Running Istio on GKE Autopilot

sakajunquality
Published in sakajunlabs
Feb 25, 2021

GKE Autopilot was announced today, so I tested Istio on it.

Note: this information is outdated.

TL;DR

  • As of Feb. 25 2021, Istio does not work on GKE Autopilot
  • A MutatingWebhookConfiguration cannot be created by end users
  • The Linux capability NET_ADMIN is not allowed

GKE Autopilot

GKE is a fully managed Kubernetes service on Google Cloud. GKE Autopilot was announced today. With Autopilot you don’t have to manage nodes, so node-related operations such as upgrading, scaling, or changing the OS are no longer necessary.

Standard and Autopilot

If you create a new GKE cluster on Cloud Console, you can now choose between Autopilot and Standard.

Limitations

To provide this feature, there are some limitations at this moment.

Istio

Istio is an open-source service mesh software. See the official website for more detail.

Creating Autopilot Clusters

Let’s create the cluster first. If the Autopilot option does not appear on Cloud Console, you can create the cluster via the CLI.

Like this,

gcloud container clusters create-auto test-autopilot --region asia-northeast1

This is only for testing; for production-level usage, consider specifying VPCs.

Installing Istio

The next step is installing Istio. Istio has three options for this: istioctl, the operator, and Helm. This time I used istioctl install, as it is the easiest.

istioctl install

The command fails.

This will install the Istio 1.9.0  profile with ["Istio core" "Istiod" "Ingress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
- Processing resources for Istiod.
2021-02-25T03:44:11.256246Z     error   installer       failed to update resource with server-side apply for obj MutatingWebhookConfiguration//istio-sidecar-injector: mutatingwebhookconfigurations.admissionregistration.k8s.io "istio-sidecar-injector" is forbidden: User "[User Email]" cannot patch resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope: GKEAutopilot authz: cluster scoped resource "mutatingwebhookconfigurations/" is managed and access is denied
✘ Istiod encountered an error: failed to update resource with server-side apply for obj MutatingWebhookConfiguration//istio-sidecar-injector: mutatingwebhookconfigurations.admissionregistration.k8s.io "istio-sidecar-injector" is forbidden: User "[User Email]" cannot patch resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope: GKEAutopilot authz: cluster scoped resource "mutatingwebhookconfigurations/" is managed and access is denied
✔ Ingress gateways installed
- Pruning removed resources
2021-02-25T03:46:55.287874Z     warn    installer       retrieving resources to prune type admissionregistration.k8s.io/v1beta1, Kind=MutatingWebhookConfiguration: mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User "[User Email]" cannot list resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope: GKEAutopilot authz: cluster scoped resource "mutatingwebhookconfigurations/" is managed and access is denied not found
Error: failed to install manifests: errors occurred during operation

For sidecar injection, the installer tries to create a MutatingWebhookConfiguration called istio-sidecar-injector. This limitation is mentioned here.

FYI: run the following to inspect the sidecar injection mechanism.

kubectl get MutatingWebhookConfiguration istio-sidecar-injector -o yaml

This is okay for now, as it is possible to inject the Envoy proxy manually.

Istiod and Ingress Gateway look fine

istiod (the control plane) and istio-ingressgateway are running normally.

A GCLB (Google Cloud Load Balancer) is also provisioned.

But looking at istiod’s log, istiod is failing to create a configmap in kube-system. Autopilot does not allow modifying resources inside kube-system.

2021-02-25T05:53:36.234474Z     info    Work item handle failed (error when creating configmap istio-ca-root-cert: configmaps is forbidden: User "system:serviceaccount:istio-system:istiod-service-account" cannot create resource "configmaps" in API group "" in the namespace "kube-system": GKEAutopilot authz: the namespace "kube-system" is managed and the request's verb "create" is denied), retry after delay 1s
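The denials seen so far come from two different Autopilot guardrails (a managed cluster-scoped resource and a managed namespace), and the capability policy hit later in this post is a third. As an added example, not code from the original post, the POSIX sh functions below label such lines in istioctl or istiod output and pull out the object each denial names, so a log review can tell the guardrails apart. The sample lines are constructed from the messages quoted in this post; "[User Email]" is kept as a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original post): classify "GKEAutopilot authz"
# and Gatekeeper denials in istioctl/istiod output. Sample lines are constructed
# from the messages quoted in the post; "[User Email]" is a placeholder.

SAMPLE_WEBHOOK_DENIAL='2021-02-25T03:44:11.256246Z error installer failed to update resource with server-side apply for obj MutatingWebhookConfiguration//istio-sidecar-injector: mutatingwebhookconfigurations.admissionregistration.k8s.io "istio-sidecar-injector" is forbidden: User "[User Email]" cannot patch resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope: GKEAutopilot authz: cluster scoped resource "mutatingwebhookconfigurations/" is managed and access is denied'
SAMPLE_NAMESPACE_DENIAL='2021-02-25T05:53:36.234474Z info Work item handle failed (error when creating configmap istio-ca-root-cert: configmaps is forbidden: User "system:serviceaccount:istio-system:istiod-service-account" cannot create resource "configmaps" in API group "" in the namespace "kube-system": GKEAutopilot authz: the namespace "kube-system" is managed and the request'\''s verb "create" is denied), retry after delay 1s'
SAMPLE_CAPABILITY_DENIAL='Error from server ([denied by autogke-default-linux-capabilities] linux capability <{"NET_ADMIN"}> on container <istio-init> not allowed; Autopilot only allows the capabilities: <["SETPCAP", "NET_RAW"]>. Requesting user: <[User Email]>)'
SAMPLE_NOISE='- Pruning removed resources'

# Label one log line by the Autopilot guardrail it hit; "none" for anything else.
classify_denial() {
  case $1 in
    *"GKEAutopilot authz: cluster scoped resource "*"is managed"*) echo managed-cluster-resource ;;
    *"GKEAutopilot authz: the namespace "*"is managed"*)           echo managed-namespace ;;
    *"denied by autogke-default-linux-capabilities"*)              echo capability-policy ;;
    *)                                                             echo none ;;
  esac
}

# Print the object the denial names: the managed resource, the managed namespace,
# or the rejected capability. Prints nothing for a line that is not a denial.
denied_object() {
  printf '%s\n' "$1" | sed -n \
    -e 's/.*GKEAutopilot authz: cluster scoped resource "\([^"]*\)".*/\1/p' \
    -e 's/.*GKEAutopilot authz: the namespace "\([^"]*\)".*/\1/p' \
    -e 's/.*linux capability <{"\([^"]*\)"}>.*/\1/p'
}

# Summarise a log read from stdin: one "label<TAB>object" line per distinct denial.
summarise_denials() {
  while IFS= read -r line; do
    label=$(classify_denial "$line")
    [ "$label" = none ] && continue
    printf '%s\t%s\n' "$label" "$(denied_object "$line")"
  done | sort -u
}

# Stand-alone run over the constructed sample lines.
printf '%s\n' "$SAMPLE_WEBHOOK_DENIAL" "$SAMPLE_NAMESPACE_DENIAL" \
              "$SAMPLE_CAPABILITY_DENIAL" "$SAMPLE_NOISE" | summarise_denials
```

In practice you would feed `istioctl install` output or `kubectl logs -n istio-system deploy/istiod` into `summarise_denials`. Because the first two denials are authorization failures and the third comes from a validating webhook, running `kubectl apply --dry-run=server` against the rendered manifests should surface them before any resource is created.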

Deploying Apps

Let’s deploy apps, although I don’t think it is going to work anyway. Here I’m going to deploy the sample “Bookinfo Application”. As sidecar injection is not available, the sidecar has to be added to the manifest with istioctl kube-inject before applying it.

kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml)

istio-init doesn’t work

As a result, it failed. The Linux capability NET_ADMIN is forbidden, which is documented here.

Error from server ([denied by autogke-default-linux-capabilities] linux capability <{"NET_ADMIN"}> on container <istio-init> not allowed; Autopilot only allows the capabilities: <["SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]>. Requesting user: <[User Email]> and groups: <["system:authenticated"]>): error when creating "/dev/fd/63": admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-default-linux-capabilities] linux capability <{"NET_ADMIN"}> on container <istio-init> not allowed; Autopilot only allow...

Here’s what istio-init is doing. In this init container, Istio sets up iptables rules that redirect traffic into and out of the application container through Envoy. Due to the Linux capability limitation this fails.

      initContainers:
      - args:
        - istio-iptables
        - -p            # outbound traffic is redirected to Envoy on this port
        - "15001"
        - -z            # inbound traffic is redirected to Envoy on this port
        - "15006"
        - -u            # UID of the proxy itself, excluded from redirection
        - "1337"
        - -m            # iptables mode
        - REDIRECT
        - -i            # outbound IP ranges to redirect ('*' = everything)
        - '*'
        - -x            # outbound IP ranges to exclude (none)
        - ""
        - -b            # inbound ports to redirect ('*' = everything)
        - '*'
        - -d            # inbound ports excluded from redirection (Istio's own ports)
        - 15090,15021,15020
        image: docker.io/istio/proxyv2:1.9.0
        imagePullPolicy: Always
        name: istio-init

Conclusions

  • Istio cannot be used with GKE Autopilot at this moment.
  • Still, Autopilot is really nice in that users are free from node management.
  • Looking forward to further product improvements!
