Allow requests to Kubernetes API from an init container with Istio CNI plugin


I had istio configured but without the CNI addon enabled.

In that time, I had an init container with a service account that would call the Kubernetes API to verify a couple of things (via kubectl).

Since I enabled the CNI addon, this init container fails with the following message:

The connection to the server 10.23.64.1:443 was refused - did you specify the right host or port?

I tried removing all my network policies to see if that was the issue, but got the same result. I also gave the service account that this pod uses the cluster-admin role, but it didn't do the trick.

I tested with both 1.6 and 1.7 branches of Istio.

What is the issue here? Other pods without this init container work fine.


Answer by Piotr Malec (accepted answer):

In order to have init container network connectivity with Istio CNI enabled, please follow the workaround guide from the Istio documentation:

Compatibility with application init containers

The Istio CNI plugin may cause networking connectivity problems for any application initContainers. When using Istio CNI, kubelet starts an injected pod with the following steps:

  1. The Istio CNI plugin sets up traffic redirection to the Istio sidecar proxy within the pod.
  2. All init containers execute and complete successfully.
  3. The Istio sidecar proxy starts in the pod along with the pod’s other containers.

Init containers execute before the sidecar proxy starts, which can result in traffic loss during their execution. Avoid this traffic loss with one or both of the following settings:

  • Set the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation to disable redirecting traffic to any CIDRs the init containers communicate with.
  • Set the traffic.sidecar.istio.io/excludeOutboundPorts annotation to disable redirecting traffic to the specific outbound ports the init containers use.
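Applied to the question's situation, the workaround looks like the manifest below. This is an added example, not code from the answer or the Istio docs; it assumes the API server ClusterIP is 10.23.64.1 (the address in the error message), and the Deployment name, service account, image and the resource checked by the init container are all hypothetical.

```yaml
# Added example (not from the original answer or the Istio docs).
# Assumes the cluster's "kubernetes" Service ClusterIP is 10.23.64.1 and that
# the init container only needs to reach the API server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-checker                    # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api-checker
  template:
    metadata:
      labels:
        app: api-checker
      annotations:
        # Bypass sidecar redirection only for the API server address, so the
        # init container's traffic is not captured before istio-proxy is up.
        # Keep the range as narrow as possible (/32, not the whole subnet):
        # traffic matching this exclusion is not seen by the sidecar, so it
        # gets no sidecar mTLS or policy enforcement.
        traffic.sidecar.istio.io/excludeOutboundIPRanges: "10.23.64.1/32"
        # Alternative or complement: exclude by destination port instead.
        # traffic.sidecar.istio.io/excludeOutboundPorts: "443"
    spec:
      serviceAccountName: api-checker  # hypothetical SA; bind a narrowly scoped Role, not cluster-admin
      initContainers:
        - name: verify-api
          image: bitnami/kubectl:1.27  # assumed image providing kubectl
          command: ["sh", "-c"]
          args:
            # Hypothetical check: fail the pod if the expected ConfigMap is absent.
            - kubectl get configmap my-config -n "$NAMESPACE" >/dev/null
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      containers:
        - name: app
          image: nginx:1.25            # placeholder workload
```

The address to exclude is the ClusterIP of the kubernetes Service in the default namespace, which you can read with `kubectl get svc kubernetes -n default -o jsonpath='{.spec.clusterIP}'`.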