- Shows you how to use Istio 1.4 on Kubernetes 1.14+ with a modicum of runtime security for your workloads.
- Specifically it installs Istio with CNI support, and allows the use of restrictive PodSecurityPolicies for your workloads.
- It is designed for VMware PKS, but doesn't require it ... (just change the CNI bin dir and excluded namespaces in `values-cni.yml`, also swap the ClusterRole `pks-privileged` and `pks-restricted` mentioned throughout these files with your own PSP roles).
- It doesn't fix the need for Istio itself to run as root, but that should be fixed in a future Istio release as it's already fixed in trunk.
- You are logged into your cluster as a cluster admin, K8s 1.14 at least