Istio 100.0.0 v2 : book demo app deployment fails on SELinux RHEL 8.4 enabled on the clusters #33291
Description
What kind of request is this (question/bug/enhancement/feature request):
Bug
Steps to reproduce (least amount of steps as possible):
SELinux RHEL 8.4 docker-20.10.7, 0.2.rc1-RPM
- Create a custom rke1 SELinux RHEL enabled cluster from the dashboard with 3 worker nodes, 1 etcd and 1 cp
- Once the clusters are up and active
- deploy istio v2 from the dashboard UI -->apps & Marketplace--> istio. Version: 100.0.0
- Istio deploys successfully
- create a namespace with istio sidecar injection enabled.
- create the book demo app. The pods of the app are seen stuck in Updating.
Result:
istio-init container is in crashloopBackoff with the following error:
iptables-restore --noflush /tmp/iptables-rules-1624044808704787141.txt290487748
iptables-save
iptables-restore v1.6.1: iptables-restore: unable to initialize table 'nat'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
panic: exit status 2
goroutine 1 [running]:
istio.io/istio/tools/istio-iptables/pkg/dependencies.(*RealDependencies).RunOrFail(0xd819c0, 0x9739cb, 0x10, 0xc00000cba0, 0x2, 0x2)
istio.io/istio@/tools/istio-iptables/pkg/dependencies/implementation.go:44 +0x96
istio.io/istio/tools/istio-iptables/pkg/cmd.(*IptablesConfigurator).executeIptablesRestoreCommand(0xc0000efd30, 0x7f31b4f63001, 0x0, 0x0)
istio.io/istio@/tools/istio-iptables/pkg/cmd/run.go:484 +0x3aa
istio.io/istio/tools/istio-iptables/pkg/cmd.(*IptablesConfigurator).executeCommands(0xc0000efd30)
istio.io/istio@/tools/istio-iptables/pkg/cmd/run.go:491 +0x45
istio.io/istio/tools/istio-iptables/pkg/cmd.(*IptablesConfigurator).run(0xc0000efd30)
istio.io/istio@/tools/istio-iptables/pkg/cmd/run.go:438 +0x2507
istio.io/istio/tools/istio-iptables/pkg/cmd.glob..func1(0xd5c740, 0xc0000d2700, 0x0, 0x10)
istio.io/istio@/tools/istio-iptables/pkg/cmd/root.go:56 +0x14e
github.com/spf13/cobra.(*Command).execute(0xd5c740, 0xc00001e130, 0x10, 0x11, 0xd5c740, 0xc00001e130)
github.com/spf13/cobra@v0.0.5/command.go:830 +0x2aa
github.com/spf13/cobra.(*Command).ExecuteC(0xd5c740, 0x40574f, 0xc000080058, 0x0)
github.com/spf13/cobra@v0.0.5/command.go:914 +0x2fb
github.com/spf13/cobra.(*Command).Execute(...)
github.com/spf13/cobra@v0.0.5/command.go:864
istio.io/istio/tools/istio-iptables/pkg/cmd.Execute()
istio.io/istio@/tools/istio-iptables/pkg/cmd/root.go:284 +0x2d
main.main()
istio.io/istio@/tools/istio-iptables/main.go:22 +0x20
Expected Result:
The istio-init container should come up active and the errors should not be seen
Other details that may be helpful:
If we set PSP to unrestricted for SELinux RHEL 8.4 hardened clusters and deploy the book demo app, the app deploys successfully without any errors.
Environment information
- Rancher version (
rancher/rancher/rancher/serverimage tag or shown bottom left in the UI):
master-2ca2ad9c602f1d64e30a9ccfe093c6c39aefc728-head
- Installation option (single install/HA): Single
Cluster information
- Cluster type (Hosted/Infrastructure Provider/Custom/Imported): Node driver
- Kubernetes version (use
kubectl version):
v1.20.7
- Docker version (use
docker version):
docker-20.10.7