Skip to content

Istio-init container fails to start when SElinux is enabled on RHEL 7.x

This document (000020241) is provided subject to the disclaimer at the end of this document.

Environment

OS: RHEL 7.x

ISTIO Chart Version: v1.8.300

Rancher Version : v2.5.7

Situation

Starting a workload on Istio-enabled namespace fails as the istio-init container failed to start.

The istio-init container shows below error;

The error is:
nat
-N ISTIO_INBOUND
-N ISTIO_REDIRECT
-N ISTIO_IN_REDIRECT
-N ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A ISTIO_INBOUND -p tcp --dport 22 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -o lo -s 127.0.0.6/32 -j RETURN
-A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
COMMIT

iptables-restore --noflush /tmp/iptables-rules-1618985143596701894.txt019825926
iptables-restore: line 25 failed
iptables-save

Resolution

Execute the modprobe in the below order to fix this without a reboot.

modprobe br_netfilter
modprobe nf_nat_redirect
modprobe xt_REDIRECT
modprobe xt_owner

To load the modules automatically during boot, create a file inside /etc/modules-load.d/ as shown below.

cat >/etc/modules-load.d/istio-iptables.conf <<EOF
br_netfilter
nf_nat_redirect
xt_REDIRECT
xt_owner
EOF

Cause

The issue is caused by SELinux which prevents the istio-init to load kernel modules that are needed for the iptables rules.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.