
Istio-init container fails to start when SElinux is enabled on RHEL 8.x

Article Number: 000020241

Environment

OS: RHEL 8.x
ISTIO Chart Version: v1.24.1
Kubernetes version: 1.30.x, 1.31.x, 1.32.x
Rancher Version: v2.9.x, v2.10.x, 2.11.x

Situation

Starting a workload in an Istio-enabled namespace fails because the istio-init container does not start.

The istio-init container log shows the following error:

2025-07-01T21:53:04.349856Z     info    Running iptables restore with: iptables-legacy-restore and the following input:
* nat
-N ISTIO_INBOUND
-N ISTIO_REDIRECT
-N ISTIO_IN_REDIRECT
-N ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A ISTIO_INBOUND -p tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -o lo -s 127.0.0.6/32 -j RETURN
-A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
COMMIT
2025-07-01T21:53:04.349880Z     info    Running command (with wait lock): iptables-legacy-restore --noflush --wait=30
2025-07-01T21:53:04.350989Z     error   Command error output: xtables other problem: Extension REDIRECT revision 0 not supported, missing kernel module?
Warning: Extension owner revision 0 not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
iptables-restore: line 24 failed
2025-07-01T21:53:04.351011Z     info    Running command (without lock): iptables-legacy-save
2025-07-01T21:53:04.352944Z     info    Command output:
# Generated by iptables-save v1.8.10 on Tue Jul  1 21:53:04 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jul  1 21:53:04 2025

2025-07-01T21:53:04.352956Z     error   exit status 1

Cause

The issue is caused by SELinux, which prevents the istio-init container from loading the kernel modules that the iptables rules require (the "Extension ... not supported, missing kernel module?" warnings above).

Resolution

Run the following modprobe commands in this order to fix the issue without a reboot.

modprobe iptable_raw
modprobe xt_REDIRECT
modprobe xt_connmark
modprobe xt_owner
modprobe xt_tcpudp
modprobe x_tables

To load the modules automatically at boot, create a file in /etc/modules-load.d/ as shown below.

cat >/etc/modules-load.d/istio-iptables.conf <<EOF
iptable_raw
xt_REDIRECT
xt_connmark
xt_owner
xt_tcpudp
x_tables
EOF
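As an added check that is not part of this article, the script below reports which of the six modules above are not yet loaded, loads the missing ones in the article's order, and prints the modules-load.d file content. The module names are the article's own; MODULES_FILE is an assumption of this example so the check can also be run against a saved copy of /proc/modules.

```shell
#!/bin/sh
# Added example, not from the article: verify and load the kernel modules
# that the istio-init container's iptables rules need on a RHEL 8 node.
set -u

# Required modules, in the order the article loads them.
ISTIO_MODULES="iptable_raw xt_REDIRECT xt_connmark xt_owner xt_tcpudp x_tables"
# Assumption of this example: allow checking a saved /proc/modules copy.
MODULES_FILE="${MODULES_FILE:-/proc/modules}"

# Print, one per line, the required modules absent from $MODULES_FILE.
# /proc/modules lists one loaded module per line, name in column 1.
# Caveat: a module compiled into the kernel never appears there, so it is
# reported as missing even though modprobe then succeeds as a no-op.
missing_istio_modules() {
    for m in $ISTIO_MODULES; do
        awk -v want="$m" '$1 == want { found = 1 } END { exit !found }' "$MODULES_FILE" \
            || echo "$m"
    done
}

# Load only the missing modules, keeping the article's order; needs root.
load_missing_istio_modules() {
    for m in $(missing_istio_modules); do
        modprobe "$m" || return 1
    done
}

# Print the contents for /etc/modules-load.d/istio-iptables.conf.
render_modules_load_conf() {
    for m in $ISTIO_MODULES; do
        echo "$m"
    done
}

# Usage: script.sh check | load | conf
case "${1:-}" in
    check) missing_istio_modules ;;
    load)  load_missing_istio_modules ;;
    conf)  render_modules_load_conf ;;
esac
```

Run `check` after applying the fix: an empty result means every module from the article is loaded.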