部署istio官方示例bookinfo,pod的状态是Init:Blocked
kubectl apply -f istio-test-namespace.yaml
kubectl label namespace istio-test istio-injection=enabled --overwrite=true
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -n istio-test
原因,
安装 Istio 的核心部分时,istio-demo.yaml文件里面的ConfigMap istio-sidecar-injector ,有一段配置是 initContainers,
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true #开启privileged权限
只需要修改kubelet, kube-apiserver的启动配置参数,即可
/etc/default/kubelet:
`KUBELET_OPTS="--allow_privileged=true"`
/etc/default/kube-apiserver:
`KUBE_APISERVER_OPTS="--allow_privileged=true"`
最后重启kubelet, kube-apiserver的服务
systemctl daemon-reload
systemctl restart kube-apiserver
systemctl restart kubelet