Follow these instructions to prepare an OpenShift cluster for Istio.
By default, OpenShift doesn’t allow containers running with user ID 1337.
You must enable containers running with UID 1337 for Istio’s service accounts
by running the command below. Make sure to replace istio-system if you are
deploying Istio in another namespace:
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
Install Istio using the OpenShift profile:
$ istioctl install --set profile=openshift
After installation is complete, expose an OpenShift route for the ingress gateway.
$ oc -n istio-system expose svc/istio-ingressgateway --port=http2
Security context constraints for application sidecars
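The Istio sidecar injected into each application pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following command. Replace <target-namespace> with the appropriate namespace. Note that the anyuid SCC permits any user ID, including root, and that the grant applies to every service account in the namespace, not only to the sidecar.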
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:<target-namespace>
When removing your application, remove the permissions as follows.
$ oc adm policy remove-scc-from-group anyuid system:serviceaccounts:<target-namespace>
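The grant and removal steps above can be kept as a matched pair of shell functions so that the permission does not outlive the application. This is an added example, not part of the Istio documentation; the function names, the `OC` override variable and the `bookinfo` namespace in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: wraps the page's two "oc adm policy" commands and validates
# the namespace before it is spliced into the group name.
# OC is a hypothetical override for previewing commands: OC="echo oc".
OC="${OC:-oc}"
export LC_ALL=C   # make [a-z] in the pattern below match ASCII lowercase only

# Print the service-account group for a namespace. Fails unless the name is a
# DNS-1123 label: 1-63 characters, lowercase alphanumerics or '-', and no
# leading or trailing '-'. This rejects empty values, unreplaced
# "<target-namespace>" placeholders and names containing ':'.
sidecar_scc_group() {
  ns="$1"
  case "$ns" in
    ''|-*|*-|*[!a-z0-9-]*)
      echo "invalid namespace: '$ns'" >&2
      return 1 ;;
  esac
  if [ "${#ns}" -gt 63 ]; then
    echo "namespace too long: '$ns'" >&2
    return 1
  fi
  printf 'system:serviceaccounts:%s\n' "$ns"
}

# Allow UID 1337 sidecars in the namespace (the page's add-scc-to-group step).
grant_sidecar_scc() {
  group=$(sidecar_scc_group "$1") || return 1
  $OC adm policy add-scc-to-group anyuid "$group"
}

# Undo the grant when the application is removed (remove-scc-from-group step).
revoke_sidecar_scc() {
  group=$(sidecar_scc_group "$1") || return 1
  $OC adm policy remove-scc-from-group anyuid "$group"
}

# Usage (constructed namespace name):
#   OC="echo oc" grant_sidecar_scc bookinfo    # preview only
#   grant_sidecar_scc bookinfo                 # on deploy
#   revoke_sidecar_scc bookinfo                # on application removal
```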