
Alibaba Cloud Service Mesh:Enable the CNI plug-in to improve security

Last Updated:Mar 11, 2026

By default, Service Mesh (ASM) injects an istio-init init container into each pod to configure iptables rules for traffic redirection. This init container requires the NET_ADMIN capability, which means any user or service account deploying pods must have elevated Kubernetes role-based access control (RBAC) permissions. The ASM Container Network Interface (CNI) plug-in reduces this requirement by moving iptables configuration to the node-level CNI chain, so pods no longer need the istio-init container or elevated privileges.

How it works

Without the CNI plug-in (default)

ASM injects an istio-init container into each pod. This init container configures iptables rules to redirect traffic through the Envoy sidecar proxy before other containers start. Because istio-init modifies the pod's network namespace, it requires the NET_ADMIN capability -- meaning any user or service account deploying pods must have elevated RBAC permissions.

With the CNI plug-in

The ASM CNI plug-in moves iptables configuration from the istio-init container to the node-level CNI chain. Traffic redirection rules are applied during the pod's network setup phase, before any containers start. Pods no longer need the istio-init container or the NET_ADMIN capability.

Architecture diagram showing how the CNI plug-in configures traffic redirection at the node level

Each pod's iptables rules belong to its own network namespace, so changes to one pod do not affect other pods on the same node.

The ASM CNI plug-in does not replace your cluster's existing CNI. It is installed as a chained plug-in: its configuration is appended to the existing CNI configuration on each node, so the container runtime invokes it when a pod's network is being set up, after the primary CNI has attached the pod interface.

Pod identification

The CNI plug-in applies traffic redirection only to pods that meet all of the following conditions:

Condition                Description
Namespace not excluded   The pod's namespace is not in the excludeNamespaces list.
Sidecar present          The pod contains a container named istio-proxy.
Multi-container          The pod contains more than one container.
Injection not disabled   The pod either has no sidecar.istio.io/inject annotation, or the annotation value is not false.
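As an added example (not code from the ASM CNI plug-in itself), the following Python script applies the four conditions above to pod objects in the shape that kubectl get pod -o json produces, so you can predict which pods the plug-in will redirect before you enable it. The pod names, container lists and the excluded namespaces (kube-system, istio-system) are constructed sample data, not values taken from this page.

```python
"""Predict whether the ASM CNI plug-in would apply traffic redirection to a pod.

Added example, not the plug-in's own code. Pods are expected in the JSON
shape of `kubectl get pod -o json` (metadata.namespace, metadata.annotations,
spec.containers[].name). Sample pods and namespaces below are constructed.
"""

INJECT_ANNOTATION = "sidecar.istio.io/inject"
SIDECAR_NAME = "istio-proxy"


def needs_redirect(pod, exclude_namespaces):
    """Return (decision, reason). True only when all four conditions hold."""
    meta = pod.get("metadata", {})
    ns = meta.get("namespace", "default")
    if ns in exclude_namespaces:
        return False, f"namespace {ns!r} is in excludeNamespaces"
    containers = pod.get("spec", {}).get("containers", [])
    names = [c.get("name") for c in containers]
    if SIDECAR_NAME not in names:
        return False, f"no container named {SIDECAR_NAME!r}"
    if len(containers) < 2:
        return False, "pod has only one container"
    inject = (meta.get("annotations") or {}).get(INJECT_ANNOTATION)
    if inject is not None and str(inject).strip().lower() == "false":
        return False, f"{INJECT_ANNOTATION}={inject!r} disables injection"
    return True, "all conditions met; the CNI plug-in applies the redirect rules"


def make_pod(name, namespace, containers, annotations=None):
    """Build a minimal pod object in kubectl JSON shape (constructed sample data)."""
    return {
        "metadata": {"name": name, "namespace": namespace, "annotations": annotations or {}},
        "spec": {"containers": [{"name": c} for c in containers]},
    }


# Assumed excludeNamespaces setting for this example.
EXCLUDED = {"kube-system", "istio-system"}

# Constructed pods covering each condition in the table.
SAMPLE_PODS = [
    make_pod("productpage-v1", "default", ["productpage", "istio-proxy"]),
    make_pod("coredns", "kube-system", ["coredns", "istio-proxy"]),
    make_pod("batch-job", "default", ["worker"]),
    make_pod("legacy-app", "default", ["app", "istio-proxy"],
             {"sidecar.istio.io/inject": "false"}),
    make_pod("proxy-only", "default", ["istio-proxy"]),
]


def classify(pods, exclude_namespaces=EXCLUDED):
    """Map pod name -> True if the plug-in would redirect that pod's traffic."""
    return {p["metadata"]["name"]: needs_redirect(p, exclude_namespaces)[0] for p in pods}


if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        ok, why = needs_redirect(pod, EXCLUDED)
        print(f"{pod['metadata']['namespace']}/{pod['metadata']['name']}: "
              f"{'REDIRECT' if ok else 'skip'} ({why})")
```

Only productpage-v1 is redirected; coredns is skipped by namespace, batch-job has no sidecar, legacy-app opts out through the annotation, and proxy-only fails the multi-container condition. Pods that are skipped here but still have the istio-init container (for example in excluded namespaces) continue to get their rules from that init container.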

Prerequisites

Before you begin, make sure that you have:

Enable the CNI plug-in

  1. Log on to the ASM console.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Data Plane Component Management > ASM CNI Plug-in.

  3. On the ASM CNI Plug-in page, turn on Enable Grid CNI Plugin, select the namespaces to exclude, and then click Update Settings.

    Pods in excluded namespaces continue to use the istio-init container for network configuration instead of the CNI plug-in.

  4. Wait until the Status column changes from Updating to Running. The CNI plug-in is now enabled.

Verify the iptables rules

Deploy the Bookinfo sample application to confirm that the CNI plug-in configures iptables rules correctly.

  1. Create a file named bookinfo.yaml with the following content:

    bookinfo.yaml

    ##################################################################################################
    # Details service
    ##################################################################################################
    apiVersion: v1
    kind: Service
    metadata:
      name: details
      labels:
        app: details
        service: details
    spec:
      ports:
      - port: 9080
        name: http
      selector:
        app: details
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: bookinfo-details
      labels:
        account: details
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: details-v1
      labels:
        app: details
        version: v1
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: details
          version: v1
      template:
        metadata:
          labels:
            app: details
            version: v1
        spec:
          serviceAccountName: bookinfo-details
          containers:
          - name: details
            image: docker.io/istio/examples-bookinfo-details-v1:1.16.2
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 9080
            securityContext:
              runAsUser: 1000
    ---
    ##################################################################################################
    # Ratings service
    ##################################################################################################
    apiVersion: v1
    kind: Service
    metadata:
      name: ratings
      labels:
        app: ratings
        service: ratings
    spec:
      ports:
      - port: 9080
        name: http
      selector:
        app: ratings
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: bookinfo-ratings
      labels:
        account: ratings
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ratings-v1
      labels:
        app: ratings
        version: v1
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: ratings
          version: v1
      template:
        metadata:
          labels:
            app: ratings
            version: v1
        spec:
          serviceAccountName: bookinfo-ratings
          containers:
          - name: ratings
            image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 9080
            securityContext:
              runAsUser: 1000
    ---
    ##################################################################################################
    # Reviews service
    ##################################################################################################
    apiVersion: v1
    kind: Service
    metadata:
      name: reviews
      labels:
        app: reviews
        service: reviews
    spec:
      ports:
      - port: 9080
        name: http
      selector:
        app: reviews
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: bookinfo-reviews
      labels:
        account: reviews
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: reviews-v1
      labels:
        app: reviews
        version: v1
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: reviews
          version: v1
      template:
        metadata:
          labels:
            app: reviews
            version: v1
        spec:
          serviceAccountName: bookinfo-reviews
          containers:
          - name: reviews
            image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.2
            imagePullPolicy: IfNotPresent
            env:
            - name: LOG_DIR
              value: "/tmp/logs"
            ports:
            - containerPort: 9080
            volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: wlp-output
              mountPath: /opt/ibm/wlp/output
            securityContext:
              runAsUser: 1000
          volumes:
          - name: wlp-output
            emptyDir: {}
          - name: tmp
            emptyDir: {}
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: reviews-v2
      labels:
        app: reviews
        version: v2
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: reviews
          version: v2
      template:
        metadata:
          labels:
            app: reviews
            version: v2
        spec:
          serviceAccountName: bookinfo-reviews
          containers:
          - name: reviews
            image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2
            imagePullPolicy: IfNotPresent
            env:
            - name: LOG_DIR
              value: "/tmp/logs"
            ports:
            - containerPort: 9080
            volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: wlp-output
              mountPath: /opt/ibm/wlp/output
            securityContext:
              runAsUser: 1000
          volumes:
          - name: wlp-output
            emptyDir: {}
          - name: tmp
            emptyDir: {}
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: reviews-v3
      labels:
        app: reviews
        version: v3
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: reviews
          version: v3
      template:
        metadata:
          labels:
            app: reviews
            version: v3
        spec:
          serviceAccountName: bookinfo-reviews
          containers:
          - name: reviews
            image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.2
            imagePullPolicy: IfNotPresent
            env:
            - name: LOG_DIR
              value: "/tmp/logs"
            ports:
            - containerPort: 9080
            volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: wlp-output
              mountPath: /opt/ibm/wlp/output
            securityContext:
              runAsUser: 1000
          volumes:
          - name: wlp-output
            emptyDir: {}
          - name: tmp
            emptyDir: {}
    ---
    ##################################################################################################
    # Productpage services
    ##################################################################################################
    apiVersion: v1
    kind: Service
    metadata:
      name: productpage
      labels:
        app: productpage
        service: productpage
    spec:
      ports:
      - port: 9080
        name: http
      selector:
        app: productpage
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: bookinfo-productpage
      labels:
        account: productpage
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: productpage-v1
      labels:
        app: productpage
        version: v1
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: productpage
          version: v1
      template:
        metadata:
          labels:
            app: productpage
            version: v1
        spec:
          serviceAccountName: bookinfo-productpage
          containers:
          - name: productpage
            image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 9080
            volumeMounts:
            - name: tmp
              mountPath: /tmp
            securityContext:
              runAsUser: 1000
          volumes:
          - name: tmp
            emptyDir: {}
    ---
  2. Deploy the Bookinfo application:

    kubectl apply -f bookinfo.yaml
  3. Get the container ID of the istio-proxy container and the node name of the productpage pod. All containers in a pod share one network namespace, so the sidecar's container ID is enough to reach the pod's iptables rules:

    ns=default
    podname=$(kubectl get pod -n ${ns} | grep productpage | awk '{print $1}')
    
    # For Docker runtime:
    container_id=$(kubectl get pod -n ${ns} ${podname} -o jsonpath="{.status.containerStatuses[?(@.name=='istio-proxy')].containerID}" | sed -n 's/docker:\/\/\(.*\)/\1/p')
    
    # For containerd runtime:
    container_id=$(kubectl get pod -n ${ns} ${podname} -o jsonpath="{.status.containerStatuses[?(@.name=='istio-proxy')].containerID}" | sed -n 's/containerd:\/\/\(.*\)/\1/p')
    
    echo $container_id
    
    # Get the node name
    kubectl get pod -n ${ns} ${podname} -o jsonpath="{.spec.nodeName}"
  4. Log on to the node (for example, via SSH) and get the PID of the container:

    # For Docker runtime:
    docker inspect --format '{{ .State.Pid }}' $container_id
    
    # For containerd runtime:
    crictl inspect $container_id | jq ".info.pid"
  5. Enter the network namespace of the productpage pod (using the PID of its istio-proxy container) and list the NAT table rules:

    nsenter -t <pid> -n iptables -L -t nat -n -v --line-numbers -x

    Replace <pid> with the PID from the previous step.

    Expected output

    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    num      pkts      bytes target     prot opt in     out     source               destination
    1       34938  2096280 ISTIO_INBOUND  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num      pkts      bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    num      pkts      bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    num      pkts      bytes target     prot opt in     out     source               destination
    1          17     1020 ISTIO_OUTPUT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain ISTIO_INBOUND (1 references)
    num      pkts      bytes target     prot opt in     out     source               destination
    1           0        0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15008
    2           0        0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3           0        0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15020
    4       34938  2096280 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15021
    5           0        0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15090
    6           0        0 ISTIO_IN_REDIRECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain ISTIO_REDIRECT (1 references)
    num      pkts      bytes target     prot opt in     out     source               destination
    1           0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 15001
    
    Chain ISTIO_IN_REDIRECT (3 references)
    num      pkts      bytes target     prot opt in     out     source               destination
    1           1       60 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 15006
    
    Chain ISTIO_OUTPUT (1 references)
    num      pkts      bytes target     prot opt in     out     source               destination
    1           2      120 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15020
    2           0        0 RETURN     all  --  *      lo      127.0.X.X            0.0.0.0/0
    3           1       60 ISTIO_IN_REDIRECT  all  --  *      lo      0.0.0.0/0           !127.0.X.X            owner UID match 1337
    4           0        0 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ! owner UID match 1337
    5          14      840 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1337
    6           0        0 ISTIO_IN_REDIRECT  all  --  *      lo      0.0.0.0/0           !127.0.X.X            owner GID match 1337
    7           0        0 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ! owner GID match 1337
    8           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1337
    9           0        0 RETURN     all  --  *      *       0.0.0.0/0            127.0.X.X
    10          0        0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.1
    11          0        0 ISTIO_REDIRECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    The output contains the Istio-specific chains (ISTIO_INBOUND, ISTIO_REDIRECT, ISTIO_IN_REDIRECT, and ISTIO_OUTPUT): inbound TCP traffic is redirected to the sidecar's port 15006 and outbound traffic to port 15001, while traffic from the proxy's own UID/GID 1337 and the listed health and telemetry ports bypasses the redirect. The presence of these chains in a pod that has no istio-init container confirms that the CNI plug-in configured the rules correctly.
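Reading the chain listing by eye does not scale past a handful of pods. As an added example (not part of this page or of ASM), the following Python script parses the text that the nsenter/iptables command in step 5 prints and checks the properties that matter: the jumps from PREROUTING and OUTPUT into the Istio chains, the REDIRECT targets on ports 15006 and 15001, and the RETURN rule that exempts the proxy's own UID 1337. The sample listing embedded in the script is a constructed, shortened copy of the expected output above; run the script against a saved listing with the file name as its first argument.

```python
"""Check a pod's NAT table for the Istio sidecar redirect rules.

Added example, not ASM code. Input is the text printed by
`nsenter -t <pid> -n iptables -L -t nat -n -v --line-numbers -x`.
SAMPLE_NAT is a constructed, shortened version of the expected output.
"""
import re
import sys

OUTBOUND_PORT = 15001   # Envoy outbound listener
INBOUND_PORT = 15006    # Envoy inbound listener
PROXY_UID = "1337"      # UID/GID the sidecar runs as
CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_nat_table(text):
    """Return {chain: [rule, ...]}; each rule keeps the fixed columns plus `extra`."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line or line.startswith("num ") or current is None:
            continue  # blank line, column header, or text before the first chain
        cols = line.split(None, 10)  # num pkts bytes target prot opt in out src dst [extra]
        if len(cols) < 10 or not cols[0].isdigit():
            continue
        chains[current].append({
            "num": int(cols[0]), "target": cols[3], "prot": cols[4],
            "in": cols[6], "out": cols[7], "source": cols[8],
            "destination": cols[9], "extra": cols[10] if len(cols) > 10 else "",
        })
    return chains


def redirect_port(rules):
    """Port of the first REDIRECT rule in a chain, or None if there is none."""
    for r in rules:
        if r["target"] == "REDIRECT":
            m = re.search(r"redir ports (\d+)", r["extra"])
            if m:
                return int(m.group(1))
    return None


def check_istio_redirect(chains):
    """Return a list of problems; an empty list means the redirect is wired up."""
    problems = []
    targets = lambda chain: [r["target"] for r in chains.get(chain, [])]
    if "ISTIO_INBOUND" not in targets("PREROUTING"):
        problems.append("PREROUTING does not jump to ISTIO_INBOUND")
    if "ISTIO_OUTPUT" not in targets("OUTPUT"):
        problems.append("OUTPUT does not jump to ISTIO_OUTPUT")
    if redirect_port(chains.get("ISTIO_REDIRECT", [])) != OUTBOUND_PORT:
        problems.append(f"ISTIO_REDIRECT does not REDIRECT to port {OUTBOUND_PORT}")
    if redirect_port(chains.get("ISTIO_IN_REDIRECT", [])) != INBOUND_PORT:
        problems.append(f"ISTIO_IN_REDIRECT does not REDIRECT to port {INBOUND_PORT}")
    # The last rule of each Istio chain is the catch-all jump into a redirect chain.
    if targets("ISTIO_INBOUND")[-1:] != ["ISTIO_IN_REDIRECT"]:
        problems.append("ISTIO_INBOUND does not end with a jump to ISTIO_IN_REDIRECT")
    if targets("ISTIO_OUTPUT")[-1:] != ["ISTIO_REDIRECT"]:
        problems.append("ISTIO_OUTPUT does not end with a jump to ISTIO_REDIRECT")
    # Without this RETURN the proxy's own outbound traffic would loop back into it.
    if not any(r["target"] == "RETURN" and r["extra"].startswith(f"owner UID match {PROXY_UID}")
               for r in chains.get("ISTIO_OUTPUT", [])):
        problems.append(f"ISTIO_OUTPUT has no RETURN rule for the proxy UID {PROXY_UID}")
    return problems


SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       34938  2096280 ISTIO_INBOUND  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          17     1020 ISTIO_OUTPUT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ISTIO_INBOUND (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           0        0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15008
2       34938  2096280 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15021
3           0        0 ISTIO_IN_REDIRECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ISTIO_REDIRECT (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 15001

Chain ISTIO_IN_REDIRECT (3 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           1       60 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 15006

Chain ISTIO_OUTPUT (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           2      120 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:15020
2           0        0 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ! owner UID match 1337
3          14      840 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1337
4           0        0 ISTIO_REDIRECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NAT
    issues = check_istio_redirect(parse_nat_table(text))
    print("OK: Istio redirect rules present" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

A pod whose rules were never installed (for example a single-container pod, or one that failed the conditions under Pod identification) produces a listing with only the empty built-in chains, and the script reports every missing jump and REDIRECT, which makes it usable as a quick post-enablement check across a set of pods.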

What's next