Error from server (Forbidden): error when creating "istio-0.6.0/install/kubernetes/istio-auth.yaml": clusterroles.rbac.authorization.k8s.io "istio-sidecar-injector-istio-system" is forbidden: attempt to grant extra privileges #4106

@ldemailly

Running kubectl apply -f istio-0.6.0/install/kubernetes/istio-auth.yaml on a cluster that had 0.5.x before:

...
deployment "istio-ca" configured
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1beta1\",\"kind\":\"ClusterRole\",\"metadata\":{\"annotations\":{},\"name\":\"istio-pilot-istio-system\",\"namespace\":\"\"},\"rules\":[{\"apiGroups\":[\"config.istio.io\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]},{\"apiGroups\":[\"apiextensions.k8s.io\"],\"resources\":[\"customresourcedefinitions\"],\"verbs\":[\"*\"]},{\"apiGroups\":[\"extensions\"],\"resources\":[\"thirdpartyresources\",\"thirdpartyresources.extensions\",\"ingresses\",\"ingresses/status\"],\"verbs\":[\"*\"]},{\"apiGroups\":[\"\"],\"resources\":[\"configmaps\"],\"verbs\":[\"create\",\"get\",\"list\",\"watch\",\"update\"]},{\"apiGroups\":[\"\"],\"resources\":[\"endpoints\",\"pods\",\"services\"],\"verbs\":[\"get\",\"list\",\"watch\"]},{\"apiGroups\":[\"\"],\"resources\":[\"namespaces\",\"nodes\",\"secrets\"],\"verbs\":[\"get\",\"list\",\"watch\"]},{\"apiGroups\":[\"admissionregistration.k8s.io\"],\"resources\":[\"externaladmissionhookconfigurations\"],\"verbs\":[\"create\",\"update\",\"delete\"]}]}\n"},"namespace":""},"rules":[{"apiGroups":["config.istio.io"],"resources":["*"],"verbs":["*"]},{"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"],"verbs":["*"]},{"apiGroups":["extensions"],"resources":["thirdpartyresources","thirdpartyresources.extensions","ingresses","ingresses/status"],"verbs":["*"]},{"apiGroups":[""],"resources":["configmaps"],"verbs":["create","get","list","watch","update"]},{"apiGroups":[""],"resources":["endpoints","pods","services"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["namespaces","nodes","secrets"],"verbs":["get","list","watch"]},{"apiGroups":["admissionregistration.k8s.io"],"resources":["externaladmissionhookconfigurations"],"verbs":["create","update","delete"]}]}
to:
&{0xc4223ce300 0xc42057e770  istio-pilot-istio-system istio-0.6.0/install/kubernetes/istio-auth.yaml 0xc421518888 0xc421582940 3260 false}
for: "istio-0.6.0/install/kubernetes/istio-auth.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot-istio-system" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["*"], APIGroups:["config.istio.io"], Verbs:["*"]} PolicyRule{Resources:["customresourcedefinitions"], APIGroups:["apiextensions.k8s.io"], Verbs:["*"]} PolicyRule{Resources:["thirdpartyresources"], APIGroups:["extensions"], Verbs:["*"]} PolicyRule{Resources:["thirdpartyresources.extensions"], APIGroups:["extensions"], Verbs:["*"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["*"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["*"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], 
APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["externaladmissionhookconfigurations"], APIGroups:["admissionregistration.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["externaladmissionhookconfigurations"], APIGroups:["admissionregistration.k8s.io"], Verbs:["update"]} PolicyRule{Resources:["externaladmissionhookconfigurations"], APIGroups:["admissionregistration.k8s.io"], Verbs:["delete"]}] user=&{ldemailly@google.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "istio-0.6.0/install/kubernetes/istio-auth.yaml": clusterroles.rbac.authorization.k8s.io "istio-sidecar-injector-istio-system" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["get"]} PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["watch"]}] user=&{ldemailly@google.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1beta1\",\"kind\":\"ClusterRole\",\"metadata\":{\"annotations\":{},\"name\":\"istio-sidecar-istio-system\",\"namespace\":\"\"},\"rules\":[{\"apiGroups\":[\"extensions\"],\"resources\":[\"thirdpartyresources\",\"ingresses\"],\"verbs\":[\"get\",\"watch\",\"list\",\"update\"]},{\"apiGroups\":[\"\"],\"resources\":[\"configmaps\",\"pods\",\"endpoints\",\"services\"],\"verbs\":[\"get\",\"watch\",\"list\"]}]}\n"},"namespace":""},"rules":[{"apiGroups":["extensions"],"resources":["thirdpartyresources","ingresses"],"verbs":["get","watch","list","update"]},{"apiGroups":[""],"resources":["configmaps","pods","endpoints","services"],"verbs":["get","watch","list"]}]}
to:
&{0xc421a9a3c0 0xc421ad7f80  istio-sidecar-istio-system istio-0.6.0/install/kubernetes/istio-auth.yaml 0xc420a02258 0xc421bdc008 3264 false}
for: "istio-0.6.0/install/kubernetes/istio-auth.yaml": clusterroles.rbac.authorization.k8s.io "istio-sidecar-istio-system" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["thirdpartyresources"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["thirdpartyresources"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["thirdpartyresources"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["thirdpartyresources"], APIGroups:["extensions"], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["update"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]}] user=&{ldemailly@google.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" 
"/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
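
An added example, not part of the original issue or of Istio's code: Kubernetes RBAC refuses to let a caller create or update a role that contains permissions the caller does not already hold, and the error above lists both the refused rules and the caller's resolved `ownerrules`. This sketch parses one such message and reports which refused rules no owner rule covers. The function names are hypothetical, the sample is a constructed, shortened copy of the sidecar-injector error, and `covers` is a simplified match that ignores resourceNames and subresource wildcards.

```python
import re

# Constructed sample, shortened from the sidecar-injector error quoted in the issue.
SAMPLE = (
    'clusterroles.rbac.authorization.k8s.io "istio-sidecar-injector-istio-system" '
    'is forbidden: attempt to grant extra privileges: '
    '[PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["get"]} '
    'PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["list"]} '
    'PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["watch"]}] '
    'user=&{ldemailly@google.com  [system:authenticated] map[authenticator:[GKE]]} '
    'ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], '
    'APIGroups:["authorization.k8s.io"], Verbs:["create"]} '
    'PolicyRule{NonResourceURLs:["/api" "/api/*" "/version"], Verbs:["get"]}] '
    'ruleResolutionErrors=[]'
)

RULE = re.compile(r'PolicyRule\{(.*?)\}')   # one PolicyRule{...} body
FIELD = re.compile(r'(\w+):\[(.*?)\]')      # Name:["a" "b"] inside a body

def parse_rules(text):
    """Turn a run of PolicyRule{...} entries into dicts of field -> list of values."""
    return [{k: re.findall(r'"([^"]*)"', v) for k, v in FIELD.findall(body)}
            for body in RULE.findall(text)]

def covers(owner, want):
    """Simplified RBAC match: each value in `want` is listed in `owner` or matched by '*'."""
    for key in ("APIGroups", "Resources", "Verbs"):
        have = owner.get(key, [])
        if "*" not in have and not set(want.get(key, [])) <= set(have):
            return False
    return True

def explain(message):
    """Extract role, caller, refused rules, and the refused rules no owner rule covers."""
    m = re.search(r'"([^"]+)" is forbidden: attempt to grant extra privileges: '
                  r'\[(.*?)\] user=&\{(\S+).*? ownerrules=\[(.*)\] ruleResolutionErrors', message)
    denied, owner = parse_rules(m.group(2)), parse_rules(m.group(4))
    missing = [r for r in denied if not any(covers(o, r) for o in owner)]
    return {"role": m.group(1), "user": m.group(3), "denied": denied, "missing": missing}

if __name__ == "__main__":
    print(explain(SAMPLE))
```

In the sample every refused rule is missing, because the caller's owner rules contain only self-review and discovery permissions.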
