Description
I manually removed some service account from istio-system namespace, but the associated secret was not deleted by CA.
It seems that the RBAC rule for CA does not include "delete", which caused an error in CA when it tries to delete the secret:
```
2018-03-14T16:48:26.944011Z error Failed to delete Istio secret for service account "istio-sidecar-injector-service-account" in namespace "istio-system" (error: secrets "istio.istio-sidecar-injector-service-account" is forbidden: User "system:serviceaccount:istio-system:istio-ca-service-account" cannot delete secrets in the namespace "istio-system": Unknown user "system:serviceaccount:istio-system:istio-ca-service-account")
```
However, even if RBAC is fixed, the secret is recreated after deletion by the controller. It seems that the code is blindly recreating the deleted secret even if the associated service account has been removed.
```
2018-03-14T16:54:04.911551Z info Istio secret for service account "istio-sidecar-injector-service-account" in namespace "istio-system" has been deleted
2018-03-14T16:54:04.912123Z info Re-create deleted Istio secret
2018-03-14T16:54:05.446121Z info Istio secret for service account "istio-sidecar-injector-service-account" in namespace "istio-system" has been created
```
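The two problems in the report are independent: the RBAC rule for the CA's service account needs the `delete` verb on `secrets` (verifiable with `kubectl auth can-i delete secrets -n istio-system --as=system:serviceaccount:istio-system:istio-ca-service-account`), and the secret-deletion handler needs to check whether the owning service account still exists before recreating the secret. The following is an added example of that second check, not Istio's own controller code; it models the handler over an assumed in-memory cluster instead of client-go, keeping only the naming convention visible in the logs (CA secrets are named `istio.<service-account>`). The interface names, `memCluster`, and the sample cluster contents are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Istio CA secrets are named "istio.<service-account>" (seen in the logs above).
const secretNamePrefix = "istio."

// ServiceAccountLookup and SecretStore are assumed abstractions over the API
// server; a real controller would back them with client-go listers/clients.
type ServiceAccountLookup interface {
	Exists(namespace, name string) (bool, error)
}

type SecretStore interface {
	Create(namespace, name string) error
}

// memCluster is a constructed in-memory stand-in for both interfaces.
type memCluster struct {
	serviceAccounts map[string]bool // key: "<namespace>/<name>"
	secrets         map[string]bool // key: "<namespace>/<name>"
}

func key(namespace, name string) string { return namespace + "/" + name }

func (c *memCluster) Exists(namespace, name string) (bool, error) {
	return c.serviceAccounts[key(namespace, name)], nil
}

func (c *memCluster) Create(namespace, name string) error {
	if c.secrets[key(namespace, name)] {
		return errors.New("secret already exists: " + key(namespace, name))
	}
	c.secrets[key(namespace, name)] = true
	return nil
}

// serviceAccountForSecret maps "istio.<sa>" back to "<sa>". ok is false for
// secrets the CA does not own, which the handler must leave alone.
func serviceAccountForSecret(secretName string) (sa string, ok bool) {
	if !strings.HasPrefix(secretName, secretNamePrefix) {
		return "", false
	}
	sa = strings.TrimPrefix(secretName, secretNamePrefix)
	return sa, sa != ""
}

// onSecretDeleted is the deletion handler with the missing check: the secret
// is recreated only while its service account still exists. It reports
// whether a recreate happened so callers (and tests) can observe the decision.
func onSecretDeleted(sas ServiceAccountLookup, secrets SecretStore, namespace, secretName string) (bool, error) {
	sa, ok := serviceAccountForSecret(secretName)
	if !ok {
		return false, nil // not a CA-managed secret
	}
	exists, err := sas.Exists(namespace, sa)
	if err != nil {
		return false, fmt.Errorf("looking up service account %s/%s: %w", namespace, sa, err)
	}
	if !exists {
		// The service account was removed; the deletion is final. Recreating
		// here is exactly the "blind recreate" behaviour from the report.
		return false, nil
	}
	return true, secrets.Create(namespace, secretName)
}

func main() {
	// Constructed state: "default" still exists, the sidecar injector SA was removed.
	c := &memCluster{
		serviceAccounts: map[string]bool{"istio-system/default": true},
		secrets:         map[string]bool{},
	}
	for _, name := range []string{"istio.istio-sidecar-injector-service-account", "istio.default"} {
		recreated, err := onSecretDeleted(c, c, "istio-system", name)
		fmt.Printf("%s: recreated=%v err=%v\n", name, recreated, err)
	}
}
```

In a client-go implementation the `Exists` call would be a lister `Get` that treats a `NotFound` error as "does not exist" and any other error as a transient failure to retry, rather than as permission to recreate.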