Closed
Description
Seeing the following when running through the installation tutorial.

I've run:

```
kubectl apply -f install/kubernetes/istio-rbac-beta.yaml
kubectl apply -f install/kubernetes/istio-auth.yaml
```

- k8s 1.6.4
- RBAC enabled

```
kubectl logs istio-manager-2910860705-c3zsh -c apiserver
I0526 03:10:04.952228 1 client.go:205] TPR "IstioConfig" is not ready (User "system:serviceaccount:default:istio-manager-service-account" cannot list istioconfigs.istio.io at the cluster scope. (get IstioConfigs.istio.io)). Waiting...
I0526 03:10:05.955367 1 client.go:205] TPR "IstioConfig" is not ready (User "system:serviceaccount:default:istio-manager-service-account" cannot list istioconfigs.istio.io at the cluster scope. (get IstioConfigs.istio.io)). Waiting...
Error: 2 errors occurred:
* failed to register Third-Party Resources. User "system:serviceaccount:default:istio-manager-service-account" cannot get thirdpartyresources.extensions at the cluster scope. (get thirdpartyresources.extensions istio-config.istio.io)
* failed to register Third-Party Resources. Failed to create all TPRs
```

The issue appears to be that the manager services are doing get at the cluster scope and we have a RoleBinding which is namespaced. Either you change the code to do a scoped get on namespace or change the following to a ClusterRoleBinding and add the namespace to the subject.

```yaml
# Grant permissions to the Manager/discovery.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-manager-admin-role-binding
subjects:
- kind: ServiceAccount
  name: istio-manager-service-account
roleRef:
  kind: ClusterRole
  name: istio-manager
  apiGroup: rbac.authorization.k8s.io
```
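
Added example (not part of the original issue or the Istio code base): a small Python check that parses cluster-scope RBAC denials in the format of the logs above and tests whether a given binding could grant them. The function names and the dict form of the bindings are hypothetical, the log text is a constructed sample copied from the issue, and the check assumes the referenced ClusterRole already allows the verb and resource.

```python
import re

# Constructed sample: two denial messages in the format of the logs quoted in the issue.
SAMPLE_LOG = (
    'I0526 03:10:04.952228 1 client.go:205] TPR "IstioConfig" is not ready (User '
    '"system:serviceaccount:default:istio-manager-service-account" cannot list '
    'istioconfigs.istio.io at the cluster scope. (get IstioConfigs.istio.io)). Waiting...\n'
    '* failed to register Third-Party Resources. User '
    '"system:serviceaccount:default:istio-manager-service-account" cannot get '
    'thirdpartyresources.extensions at the cluster scope. '
    '(get thirdpartyresources.extensions istio-config.istio.io)\n'
)

DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) (?P<resource>[\w.-]+) at the cluster scope'
)

def cluster_scope_denials(log):
    """Return unique (namespace, service_account, verb, resource) denials, in order."""
    seen = []
    for m in DENIAL.finditer(log):
        d = (m['ns'], m['sa'], m['verb'], m['resource'])
        if d not in seen:
            seen.append(d)
    return seen

def binding_can_fix(binding, denial):
    """Can this binding grant the denied cluster-scope request? Returns (ok, reason).
    Assumption: the referenced ClusterRole's rules already allow the verb and resource."""
    ns, sa, _verb, _resource = denial
    if binding['kind'] != 'ClusterRoleBinding':
        return False, 'a RoleBinding only grants access inside its own namespace'
    for s in binding.get('subjects', []):
        if s.get('kind') == 'ServiceAccount' and s.get('name') == sa:
            if s.get('namespace') == ns:
                return True, 'cluster-wide binding names the service account and its namespace'
            return False, 'subject is missing namespace %r' % ns
    return False, 'no subject matches service account %r' % sa

# The binding from the issue, and the change the issue proposes (hypothetical dict form).
SUBJECT = {'kind': 'ServiceAccount', 'name': 'istio-manager-service-account'}
ISSUE_BINDING = {'kind': 'RoleBinding', 'subjects': [dict(SUBJECT)]}
PROPOSED_BINDING = {'kind': 'ClusterRoleBinding',
                    'subjects': [dict(SUBJECT, namespace='default')]}

if __name__ == '__main__':
    for d in cluster_scope_denials(SAMPLE_LOG):
        for label, b in (('issue', ISSUE_BINDING), ('proposed', PROPOSED_BINDING)):
            print(d[2], d[3], label, binding_can_fix(b, d))
```

A ClusterRoleBinding applies the ClusterRole's rules in every namespace, so the rules in `istio-manager` should stay limited to what the manager needs.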