Bug description
To determine whether or not a given namespace should be Citadel-managed, if the listened-namespaces flag is not used and explicit-opt-in is enabled, we must check the namespace's labels for istio-managed. However, Citadel does not currently have the privileges to read cluster namespace resources.
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Expected behavior
Citadel should retrieve an object's namespace and inspect its labels to determine whether or not a namespace should be "istio-managed".
Steps to reproduce the bug
Run Citadel with configuration flag --explicit-opt-in=true and put a log statement in the failure case where Citadel attempts to retrieve namespace information for an object. Should encounter an insufficient permissions failure.
Version (include the output of istioctl version --remote and kubectl version)
```
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-19T16:40:16Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.8-gke.10", GitCommit:"f53039cc1e5295eed20969a4f10fb6ad99461e37", GitTreeState:"clean", BuildDate:"2019-06-19T20:48:40Z", GoVersion:"go1.10.8b4", Compiler:"gc", Platform:"linux/amd64"}
```
```
istioctl version
client version: 1.2.0
```
**How was Istio installed?**
Ran `make installgen` and then `kubectl create -f install/kubernetes/istio-demo-auth.yaml`
**Environment where bug was observed (cloud vendor, OS, etc)**
GKE
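
The missing privilege described in this report is a read on the cluster-scoped `namespaces` resource. The manifest below is an added example, not part of the original report or of the Istio install files; it shows a least-privilege grant for that read, and every name in angle brackets is a placeholder to be replaced with the values from the actual deployment.

```yaml
# Added example. Names in angle brackets are placeholders, not values from the issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <citadel-namespace-reader>
rules:
  # Namespaces are cluster-scoped and belong to the core ("") API group,
  # so a namespaced Role cannot grant this; it has to be a ClusterRole.
  - apiGroups: [""]
    resources: ["namespaces"]
    # "get" is enough to fetch one namespace by name and read its labels.
    # Assumption: add "list" and "watch" only if the lookup goes through
    # an informer/cache rather than a direct get.
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <citadel-namespace-reader>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <citadel-namespace-reader>
subjects:
  - kind: ServiceAccount
    name: <citadel-service-account>
    namespace: <citadel-namespace>
# Check the effective permission before and after applying:
#   kubectl auth can-i get namespaces \
#     --as=system:serviceaccount:<citadel-namespace>:<citadel-service-account>
```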