Citadel requires k8s namespace read permissions but does not have them #15115

Closed
Monkeyanator opened this issue Jun 24, 2019 · 2 comments

Bug description
To determine whether or not a given namespace should be Citadel-managed, if the listened-namespaces flag is not used and explicit-opt-in is enabled, we must check the namespace's labels for istio-managed. However, Citadel does not currently have the privileges to read cluster namespace resources.

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Expected behavior
Citadel should retrieve an object's namespace and inspect its labels to determine whether or not a namespace should be "istio-managed".

Steps to reproduce the bug
Run Citadel with configuration flag --explicit-opt-in=true and put a log statement in the failure case where Citadel attempts to retrieve namespace information for an object. Should encounter an insufficient permissions failure.

Version (include the output of istioctl version --remote and kubectl version)

```
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-19T16:40:16Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.8-gke.10", GitCommit:"f53039cc1e5295eed20969a4f10fb6ad99461e37", GitTreeState:"clean", BuildDate:"2019-06-19T20:48:40Z", GoVersion:"go1.10.8b4", Compiler:"gc", Platform:"linux/amd64"}
```

```
istioctl version
client version: 1.2.0
```

How was Istio installed?
Ran `make installgen` and then `kubectl create -f install/kubernetes/istio-demo-auth.yaml`

Environment where bug was observed (cloud vendor, OS, etc)
GKE
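
The namespace decision described in the bug report, as an added Go example that is not Citadel's own code; it shows a denied namespace read being returned as an error instead of being folded into a "not managed" answer. The names `managed`, `labelReader`, `options` and `ErrForbidden` are hypothetical, and two behaviours are assumptions: the presence of the `istio-managed` key opts a namespace in, and every namespace is managed when explicit opt-in is off.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden stands in for the API server's RBAC denial (constructed).
var ErrForbidden = errors.New("namespaces is forbidden: cannot get resource")

// labelReader is a hypothetical seam over the Kubernetes namespace GET call.
type labelReader func(namespace string) (map[string]string, error)

// options mirrors the two flags named in the issue.
type options struct {
	listenedNamespaces []string // --listened-namespaces
	explicitOptIn      bool     // --explicit-opt-in
}

// managed reports whether a namespace is Citadel-managed.
func managed(ns string, o options, read labelReader) (bool, error) {
	if len(o.listenedNamespaces) > 0 { // flag used: no label lookup needed
		for _, n := range o.listenedNamespaces {
			if n == ns {
				return true, nil
			}
		}
		return false, nil
	}
	if !o.explicitOptIn {
		return true, nil // assumption: without opt-in, every namespace is managed
	}
	labels, err := read(ns)
	if err != nil { // e.g. missing RBAC permission: surface it to the caller
		return false, fmt.Errorf("reading labels of namespace %q: %w", ns, err)
	}
	_, ok := labels["istio-managed"] // assumption: presence of the key opts in
	return ok, nil
}

func main() {
	denied := func(string) (map[string]string, error) { return nil, ErrForbidden }
	allowed := func(string) (map[string]string, error) {
		return map[string]string{"istio-managed": "enabled"}, nil // constructed value
	}
	o := options{explicitOptIn: true}
	fmt.Println(managed("demo", o, denied))
	fmt.Println(managed("demo", o, allowed))
}
```
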

elevran commented Aug 4, 2019

@Monkeyanator is this still needed, given that #15113 is merged and -explicit-opt-in is being deprecated in #15503?

@Monkeyanator

Nope, this should be safe to close 👍
