Citadel can no longer run in a single namespace in 1.3.0 due to listing of namespaces #17309

eoftedal · 2019-09-23T06:56:10Z

Bug description
In 1.3.0 running Citadel in a specific namespace without cluster wide roles no longer works.

istio.io/istio/security/pkg/k8s/controller/workloadsecret.go:231: Failed to list *v1.Namespace: namespaces is forbidden: User \"system:serviceaccount:my-namespace:istio-citadel-service-account\" cannot list namespaces at the cluster scope: no RBAC policy matched

It seems to try to list namespaces cluster wide, even though it was started with --listened-namespaces=

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[x] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Expected behavior
Tested with 1.2.5 an 1.2.6, where Citadel works as expected. This seems to be a breaking change from 1.2.6 to 1.3.0.

Steps to reproduce the bug
Setup the policies for istio citadel to only be Roles in a namespace (my-namespace) instead of ClusterRoles. Start Citadel with --listened-namespaces=my-namespace.

Version (include the output of istioctl version --remote and kubectl version)
1.3.0 of istio

How was Istio installed?
Only Citadel was installed. The sample yaml files were modified to use Roles instead of ClusterRole in order to only run citadel in a single namespace.

Environment where bug was observed (cloud vendor, OS, etc)
Openshift

The text was updated successfully, but these errors were encountered:

howardjohn · 2019-10-01T01:59:43Z

Root cause is #15503, from some comments there looks like this is intended replaces listened namespaces long term?

incfly · 2019-10-01T02:55:44Z

Indeed we are adding requirements of cluster role bindings for Citadel to list the namespaces and then filter in client side based on namespaces values. New docs https://istio.io/docs/tasks/security/ca-namespace-targeting/ The functionality still works. Would that work for you? Or your case has strict requirements to unable to accept cluster role binding for Citadel listing namespaces?

…

On Mon, Sep 30, 2019 at 6:59 PM John Howard ***@***.***> wrote: Root cause is #15503 <#15503>, from some comments there looks like this replaces listened namespaces — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#17309?email_source=notifications&email_token=AAMVXB2ZWEII7JW2F42V653QMKVJZA5CNFSM4IZHBAKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD77U7VI#issuecomment-536825813>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAMVXB37FWJX4HC6KVNBXG3QMKVJZANCNFSM4IZHBAKA> .

incfly · 2020-03-20T07:13:16Z

Closing as above

howardjohn added the area/security label Sep 23, 2019

howardjohn assigned incfly Oct 1, 2019

istio-policy-bot added the lifecycle/needs-triage label Oct 30, 2019

jwendell added the env/openshift label Nov 5, 2019

incfly closed this as completed Mar 20, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Citadel can no longer run in a single namespace in 1.3.0 due to listing of namespaces #17309

Citadel can no longer run in a single namespace in 1.3.0 due to listing of namespaces #17309

eoftedal commented Sep 23, 2019

howardjohn commented Oct 1, 2019 •

edited

incfly commented Oct 1, 2019 via email

incfly commented Mar 20, 2020

Citadel can no longer run in a single namespace in 1.3.0 due to listing of namespaces #17309

Citadel can no longer run in a single namespace in 1.3.0 due to listing of namespaces #17309

Comments

eoftedal commented Sep 23, 2019

howardjohn commented Oct 1, 2019 • edited

incfly commented Oct 1, 2019 via email

incfly commented Mar 20, 2020

howardjohn commented Oct 1, 2019 •

edited