Bug description
In 1.3.0 running Citadel in a specific namespace without cluster wide roles no longer works.
istio.io/istio/security/pkg/k8s/controller/workloadsecret.go:231: Failed to list *v1.Namespace: namespaces is forbidden: User \"system:serviceaccount:my-namespace:istio-citadel-service-account\" cannot list namespaces at the cluster scope: no RBAC policy matched
It seems to try to list namespaces cluster wide, even though it was started with --listened-namespaces=
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[x] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Expected behavior
Tested with 1.2.5 and 1.2.6, where Citadel works as expected. This seems to be a breaking change from 1.2.6 to 1.3.0.
Steps to reproduce the bug
Set up the policies for Istio Citadel to be only Roles in a namespace (my-namespace) instead of ClusterRoles. Start Citadel with --listened-namespaces=my-namespace.
Version (include the output of istioctl version --remote and kubectl version)
1.3.0 of istio
How was Istio installed?
Only Citadel was installed. The sample yaml files were modified to use Roles instead of ClusterRole in order to only run citadel in a single namespace.
Environment where bug was observed (cloud vendor, OS, etc)
Openshift
Indeed, we are adding a requirement of cluster role bindings for Citadel to list the namespaces and then filter on the client side based on the namespaces values.
New docs: https://istio.io/docs/tasks/security/ca-namespace-targeting/
The functionality still works. Would that work for you? Or does your case have strict requirements that make it unable to accept a cluster role binding for Citadel listing namespaces?
On Mon, Sep 30, 2019 at 6:59 PM John Howard wrote:
> Root cause is #15503, from some comments there looks like this replaces listened namespaces
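As an added example (not code from the issue, from Istio or from Citadel), the following Python script simulates the Kubernetes RBAC decision behind the "cannot list namespaces at the cluster scope" error quoted above. It constructs two manifest sets that mirror the two setups discussed: the reporter's namespaced Role plus RoleBinding in my-namespace, and that setup plus the ClusterRole plus ClusterRoleBinding the maintainer's reply says 1.3.0 now needs. The Role and ClusterRole names and the exact rule lists are assumptions for the example; the evaluator models only the RBAC semantics that matter here, namely binding scope and verb/resource matching.

```python
"""Simulate the Kubernetes RBAC decision behind the error in this issue.

Added example, not Istio or Citadel code. Manifests are constructed here;
role/binding names and rule lists are illustrative assumptions. Only the
subset of RBAC semantics needed is modelled: binding scope plus
verb/resource matching in the core ("") API group.
"""

SUBJECT = "system:serviceaccount:my-namespace:istio-citadel-service-account"
NS = "my-namespace"


def rule(verbs, resources):
    """One PolicyRule in the core API group, as a plain dict."""
    return {"apiGroups": [""], "resources": list(resources), "verbs": list(verbs)}


# What Citadel needs inside its own namespace (assumed rule list).
CITADEL_ROLE = [
    rule(["get", "list", "watch", "create", "update", "delete"], ["secrets"]),
    rule(["get", "list", "watch"], ["serviceaccounts", "namespaces"]),
]

# Setup 1: the reporter's configuration. Everything is namespaced.
NAMESPACED_ONLY = {
    "roles": {(NS, "istio-citadel"): CITADEL_ROLE},
    "clusterroles": {},
    "rolebindings": [
        {"namespace": NS, "roleRef": ("Role", "istio-citadel"), "subjects": [SUBJECT]},
    ],
    "clusterrolebindings": [],
}

# Setup 2: the same, plus the smallest cluster-wide grant that satisfies a
# cluster-scoped namespace list/watch. It deliberately carries no secrets access.
CLUSTER_WIDE = {
    "roles": NAMESPACED_ONLY["roles"],
    "clusterroles": {
        "istio-citadel-namespace-reader": [rule(["list", "watch"], ["namespaces"])],
    },
    "rolebindings": NAMESPACED_ONLY["rolebindings"],
    "clusterrolebindings": [
        {"roleRef": ("ClusterRole", "istio-citadel-namespace-reader"), "subjects": [SUBJECT]},
    ],
}


def applicable_rules(manifests, subject, request_ns):
    """Rules that bindings make applicable to one request.

    A ClusterRoleBinding applies to every request. A RoleBinding applies only
    to requests whose namespace equals the binding's namespace, so a
    cluster-scoped request (request_ns == "") never matches a RoleBinding,
    whatever the bound Role says. That is exactly the reporter's failure.
    """
    rules = []
    for b in manifests["clusterrolebindings"]:
        if subject in b["subjects"]:
            rules.extend(manifests["clusterroles"][b["roleRef"][1]])
    for b in manifests["rolebindings"]:
        if subject in b["subjects"] and b["namespace"] == request_ns:
            kind, name = b["roleRef"]
            if kind == "Role":
                rules.extend(manifests["roles"][(b["namespace"], name)])
            else:  # a RoleBinding may reference a ClusterRole; still namespace-limited
                rules.extend(manifests["clusterroles"][name])
    return rules


def can_i(manifests, subject, verb, resource, namespace=""):
    """Authorizer decision: True if any applicable rule matches verb and resource.

    namespace="" is a cluster-scoped request such as LIST /api/v1/namespaces.
    GET /api/v1/namespaces/<name> is namespaced to <name>, which is why a Role
    can grant "get" on its own Namespace object but never a cluster-wide "list".
    """
    for r in applicable_rules(manifests, subject, namespace):
        verb_ok = verb in r["verbs"] or "*" in r["verbs"]
        resource_ok = resource in r["resources"] or "*" in r["resources"]
        if verb_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    for label, m in (("namespaced-only", NAMESPACED_ONLY), ("cluster-wide", CLUSTER_WIDE)):
        print(label, "list namespaces (cluster scope):", can_i(m, SUBJECT, "list", "namespaces"))
        print(label, "list secrets in", NS + ":", can_i(m, SUBJECT, "list", "secrets", NS))
```

Against a real cluster, `kubectl auth can-i list namespaces --as=system:serviceaccount:my-namespace:istio-citadel-service-account` asks the API server the same question the script answers offline. The cluster-wide setup shown grants only list/watch on namespaces; Citadel's secrets access stays confined to my-namespace by the RoleBinding, which is the least-privilege shape to aim for if you accept the ClusterRoleBinding the reply asks about.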