Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Istio 1.4 ingress-gateway RBAC not found issue #19371
The error that my Istio-ingressgateway pod is logging is:
error email@example.com+incompatible/tools/cache/reflector.go:98: Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:istio-system:istio-ingressgateway-service-account" cannot list resource "secrets" in API group "" in the namespace "istio-system": RBAC: role.rbac.authorization.k8s.io "istio-ingressgateway-sds" not found
Steps to reproduce the bug
Version (include the output of
How was Istio installed?
istioctl manifest apply
Then followed this along with cert manager steps for v0.12: https://istio.io/docs/tasks/traffic-management/ingress/ingress-certmgr/#configuring-dns-name-and-gateway
AKS - Azure
Looks like its not creating the role properly. We should see:
created based on the command above. Can you check that the role exists?
Ok here it is: kubectl describe rolebinding istio-ingressgateway-sds -n istio-system
Then when running: kubectl get role -n istio-system
Ok the istioctl command you mean. Those flags were based off that Istio ingress-certmgr article and then the last four flags were just what I figured I would need to pass through to have them features. Previously I installed istio 1.1 via Helm earlier this year but opted for istio 1.4 via istioctl this time around.
The installation was done just yesterday and dont believe i've removed anything, either way, do you foresee any issues running the below manually with kubectl apply?
Thanks @howardjohn !!
@richardwxn I confirmed the role shows up from
Yep me either @so-jelly:
istioctl version && istioctl manifest generate | grep -i "Kind: Role" client version: 1.4.2 control plane version: 1.4.2 data plane version: 1.4.2 (14 proxies)
Applying the role manually seems to work, but actually istioctl is not creating the required Role.
I still see this with 1.4.3
Completely deleted the
Using istio-operator if thats relevant