Canary uninstall removes Istio service account. #30441
Labels
area/upgrade
Issues related to upgrades
lifecycle/automatically-closed
Indicates a PR or issue that has been closed automatically.
lifecycle/stale
Indicates a PR or issue hasn't been manipulated by an Istio team member for a while
Bug description
I was trying out the canary install method. With two installs on a cluster, one 1.7.6 version installed with istioctl without a revision and one with a revision specified (version 1.8.2), deleting the revisioned install seems to remove the service account associated globally with Istio. The relevant lines in the istioctl output when running the uninstall are:
This caused the existing 1.7.6 istiod deployment to become unauthenticated with the k8s api, breaking new sidecar deployments which couldn't talk to istiod.
Re-running the in-place upgrade for 1.7.6 after the service account was deleted seemed to fix the problem (after a restart of istiod), as it re-created the service account. The relevant service account objects and their lifetime as reported by kubectl also indicate that the service account was erroneously deleted (from `kubectl get serviceaccounts`):
Am I doing something wrong with the canary install? From the documentation, I was under the impression that running `istioctl install --set revision=<rev>` and `istioctl x uninstall --revision <rev>` for a specific revision should not impact an existing install in any way?
Thanks!
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
[x] Upgrade
Expected behavior
Installing/Uninstalling canary installs has no effect on existing installs.
Steps to reproduce the bug
Version (include the output of `istioctl version --remote` and `kubectl version --short` and `helm version --short` if you used Helm)
Istio: 1.7.6/1.8.2
kubectl:
How was Istio installed?
istioctl (with and without canary revision)
Environment where the bug was observed (cloud vendor, OS, etc)
GKE