Istio manager cannot list or create k8s TPR when RBAC enabled #327

Closed
lachie83 opened this issue May 26, 2017 · 6 comments

@lachie83 lachie83 commented May 26, 2017

Seeing the following when running through the installation tutorial.
I've run:

kubectl apply -f install/kubernetes/istio-rbac-beta.yaml
kubectl apply -f install/kubernetes/istio-auth.yaml

  • k8s 1.6.4
  • RBAC enabled

kubectl logs istio-manager-2910860705-c3zsh -c apiserver
I0526 03:10:04.952228       1 client.go:205] TPR "IstioConfig" is not ready (User "system:serviceaccount:default:istio-manager-service-account" cannot list istioconfigs.istio.io at the cluster scope. (get IstioConfigs.istio.io)). Waiting...
I0526 03:10:05.955367       1 client.go:205] TPR "IstioConfig" is not ready (User "system:serviceaccount:default:istio-manager-service-account" cannot list istioconfigs.istio.io at the cluster scope. (get IstioConfigs.istio.io)). Waiting...
Error: 2 errors occurred:
* failed to register Third-Party Resources. User "system:serviceaccount:default:istio-manager-service-account" cannot get thirdpartyresources.extensions at the cluster scope. (get thirdpartyresources.extensions istio-config.istio.io)
* failed to register Third-Party Resources. Failed to create all TPRs

The issue appears to be that the manager services are doing a get at the cluster scope and we have a RoleBinding which is namespaced. Either you change the code to do a scoped get on the namespace or change the following to a ClusterRoleBinding and add the namespace to the subject.

# Grant permissions to the Manager/discovery.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-manager-admin-role-binding
subjects:
- kind: ServiceAccount
  name: istio-manager-service-account
roleRef:
  kind: ClusterRole
  name: istio-manager
  apiGroup: rbac.authorization.k8s.io
@lachie83 lachie83 commented May 26, 2017

Also seeing the same issue on the ingress RoleBinding:

* failed to register Third-Party Resources. User "system:serviceaccount:default:istio-ingress-service-account" cannot get thirdpartyresources.extensions at the cluster scope. (get thirdpartyresources.extensions istio-config.istio.io)
* failed to register Third-Party Resources. Failed to create all TPRs
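The fix proposed in the two comments above, written out as an added example (not from the issue or from the Istio manifests): the RoleBinding becomes a ClusterRoleBinding and the subject gains the namespace the service account lives in, which the log lines show is default. The manager names come from the thread; the ingress ClusterRole name istio-ingress is an assumption, so take the real name from your istio-rbac-beta.yaml.

```yaml
# Grant the Manager/discovery service account its ClusterRole at cluster scope.
# A namespaced RoleBinding only authorises requests inside that namespace, so
# the manager's cluster-scoped get/list on thirdpartyresources.extensions and
# istioconfigs.istio.io is denied; a ClusterRoleBinding covers cluster scope.
# The grant is now cluster-wide, so keep the rules in the istio-manager
# ClusterRole limited to the resources the manager actually needs.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-manager-admin-role-binding
subjects:
- kind: ServiceAccount
  name: istio-manager-service-account
  # Required in a ClusterRoleBinding: the namespace of the service account
  # (from the log: system:serviceaccount:default:istio-manager-service-account).
  namespace: default
roleRef:
  kind: ClusterRole
  name: istio-manager
  apiGroup: rbac.authorization.k8s.io
---
# Same change for the ingress service account reported in the second comment.
# ClusterRole name "istio-ingress" is an assumption, not taken from the thread.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-ingress-admin-role-binding
subjects:
- kind: ServiceAccount
  name: istio-ingress-service-account
  namespace: default
roleRef:
  kind: ClusterRole
  name: istio-ingress
  apiGroup: rbac.authorization.k8s.io
```

After applying it, confirm the grant before restarting the pod with `kubectl auth can-i get thirdpartyresources.extensions --as=system:serviceaccount:default:istio-manager-service-account`, which should answer yes.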
lachie83 added a commit to lachie83/istio that referenced this issue May 26, 2017
Bring alpha and beta rbac rules into sync
@ldemailly ldemailly commented May 26, 2017

Data point: with a similar setup (GKE 1.6.4, RBAC) I don't get that error, but I had to do:

kubectl create clusterrolebinding ldemailly-cluster-admin-binding --clusterrole=cluster-admin --user=ldemailly@google.com

( per istio/old_issues_repo#18 )

@rootsongjc rootsongjc commented Jun 1, 2017

@lachie83 I ran into the same problem as you.
Your solution really works for me.

2017-06-01T09:38:23.925511925Z I0601 09:38:23.925310       1 client.go:205] TPR "IstioConfig" is not ready (User "system:serviceaccount:default:istio-manager-service-account" cannot list istioconfigs.istio.io at the cluster scope. (get IstioConfigs.istio.io)). Waiting...
2017-06-01T09:38:24.925792059Z Error: 2 errors occurred:
2017-06-01T09:38:24.925818126Z 
2017-06-01T09:38:24.925823562Z * failed to register Third-Party Resources. User "system:serviceaccount:default:istio-manager-service-account" cannot get thirdpartyresources.extensions at the cluster scope. (get thirdpartyresources.extensions istio-config.istio.io)
2017-06-01T09:38:24.925831028Z * failed to register Third-Party Resources. Failed to create all TPRs

When I use a ClusterRoleBinding instead of a RoleBinding, the problem is solved.

My environment

  • Kubernetes 1.6.0
  • Bare Metal CentOS
  • RBAC enabled
@decker502 decker502 commented Jun 2, 2017

@lachie83 I ran into the same problem as you.
Your solution really works for me too.

My environment

  • Kubernetes 1.6.2
  • Bare Metal CoreOS
  • RBAC enabled

@jcantosz jcantosz commented Jul 5, 2017

@lachie83 Thanks for posting that yaml.
I found for Istio 1.6 that replacing istio-manager with istio-pilot in that file allows my pods to run (previously the ingress & pilot pods were crashing).

Here is a command to do that replacement: sed -i 's/istio-manager/istio-pilot/g' istio-0.1.6/install/kubernetes/istio-rbac-beta.yaml

lachie83 added a commit to lachie83/istio that referenced this issue Jul 7, 2017
Bring alpha and beta rbac rules into sync
@ldemailly ldemailly commented Jul 18, 2017

@jcantosz
This is very strange, because 0.1.6 already has that change; the sed you mention is a noop:

$ grep -i manager istio-0.1.6/install/kubernetes/istio-rbac-beta.yaml
# nothing - there is no "manager" in this file at all
$ grep -i pilot istio-0.1.6/install/kubernetes/istio-rbac-beta.yaml
  name: istio-pilot
# Grant permissions to the Pilot/discovery.
  name: istio-pilot-admin-role-binding
  name: istio-pilot-service-account
  name: istio-pilot
# Grant permissions to the Pilot/discovery.
  name: istio-pilot
andraxylia added a commit that referenced this issue Jul 19, 2017
…333)

* Fixes #327
Bring alpha and beta rbac rules into sync

* handle manager->pilot rename

* Revert "handle manager->pilot rename"

This reverts commit ffcac4d.

* removed extra comments that were not originally present