system:serviceaccount:default:istio-pilot-service-account" cannot create customresourcedefinitions.apiextensions.k8s.io at the cluster scope #572

Closed
rainard opened this Issue Aug 17, 2017 · 11 comments

rainard commented Aug 17, 2017

When I do "kubectl apply -f istio.yaml", it can't work. How can I fix it?

default       istio-egress-261638103-bdwr3            1/1       Running                            
default       istio-ingress-4062434106-x5njq          1/1       Running                         
default       istio-mixer-2284716121-vx5kn            2/2       Running                    
default       istio-pilot-3717782336-dvnf3            0/1       CrashLoopBackOff   12     
#kubectl logs  istio-pilot-3717782336-dvnf3    

I0817 08:18:07.809503     123 main.go:79] mesh configuration (*istio_proxy_v1_config.ProxyMeshConfig)(0xc420090f00)(egress_proxy_address:"istio-egress:80" discovery_address:"istio-pilot:8080" mixer_address:"istio-mixer:9091" zipkin_address:"zipkin:9411" statsd_udp_address:"istio-mixer:9125" proxy_listen_port:15001 proxy_admin_port:15000 drain_duration:<seconds:2 > parent_shutdown_duration:<seconds:3 > istio_service_cluster:"istio-proxy" discovery_refresh_delay:<seconds:1 > connect_timeout:<seconds:1 > ingress_class:"istio" ingress_service:"istio-ingress" ingress_controller_mode:STRICT auth_certs_path:"/etc/certs" )
Error: failed to register custom resources. User "system:serviceaccount:default:istio-pilot-service-account" cannot create customresourcedefinitions.apiextensions.k8s.io at the cluster scope. (post customresourcedefinitions.apiextensions.k8s.io)

........

 failed to register custom resources. User "system:serviceaccount:default:istio-pilot-service-account" cannot create customresourcedefinitions.apiextensions.k8s.io at the cluster scope. (post customresourcedefinitions.apiextensions.k8s.io)

ldemailly commented Aug 17, 2017

Thx for trying Istio out. Can you file your issue in
https://github.com/istio/issues/issues
and also indicate the exact versions you are using?

This looks like an RBAC/rule issue we think we fixed in the latest code.

@ldemailly ldemailly closed this Aug 17, 2017

andraxylia commented Aug 18, 2017

I have the same issue, there was another recent change in the pilot code that is not covered by the latest rbac rules.

@andraxylia andraxylia reopened this Aug 18, 2017

andraxylia commented Aug 18, 2017

The workaround is to give the pilot service account cluster-admin role:

kubectl create clusterrolebinding cluster-admin-binding-2 --clusterrole=cluster-admin --user=system:serviceaccount:default:istio-pilot-service-account

If deploying istio in a different namespace than "default", replace "default" in "system:serviceaccount:default:istio-pilot-service-account" with the actual namespace.
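
A narrower alternative to the cluster-admin workaround above, as an added example that is not part of the original thread or of Istio's own manifests: a ClusterRole limited to the resource named in the denial, bound to the pilot service account. The name `istio-pilot-crd-registrar` and the verbs other than `create` are assumptions; on the Kubernetes 1.7 clusters discussed here the RBAC API version is `v1beta1` rather than `v1`.

```yaml
# Added example: least-privilege replacement for binding cluster-admin to pilot.
# Role and binding names are hypothetical; namespace "default" matches the thread.
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 on Kubernetes 1.7
kind: ClusterRole
metadata:
  name: istio-pilot-crd-registrar          # hypothetical name
rules:
  # The denial in the pilot log names exactly this group/resource at cluster scope.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    # "create" is the verb the API server rejected. The read verbs are an
    # assumption (a controller usually checks whether its CRDs already exist);
    # update and delete are intentionally not granted.
    verbs: ["create", "get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 on Kubernetes 1.7
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-crd-registrar          # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-crd-registrar
subjects:
  # Bind the service account itself rather than a --user string.
  - kind: ServiceAccount
    name: istio-pilot-service-account
    namespace: default                     # change if Istio runs in another namespace
```

After applying it, `kubectl auth can-i create customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:default:istio-pilot-service-account` should print `yes`, and the `cluster-admin-binding-2` binding from the workaround can then be deleted.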

andraxylia commented Aug 18, 2017

What k8s version do you have? I started getting this with 1.7.3, although all RBAC rules are in place.

@ldemailly ldemailly added the install label Aug 18, 2017

@ldemailly ldemailly added this to the Istio 0.2 milestone Aug 18, 2017

gyliu513 commented Aug 22, 2017

@andraxylia we may need to add cdr to the role of istio-pilot here https://github.com/istio/istio/blob/master/install/kubernetes/istio-rbac-beta.yaml#L21 , but I did not find where we defined the cdr. Can you point this out? Thanks.

andraxylia commented Aug 22, 2017

andraxylia commented Aug 22, 2017

Can you also try the command below, as described here (https://github.com/kelseyhightower/istio-ingress-tutorial/blob/master/docs/03-kubernetes-infrastructure.md), and let me know if it fixes the problem?

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=$(gcloud config get-value core/account)

gyliu513 commented Aug 23, 2017

@andraxylia it is weird, as we already defined the CDR permission. Did you find which resource needs to depend on CDR? I did not find the template that defines the CDR resources.

andraxylia commented Aug 23, 2017

Have you tried the command above, if you are using GKE? If you are using another k8s, just replace --user= ... with your actual user.

gyliu513 commented Aug 23, 2017

@andraxylia I did not encounter this problem; I am just curious why it failed even though we have already defined the CDR permission for the user of istio-pilot. Also, I did not find which template in istio is using CDR.

andraxylia commented Aug 23, 2017

Pilot and mixer will use CRDs (Custom Resource Definitions).
I will close this issue for now, please re-open if you still have it.

@andraxylia andraxylia closed this Aug 23, 2017

mandarjog pushed a commit to mandarjog/istio that referenced this issue Oct 30, 2017

Zack
Introduce "strict" selector evaluation during config resolution. (istio#572)

* Add the concept of strict selector evaluation: when eval is not strict we allow selector evaluation to fail but report success in config resolution, returning as many configs as we have. Otherwise we fail resolution.

* Add strict to ResolveUnconditional too, edit the error message about the missing identity attribute


Former-commit-id: ef968bb12a32c9a34be266cc65c3d1bed54c61e8

mandarjog pushed a commit that referenced this issue Oct 31, 2017

Zack
Introduce "strict" selector evaluation during config resolution. (#572)
* Add the concept of strict selector evaluation: when eval is not strict we allow selector evaluation to fail but report success in config resolution, returning as many configs as we have. Otherwise we fail resolution.

* Add strict to ResolveUnconditional too, edit the error message about the missing identity attribute


Former-commit-id: 4133437e6cef106028216dbfcfbb6bf8912eace6

rshriram added a commit to rshriram/istio that referenced this issue Jul 31, 2018

Bump release-1.0 (istio#572)
* Add a Readme.md file for the MCP protocol. (istio#565)

* Add a Readme.md file for the MCP protocol.

* Add a link to the XDS protocol.

* source_ip field is bool (istio#568)

* source_ip field is bool

- on the envoy side the source_ip field is
used as an indicator to determine whether or not
to use it as the hash value.

https://github.com/envoyproxy/envoy/blob/2c3c3e7546451a03cf4b7e9036ee48dda26fe49c/api/envoy/api/v2/route/route.proto#L535

* field now called use_source_ip

* Fix typos in comments. (istio#571)