system:serviceaccount:default:istio-pilot-service-account" cannot create customresourcedefinitions.apiextensions.k8s.io at the cluster scope #572
Comments
Thx for trying istio out, can you file your issue in this looks like an rbac/rule issue we think we fixed in latest code
I have the same issue, there was another recent change in the pilot code that is not covered by the latest rbac rules.
The workaround is to give the pilot service account cluster-admin role:
If deploying istio in a different namespace than "default", replace "default" in "system:serviceaccount:default:istio-pilot-service-account" with the actual namespace.
What k8s version do you have? I started getting this with 1.7.3, although all RBAC rules are in place.
@andraxylia we may need to add
The CRD permissions are defined here: https://github.com/istio/istio/blob/master/install/kubernetes/istio-rbac-beta.yaml#L15
Can you also try the command below, as described here, and let me know if it fixes the problem?
@andraxylia it is weird, as we already defined the CRD permission. Did you find which resource needs to depend on CRD? I did not find the template where the CRD resources are defined.
Have you tried the command above, if you are using GKE? If you are using another k8s, just replace --user= ... with your actual user.
@andraxylia I did not encounter this problem, just curious why it failed even though we have already defined the CRD permission for the user of istio-pilot. Also, I did not find which template in istio is using CRD.
Pilot and mixer will use CRDs (Custom Resource Definitions).
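The permission check discussed in this thread, as an added example that is not from the issue or from Istio's code: it evaluates ClusterRole and ClusterRoleBinding objects (as dicts, such as the items from `kubectl get clusterroles,clusterrolebindings -o json`) for the service account in the error message, and marks wildcard grants such as cluster-admin. The role names `example-pilot` and `example-pilot-crd`, the `example.io` API group, and all helper names are assumptions made for illustration.

```python
# Added example; role and binding names are constructed sample data.
def _has(values, wanted):
    return "*" in values or wanted in values

def rule_allows(rule, verb, group, resource):
    # A rule restricted by resourceNames cannot authorize "create": the
    # object name is not known when the request is authorized.
    if verb == "create" and rule.get("resourceNames"):
        return False
    return (_has(rule.get("verbs", []), verb) and _has(rule.get("apiGroups", []), group)
            and _has(rule.get("resources", []), resource))

def subject_matches(subject, namespace, name):
    if subject.get("kind") == "ServiceAccount":
        return (subject.get("namespace"), subject.get("name")) == (namespace, name)
    groups = ("system:authenticated", "system:serviceaccounts",
              f"system:serviceaccounts:{namespace}")  # groups every service account is in
    return subject.get("kind") == "Group" and subject.get("name") in groups

def cluster_grants(roles, bindings, namespace, name, verb, group, resource):
    """List (binding, role, wildcard) for each ClusterRoleBinding allowing the request."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    found = []
    for b in bindings:
        if not any(subject_matches(s, namespace, name) for s in b.get("subjects") or []):
            continue
        for rule in by_name.get(b["roleRef"]["name"], {}).get("rules") or []:
            if rule_allows(rule, verb, group, resource):
                wildcard = "*" in rule.get("verbs", []) or "*" in rule.get("resources", [])
                found.append((b["metadata"]["name"], b["roleRef"]["name"], wildcard))
                break
    return found

SA = ("default", "istio-pilot-service-account")  # from the error message
REQUEST = ("create", "apiextensions.k8s.io", "customresourcedefinitions")
ROLES = [
    {"metadata": {"name": "example-pilot"}, "rules": [  # no CRD rule
        {"apiGroups": ["example.io"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "example-pilot-crd"}, "rules": [  # narrow CRD grant
        {"apiGroups": ["apiextensions.k8s.io"], "verbs": ["create", "get", "list"],
         "resources": ["customresourcedefinitions"]}]},
    {"metadata": {"name": "cluster-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

def bind(binding_name, role_name):
    subject = {"kind": "ServiceAccount", "namespace": SA[0], "name": SA[1]}
    return {"metadata": {"name": binding_name}, "subjects": [subject],
            "roleRef": {"kind": "ClusterRole", "name": role_name}}
```

Calling `cluster_grants(ROLES, [bind("b", "cluster-admin")], *SA, *REQUEST)` returns the grant with the wildcard flag set, while the same call against a binding to `example-pilot-crd` returns it unset; a binding whose subject names a different namespace than the one the service account runs in returns no grant at all.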
…io#572) * Add the concept of strict selector evaluation: when eval is not strict we allow selector evaluation to fail but report success in config resolution, returning as many configs as we have. Otherwise we fail resolution. * Add strict to ResolveUnconditional too, edit the error message about the missing identity attribute Former-commit-id: ef968bb12a32c9a34be266cc65c3d1bed54c61e8
* Add the concept of strict selector evaluation: when eval is not strict we allow selector evaluation to fail but report success in config resolution, returning as many configs as we have. Otherwise we fail resolution. * Add strict to ResolveUnconditional too, edit the error message about the missing identity attribute Former-commit-id: 4133437e6cef106028216dbfcfbb6bf8912eace6
* Add a Readme.md file for the MCP protocol. (istio#565) * Add a Readme.md file for the MCP protocol. * Add a link to the XDS protocol. * source_ip field is bool (istio#568) * source_ip field is bool - on the envoy side the source_ip field is used as an indicator to determine whether or not to use it as the hash value. https://github.com/envoyproxy/envoy/blob/2c3c3e7546451a03cf4b7e9036ee48dda26fe49c/api/envoy/api/v2/route/route.proto#L535 * field now called use_source_ip * Fix typos in comments. (istio#571)
When I do "kubectl apply -f istio.yaml", it doesn't work. How can I fix it?