system:serviceaccount:default:istio-pilot-service-account" cannot create customresourcedefinitions.apiextensions.k8s.io at the cluster scope #572

Closed
rainard opened this issue Aug 17, 2017 · 11 comments

rainard commented Aug 17, 2017

When I do "kubectl apply -f istio.yaml", it can't work. How can I fix it?

default       istio-egress-261638103-bdwr3            1/1       Running                            
default       istio-ingress-4062434106-x5njq          1/1       Running                         
default       istio-mixer-2284716121-vx5kn            2/2       Running                    
default       istio-pilot-3717782336-dvnf3            0/1       CrashLoopBackOff   12     
#kubectl logs  istio-pilot-3717782336-dvnf3    

I0817 08:18:07.809503     123 main.go:79] mesh configuration (*istio_proxy_v1_config.ProxyMeshConfig)(0xc420090f00)(egress_proxy_address:"istio-egress:80" discovery_address:"istio-pilot:8080" mixer_address:"istio-mixer:9091" zipkin_address:"zipkin:9411" statsd_udp_address:"istio-mixer:9125" proxy_listen_port:15001 proxy_admin_port:15000 drain_duration:<seconds:2 > parent_shutdown_duration:<seconds:3 > istio_service_cluster:"istio-proxy" discovery_refresh_delay:<seconds:1 > connect_timeout:<seconds:1 > ingress_class:"istio" ingress_service:"istio-ingress" ingress_controller_mode:STRICT auth_certs_path:"/etc/certs" )
Error: failed to register custom resources. User "system:serviceaccount:default:istio-pilot-service-account" cannot create customresourcedefinitions.apiextensions.k8s.io at the cluster scope. (post customresourcedefinitions.apiextensions.k8s.io)

........

 failed to register custom resources. User "system:serviceaccount:default:istio-pilot-service-account" cannot create customresourcedefinitions.apiextensions.k8s.io at the cluster scope. (post customresourcedefinitions.apiextensions.k8s.io)
@ldemailly
Contributor

Thanks for trying Istio out. Can you file your issue in
https://github.com/istio/issues/issues
and also indicate the exact versions you are using?

This looks like an RBAC/rule issue we think we fixed in the latest code.

@andraxylia
Contributor

I have the same issue; there was another recent change in the pilot code that is not covered by the latest RBAC rules.

andraxylia reopened this Aug 18, 2017
@andraxylia
Contributor

andraxylia commented Aug 18, 2017

The workaround is to give the pilot service account cluster-admin role:

kubectl create clusterrolebinding cluster-admin-binding-2   --clusterrole=cluster-admin   --user=system:serviceaccount:default:istio-pilot-service-account

If deploying istio in a different namespace than "default", replace "default" in "system:serviceaccount:default:istio-pilot-service-account" with the actual namespace.
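
An added example, not part of the comment above or of the Istio project's manifests: a ClusterRole limited to the one request the error message names, bound to the pilot service account, as a narrower alternative to cluster-admin. The role name and the verbs other than create are assumptions; it covers only the denied request quoted in the log, and any other permissions pilot needs still come from the existing RBAC manifest.

```yaml
# Added example (not from the Istio repository). Names marked "hypothetical"
# are assumptions.
# On Kubernetes 1.7.x, as used in this thread, RBAC is served as
# rbac.authorization.k8s.io/v1beta1; v1 is available from 1.8.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-pilot-crd-registrar   # hypothetical name
rules:
  # The denied request in the log: create customresourcedefinitions in
  # the apiextensions.k8s.io API group, at cluster scope.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    # "create" is the verb from the error; get/list/watch are assumed
    verbs: ["create", "get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-crd-registrar   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-crd-registrar
subjects:
  - kind: ServiceAccount
    name: istio-pilot-service-account
    namespace: default   # replace if Istio is deployed elsewhere
```

After applying it, `kubectl auth can-i create customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:default:istio-pilot-service-account` should answer yes. If pilot then logs a different denied verb or resource, add that rule to the role rather than widening the binding.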

@andraxylia
Contributor

What k8s version do you have? I started getting this with 1.7.3, although all RBAC rules are in place.

ldemailly added this to the Istio 0.2 milestone Aug 18, 2017
@gyliu513
Member

@andraxylia we may need to add cdr to the role of istio-pilot here https://github.com/istio/istio/blob/master/install/kubernetes/istio-rbac-beta.yaml#L21, but I did not find where we defined the cdr. Can you point this out? Thanks.

@andraxylia
Contributor

andraxylia commented Aug 22, 2017

Can you also try the command below, as described here, and let me know if it fixes the problem?

(https://github.com/kelseyhightower/istio-ingress-tutorial/blob/master/docs/03-kubernetes-infrastructure.md)

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=$(gcloud config get-value core/account)

@gyliu513
Member

@andraxylia it is weird, as we already defined the CDR permission. Did you find which resource needs to depend on CDR? I did not find the template where the CDR resources are defined.

@andraxylia
Contributor

Have you tried the command above, if you are using GKE? If you are using another k8s, just replace --user= ... with your actual user.

@gyliu513
Member

@andraxylia I did not encounter this problem; I am just curious why it failed even though we have already defined the CDR permission for the user of istio-pilot. Also, I did not find which template in Istio is using CDR.

@andraxylia
Contributor

Pilot and mixer will use CRDs (Custom Resource Definitions).
I will close this issue for now; please re-open if you still have it.

mandarjog pushed a commit to mandarjog/istio that referenced this issue Oct 30, 2017
…io#572)

* Add the concept of strict selector evaluation: when eval is not strict we allow selector evaluation to fail but report success in config resolution, returning as many configs as we have. Otherwise we fail resolution.

* Add strict to ResolveUnconditional too, edit the error message about the missing identity attribute


Former-commit-id: ef968bb12a32c9a34be266cc65c3d1bed54c61e8
mandarjog pushed a commit that referenced this issue Oct 31, 2017
* Add the concept of strict selector evaluation: when eval is not strict we allow selector evaluation to fail but report success in config resolution, returning as many configs as we have. Otherwise we fail resolution.

* Add strict to ResolveUnconditional too, edit the error message about the missing identity attribute


Former-commit-id: 4133437e6cef106028216dbfcfbb6bf8912eace6
rshriram pushed a commit to rshriram/istio that referenced this issue Jul 31, 2018
* Add a Readme.md file for the MCP protocol. (istio#565)

* Add a Readme.md file for the MCP protocol.

* Add a link to the XDS protocol.

* source_ip field is bool (istio#568)

* source_ip field is bool

- on the envoy side the source_ip field is
used as an indicator to determine whether or not
to use it as the hash value.

https://github.com/envoyproxy/envoy/blob/2c3c3e7546451a03cf4b7e9036ee48dda26fe49c/api/envoy/api/v2/route/route.proto#L535

* field now called use_source_ip

* Fix typos in comments. (istio#571)
howardjohn pushed a commit to howardjohn/istio that referenced this issue Jan 12, 2020