Constantly get error message: Mesh-wide mTLS status feature disabled #1337
Comments
@jhasselgren I suspect this is related to the specific build of AWS EKS. I need to investigate more.
For my tests I've used Kubernetes version v1.11.0+d4cacc0. This is a starting point, just to spot whether the potential issue was in the Istio / Kiali code base or if it's related to the platform, as it looks like. I'm trying to set up an AWS EKS environment to also confirm/reproduce the issue.
OK, I can get the same 404 error in the API. Thanks for your time reporting this issue @jhasselgren, it was a tricky one, as Kiali was using a side effect that worked in all k8s we tested but not on AWS EKS.
Looks like Kiali was taking advantage of something that was classified as a security vulnerability. The CVE (apparently, still undisclosed): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11247. A related article: https://www.stackrox.com/post/2019/08/how-to-remediate-kubernetes-security-vulnerability-cve-2019-11247/. Indeed the CVE makes sense. Why see a cluster-wide resource if you shouldn't have access? :/ So this is not specific to AKS, but a broader issue that will eventually be fixed in all maintained k8s versions and flavors (and I guess it's going to be soon). Which means that we must stop using this kind of query to the cluster API.
@jhasselgren the latest images from master should fix the issue. Please let us know if there is any additional comment on this. Closed by #1346
Tried it and it works like a charm, good work with fixing the problem! |
Describe the bug
After the summer we suddenly get the following error message in Kiali in all of our environments (dev, test, prod):
After some troubleshooting done in the Kiali Forum
These are our findings:
Kiali makes the following call:
And gets a 404 as a reply
But if we make the same call, ignoring the namespace part, we get a reply
And the reason for this looks to be that meshpolicies in APIResourceList has "namespaced": false
Versions used
Kiali: 1.1.0 & 1.2.0
Istio: 1.2.0
Kubernetes flavour and version: v1.11.10-eks-f12431 (AWS EKS)
Expected behavior
That Kiali should be able to retrieve the default meshpolicy with no errors
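An added example, not Kiali's own code and not the fix from #1346: a Go client helper that reads the `namespaced` flag from the APIResourceList before building the request path, so a cluster-scoped resource such as meshpolicies is never requested through a namespace (the request that returns 404 in this issue). The group/version `authentication.istio.io/v1alpha1`, the namespace `istio-system`, the helper name `resourcePath` and the discovery JSON are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample of a discovery response (APIResourceList); the
// group/version and entries are assumptions, not captured from a cluster.
const sampleDiscovery = `{
  "groupVersion": "authentication.istio.io/v1alpha1",
  "resources": [
    {"name": "meshpolicies", "kind": "MeshPolicy", "namespaced": false},
    {"name": "policies", "kind": "Policy", "namespaced": true}
  ]
}`

type apiResourceList struct {
	GroupVersion string `json:"groupVersion"`
	Resources    []struct {
		Name       string `json:"name"`
		Namespaced bool   `json:"namespaced"`
	} `json:"resources"`
}

// resourcePath (hypothetical helper) returns the REST path for one object and
// adds the /namespaces/<ns> segment only when discovery marks the resource as
// namespaced. For cluster-scoped resources the ns argument is ignored.
func resourcePath(discovery []byte, resource, ns, name string) (string, error) {
	var list apiResourceList
	if err := json.Unmarshal(discovery, &list); err != nil {
		return "", fmt.Errorf("parse discovery document: %w", err)
	}
	for _, r := range list.Resources {
		if r.Name != resource {
			continue
		}
		prefix := "/apis/" + list.GroupVersion
		if r.Namespaced {
			prefix += "/namespaces/" + ns
		}
		return prefix + "/" + resource + "/" + name, nil
	}
	return "", fmt.Errorf("resource %q not served by %s", resource, list.GroupVersion)
}

func main() {
	p, err := resourcePath([]byte(sampleDiscovery), "meshpolicies", "istio-system", "default")
	fmt.Println(p, err)
}
```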