As per the issue title, basically following the current clustermesh guide (1.7 or earlier, and 1.8 as of today), it is easy to miss that global.identityAllocationMode is set to crd by default. If this is not reconfigured to kvstore then identities for pods in remote clusters will not be propagated to other clusters, so cross-cluster policy will not work correctly.
Potential mitigations:
- Mention in clustermesh documentation to enable this option
- Auto-enable this option in helm charts if global.etcd.enabled is set to true
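
A preflight lint for the misconfiguration described above, as an added example that is not part of the original issue or of the Cilium project's code. The Helm keys and the crd default are taken from the issue text; the function names and sample values are hypothetical and constructed for illustration.

```python
# Added example: lint Helm values before joining clusters into a clustermesh.
# Key names and the "crd" default come from the issue text; function names and
# sample values are constructed for illustration.

DEFAULT_IDENTITY_MODE = "crd"  # default stated in the issue


def lookup(values, dotted, default=None):
    """Resolve a dotted key in nested values or in a flat dotted-key map."""
    if dotted in values:  # flat form: {"global.etcd.enabled": "true"}
        return values[dotted]
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def as_bool(value):
    """Values may arrive as strings (e.g. helm --set-string) or real booleans."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def check_values(cluster, values):
    """Return a list of findings for one cluster's Helm values."""
    etcd = as_bool(lookup(values, "global.etcd.enabled", False))
    mode = lookup(values, "global.identityAllocationMode", DEFAULT_IDENTITY_MODE)
    if etcd and mode != "kvstore":
        return [f"{cluster}: global.etcd.enabled=true but "
                f"global.identityAllocationMode={mode}; identities for pods "
                f"in remote clusters will not be propagated"]
    return []


def check_all(samples):
    """Check every cluster and return all findings in name order."""
    return [f for name in sorted(samples) for f in check_values(name, samples[name])]


# Constructed sample values for three clusters.
SAMPLES = {
    "cluster-a": {"global": {"etcd": {"enabled": True}}},  # mode omitted -> crd
    "cluster-b": {"global.etcd.enabled": "true",
                  "global.identityAllocationMode": "kvstore"},
    "cluster-c": {"global": {"etcd": {"enabled": False}}},
}

if __name__ == "__main__":
    for finding in check_all(SAMPLES):
        print(finding)
```

Only cluster-a is flagged: it enables etcd but leaves the identity allocation mode at its default.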