Updated v1alpha to use fine grain RBAC rules#272
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed, please reply here (e.g.
@costinm @andraxylia can you guys confirm if this is okay?
| # If using minikube, start with '--extra-config=apiserver.Authorization.Mode=RBAC' | ||
| # | ||
| # NOTE: If deploying istio to a namespace other than 'default' then change the | ||
| # ClusterRoleBinding namspace target appropriately. |
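Review bot: typo in the comment text, "namspace" should read "namespace"; also worth stating in the same comment which field the reader is expected to edit (the subject's namespace in the ClusterRoleBinding), since the ClusterRole itself is cluster-wide and does not change.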
If you change ClusterRoleBinding to simply RoleBinding, then you don't need to specify namespace. The binding will be scoped to whatever namespace kubectl is using.
So, keep in mind that @dcberg tweaked the existing RBAC beta to work on RBAC v1alpha1. This is what he got working. So, before we suggest alternatives, we need to make sure that this would work on v1alpha1. I remember trying the RoleBinding and it didn't work (IIRC).
In v1alpha1 RoleBinding does not work with ClusterRoles.
| resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses"] | ||
| verbs: ["*"] | ||
| - apiGroups: [""] | ||
| resources: ["configmaps", "endpoints", "pods", "services", "namespaces"] |
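Review bot: `verbs: ["*"]` on thirdpartyresources, thirdpartyresources.extensions and ingresses grants every verb, including delete and deletecollection, to the manager. If the manager only needs to read and write its route-rule resources, list the verbs it actually uses (for example get, list, watch, create, update, delete) so the grant can be audited, and give "namespaces" in the core-group rule its own entry with only the read verbs the manager needs rather than sharing a wildcard with configmaps, endpoints, pods and services.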
Are you letting the manager listen on all namespaces? Otherwise the manager doesn't need access to namespace objects.
The problem I hit without adding "namespaces" was that istioctl requests would fail because the manager was trying to list namespaces and this was failing due to rbac.
istioctl create -f samples/apps/bookinfo/route-rule-all-v1.yaml
Error: an error on the server ("namespace \"istio\" not present") has prevented the request from succeeding
2017-05-15T18:23:14.640098266Z I0515 18:23:14.639846 1 config.go:41] Parsed route-rule productpage-default into istio.proxy.v1.config.RouteRule destination:"productpage.istio.svc.cluster.local" precedence:1 route:<tags:<key:"version" value:"v1" > >
2017-05-15T18:23:14.640140163Z I0515 18:23:14.639899 1 handler.go:78] Adding config to Istio registry: key istio/route-rule-productpage-default, config &{Type:route-rule Name:productpage-default Spec:map[route:[map[tags:map[version:v1]]] destination:productpage.istio.svc.cluster.local precedence:1] ParsedSpec:destination:"productpage.istio.svc.cluster.local" precedence:1 route:<tags:<key:"version" value:"v1" > > }
2017-05-15T18:23:14.642366289Z W0515 18:23:14.642132 1 handler.go:205] namespace "istio" not present
I've signed the CLA.

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for the commit author(s). If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
jenkins rebuild istio/presubmit

Updated the PR to include the "update" verb for the istio-ca ClusterRole for "secrets" based on failures that I was seeing in the istio-ca pod. I also refined the "istio-manager" role to only have "get" and "list" access on "namespaces"
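The thread above turns on two RBAC details: why the manager's `list namespaces` call failed until "namespaces" was added to the ClusterRole, and why narrowing that entry to get/list is enough. The following is an added example, not code from the PR or from istio: a small model of the Kubernetes RBAC authorizer (additive rules, `*` wildcards, and the rule that a RoleBinding only applies to requests carrying its namespace). The rules are constructed from the core-group excerpt shown above; the verbs on that core-group rule are not visible in the excerpt, so `"*"` there is an assumption, and the function names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One PolicyRule from a (Cluster)Role: apiGroups / resources / verbs."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]


@dataclass
class Binding:
    """Rules bound to a subject. namespace=None models a ClusterRoleBinding;
    a string models a RoleBinding living in that namespace."""
    rules: List[Rule]
    namespace: Optional[str] = None


@dataclass
class Request:
    """Attributes the authorizer sees: verb, API group, resource, and the
    namespace of the request (None for a cluster-wide list)."""
    verb: str
    api_group: str
    resource: str
    namespace: Optional[str] = None


def _matches(wanted: str, allowed: List[str]) -> bool:
    # "*" in a rule matches anything; otherwise an exact string match.
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    return (_matches(req.api_group, rule.api_groups)
            and _matches(req.resource, rule.resources)
            and _matches(req.verb, rule.verbs))


def binding_allows(binding: Binding, req: Request) -> bool:
    # A RoleBinding only applies to requests inside its own namespace, so a
    # namespace-less request (listing all namespaces) can never match it.
    if binding.namespace is not None and req.namespace != binding.namespace:
        return False
    return any(rule_allows(r, req) for r in binding.rules)


def is_allowed(bindings: List[Binding], req: Request) -> bool:
    # RBAC is purely additive: any matching rule in any applicable binding
    # allows the request, and no rule can deny it.
    return any(binding_allows(b, req) for b in bindings)


# Constructed rules for the core-group part of the istio-manager ClusterRole.
# The verbs of that rule are not shown in the diff excerpt; "*" is assumed.
CORE_WITHOUT_NAMESPACES = Rule([""], ["configmaps", "endpoints", "pods", "services"], ["*"])
CORE_WITH_NAMESPACES = Rule([""], ["configmaps", "endpoints", "pods", "services", "namespaces"], ["*"])
# Refined variant matching the follow-up comment: namespaces get only get/list.
CORE_REFINED = [
    Rule([""], ["configmaps", "endpoints", "pods", "services"], ["*"]),
    Rule([""], ["namespaces"], ["get", "list"]),
]

# The request the manager issued while handling istioctl's route-rule create.
LIST_NAMESPACES = Request("list", "", "namespaces")


def manager_can_list_namespaces(rules: List[Rule], namespace: Optional[str] = None) -> bool:
    """True if binding `rules` (ClusterRoleBinding when namespace is None,
    RoleBinding in `namespace` otherwise) lets the manager list namespaces."""
    return is_allowed([Binding(rules, namespace)], LIST_NAMESPACES)


def refined_rules_allow(verb: str) -> bool:
    """What the refined ClusterRole permits on namespaces for a given verb."""
    return is_allowed([Binding(CORE_REFINED)], Request(verb, "", "namespaces"))


if __name__ == "__main__":
    print("original rule, ClusterRoleBinding:", manager_can_list_namespaces([CORE_WITHOUT_NAMESPACES]))
    print("with namespaces, ClusterRoleBinding:", manager_can_list_namespaces([CORE_WITH_NAMESPACES]))
    print("with namespaces, RoleBinding in istio:", manager_can_list_namespaces([CORE_WITH_NAMESPACES], "istio"))
    for verb in ("get", "list", "delete"):
        print(f"refined rule, {verb} namespaces:", refined_rules_allow(verb))
```

Run stand-alone it reproduces the thread: the original rule denies the namespace list (the "namespace not present" failure), adding "namespaces" allows it only through a ClusterRoleBinding (a RoleBinding in the istio namespace still denies it, since the list carries no namespace), and the refined rule allows get and list on namespaces while denying delete.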
* Updated v1alpha to use fine grain RBAC rules * updated alpha rbac to add update support to istio-ca * Improve rbac for istio-ca and istio-manager Former-commit-id: 736157a
Signed-off-by: clyang82 <clyang@cn.ibm.com>
* use values proto * Fix more fields * Fix some more fields, adds todo * Add more fields * Add more fields * Address comments * Try to fix enum issue * Use golang protobuf * Address lint issue * Update golden files * Address review comment * rebase * Address new comments * Rebase
* MAISTRA-1475: Don't use pre-compiled WASM extensions We are not going to use them for 2.1, because they are built on x86 architecture, hence they will not work on other arches. So, let's use normal, arch-independent wasm files. * make gen
…ter-merge_upstream_istio_master-6253864e Automator: merge upstream changes to openshift-service-mesh/istio@master
This is the fix for issue #217.
Note, I had to add the "namespaces" resource type to the istio-manager ClusterRole. I'm guessing that the istio-rbac-beta.yaml has the same issue.