Open surajssd opened 3 months ago
If there isn't enough demand for istioctl, then we will remove istio from the CloudShell in another two weeks.
Following along with few more vuln are detected by trivy scanner over multiple scans on base image related to istio
1. ClusterRole 'istiod-clusterrole-' shouldn't have access to manage resource 'secrets'
2. ClusterRole 'istiod-clusterrole-' shouldn't manage all resource
3. ClusterRole 'istiod-clusterrole-' should not have access to resources ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]
4. ClusterRole 'istio-reader-clusterrole-' shouldn't have access to manage resource 'secrets'
5. ClusterRole 'istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}' shouldn't have access to manage resource 'secrets'
6. ClusterRole 'istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"]
@kartikjoshi21 We are using istioctl command for istio debugging. Kindly do not remove it. :)
@shahriaak is it just istioctl or there is more that you use in there? We would like to learn more about your use case.
We are currently using istioctl from time to time in cloudshell to debug istio related issues that come up in AKS clusters that are using the mesh addon. We would like to keep it there for ease of debugging, however if there is a route to easily install it in a fresh cloudshell session then it's not necessarily mandatory to keep around.
My team is Microsoft 1P, so feel free to reach out to learn more about our use case @surajssd.
I see that Istio is installed using the official release from Github. Is the whole release needed or is it just the
istioctl
binary that's needed?