Azure / CloudShell

Container Image for Azure Cloud Shell (https://azure.microsoft.com/en-us/features/cloud-shell/)
https://shell.azure.com
MIT License

[Image Update] Istioctl or the whole istio release package? #462

Open surajssd opened 2 months ago

surajssd commented 2 months ago

I see that Istio is installed using the official release from GitHub. Is the whole release needed, or is it just the istioctl binary that's needed?

surajssd commented 2 months ago

If there isn't enough demand for istioctl, then we will remove istio from the CloudShell in another two weeks.

kartikjoshi21 commented 2 months ago

Following along: a few more vulnerabilities were detected by the Trivy scanner over multiple scans of the base image, related to Istio:

1. ClusterRole 'istiod-clusterrole-' shouldn't have access to manage resource 'secrets'
2. ClusterRole 'istiod-clusterrole-' shouldn't manage all resources
3. ClusterRole 'istiod-clusterrole-' should not have access to resources ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]
4. ClusterRole 'istio-reader-clusterrole-' shouldn't have access to manage resource 'secrets'
5. ClusterRole 'istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}' shouldn't have access to manage resource 'secrets'
6. ClusterRole 'istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"]

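
The six findings above all come down to four RBAC patterns: any access to Secrets, a wildcard `*` resource, write access to admission webhook configurations (which lets the holder intercept or rewrite every admission request), and write access to Roles/RoleBindings (which lets the holder grant itself further rights). The script below is an added example, not code from this repository, Istio or Trivy: it re-implements those four checks in plain Python over the JSON that `kubectl get clusterrole <name> -o json` returns, so the same logic can be run against any ClusterRole without the scanner. The two sample roles are constructed for the example and only resemble the shape of the flagged manifests; the exact verb sets Trivy uses for each of its rules are not reproduced here.

```python
import json

# Verbs that change state or let a subject act as someone else. Read verbs
# (get/list/watch) are deliberately not in this set; the Secrets check below
# treats them as a finding on its own, since reading a Secret is enough to
# obtain the credential it holds.
MANAGE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "impersonate", "*"}

# Resources whose write access hands the holder control over the whole cluster.
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def audit_clusterrole(role: dict) -> list[str]:
    """Return one finding string per over-broad rule in a decoded ClusterRole.

    `role` is the parsed JSON of `kubectl get clusterrole <name> -o json`.
    An empty list means none of the four patterns matched.
    """
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        manage_verbs = verbs & MANAGE_VERBS
        where = f"{name} rule[{idx}]"

        # A wildcard resource applies the rule to every resource in the listed API groups.
        if "*" in resources:
            findings.append(f"{where}: manages all resources (verbs={sorted(verbs)})")

        # Any verb on Secrets exposes credentials, so read access is flagged too.
        if "secrets" in resources and verbs:
            findings.append(f"{where}: has access to secrets (verbs={sorted(verbs)})")

        # Writing webhook configurations lets the holder mutate or block every admission request.
        if resources & WEBHOOK_RESOURCES and manage_verbs:
            findings.append(f"{where}: can modify admission webhooks (verbs={sorted(manage_verbs)})")

        # Writing Roles/RoleBindings is a direct privilege-escalation path.
        if resources & RBAC_RESOURCES and manage_verbs:
            findings.append(f"{where}: can manage RBAC objects (verbs={sorted(manage_verbs)})")
    return findings


# Constructed sample: a controller role that trips all four checks once each.
# It mirrors the shape of the roles named in the scan output but is not Istio's manifest.
OVERPRIVILEGED_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-controller-clusterrole"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
     "verbs": ["create", "delete"]},
    {"apiGroups": ["example.io"], "resources": ["*"], "verbs": ["*"]}
  ]
}
""")

# Constructed sample: the same role with the Secrets rule dropped, the write verbs
# removed, and the wildcard replaced by the concrete resources the controller reads.
HARDENED_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-controller-clusterrole"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps", "services", "endpoints"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["example.io"], "resources": ["meshpolicies", "gateways"],
     "verbs": ["get", "list", "watch"]}
  ]
}
""")


if __name__ == "__main__":
    for role in (OVERPRIVILEGED_ROLE, HARDENED_ROLE):
        hits = audit_clusterrole(role)
        print(role["metadata"]["name"], "->", hits or "no findings")
```

Run it against a live cluster by piping `kubectl get clusterrole istiod-clusterrole-<revision> -o json` into `json.load` and calling `audit_clusterrole` on the result; a role that needs write access to webhooks or Secrets should be bound only to the controller's own ServiceAccount, never to anything reachable from a Cloud Shell session.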
shahriaak commented 1 month ago

@kartikjoshi21 We are using istioctl command for istio debugging. Kindly do not remove it. :)

surajssd commented 1 month ago

@shahriaak is it just istioctl, or is there more that you use in there? We would like to learn more about your use case.

GabrielAlacchi commented 1 week ago

We are currently using istioctl from time to time in Cloud Shell to debug Istio-related issues that come up in AKS clusters that are using the mesh add-on. We would like to keep it there for ease of debugging; however, if there is a route to easily install it in a fresh Cloud Shell session, then it's not necessarily mandatory to keep around.

My team is Microsoft 1P, so feel free to reach out to learn more about our use case @surajssd.