Open jacekszlachtass opened 2 years ago
As of now, the code assumes that the service account is always mounted at "/var/run/secrets/kubernetes.io". This should not be a hard requirement though. We incorrectly use the "ca.crt" in the above directory to TLS authenticate the Istiod control plane. Looking into fixing this...
Hi @shankgan any updates on this? We hit the same issue on Anthos Service Mesh 1.13.7.
Anyone else running into this, you might need to set:
```
kubectl annotate --overwrite namespace default \
  mesh.cloud.google.com/proxy='{"managed":"true"}'
```
According to this issue https://github.com/istio/istio/issues/22193 pods with "automountServiceAccountToken: false" should work if JWT policy is third-party-jwt and the cluster supports third party tokens:
Changing to "automountServiceAccountToken: true" fixes the issue.
Any idea why it is not working with "automountServiceAccountToken: false"?