Closed mjnagel closed 3 years ago
When monitorIstio: true is enabled the defenders fail to deploy.
monitorIstio: true
All documented options for the defenders should be supported and work out of the box.
When you deploy with monitorIstio: true the defenders fail to create, with the operator spitting out RBAC errors for:
{APIGroups:[""], Resources:["endpoints"], Verbs:["list"]} {APIGroups:[""], Resources:["pods"], Verbs:["list"]} {APIGroups:[""], Resources:["pods/proxy"], Verbs:["get"]} {APIGroups:["networking.istio.io"], Resources:["destinationrules"], Verbs:["list"]} {APIGroups:["networking.istio.io"], Resources:["gateways"], Verbs:["list"]} {APIGroups:["networking.istio.io"], Resources:["virtualservices"], Verbs:["list"]} {APIGroups:["security.istio.io"], Resources:["authorizationpolicies"], Verbs:["list"]} {APIGroups:["security.istio.io"], Resources:["peerauthentications"], Verbs:["list"]}
Add the above to the role/clusterrole for the operator.
ConsoleDefender
monitorIstio
Unsure if any of the other options would cause similar RBAC problems, but might be worth investigating.
Describe the bug
When
monitorIstio: trueis enabled the defenders fail to deploy.Expected behavior
All documented options for the defenders should be supported and work out of the box.
Current behavior
When you deploy with
monitorIstio: truethe defenders fail to create, with the operator spitting out RBAC errors for:Possible solution
Add the above to the role/clusterrole for the operator.
Steps to reproduce
ConsoleDefenderwithmonitorIstioset to trueAdditional Info
Unsure if any of the other options would cause similar RBAC problems, but might be worth investigating.