istio / old_issues_repo

Deprecated issue-tracking repo, please post new issues or feature requests to istio/istio instead.

Istio Configuration with in Kubernetes Namespace #225

Open Ravibabu-Nannuri opened 6 years ago

Ravibabu-Nannuri commented 6 years ago

Dear Istio Team,

Does Istio always need to be configured at the cluster level in Kubernetes?

Can we do it at the namespace level too, within a cluster?

To configure Istio at namespace level, we modified all the "ClusterRole" to "Role", "ClusterRoleBinding" to "RoleBinding" in istio-digitalarch.yaml file.

Is this a BUG or FEATURE REQUEST?: BUG

Bug: Y

Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?: Y

What happened:

We are getting the below issue.

Istio Pilot log snippet:

failed to create discovery service: failed to register custom resources. customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:digital-system:istio-pilot-service-account" cannot create customresourcedefinitions.apiextensions.k8s.io at the cluster scope


What you expected to happen:

Ability to configure istio at the namespace level

How to reproduce it:

Try to configure Istio at the namespace level by using istio-digitalarch.yaml

What version of Istio and Kubernetes are you using, where did you get Istio from, installation details:

Kubectl version: Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T12:22:21Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

istioctl version: 0.5.0

douglas-reid commented 6 years ago

I don't believe that CRDs are namespaced.

From: https://kubernetes.io/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/#create-a-customresourcedefinition

CustomResourceDefinitions themselves are non-namespaced and are available to all namespaces.

Based on that understanding, I believe perms are needed to allow cluster scope access for CRDs.
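To illustrate the point made above, here is an added example (not from the issue or from the Istio manifests) of the smallest cluster-scoped grant that addresses the quoted Pilot error while leaving everything else as the namespaced Role/RoleBinding the reporter converted the manifest to. The ClusterRole name is assumed; the service account name and namespace come from the error message, and it is assumed that CRD registration is the only permission this error requires (Pilot may need further cluster-wide read access that is not covered here).

```yaml
# Added example, not from the issue or the Istio project.
# CustomResourceDefinitions are cluster-scoped, so the permission to create
# them cannot be granted by a namespaced Role. Grant only that, at cluster
# scope, and keep the rest of Pilot's permissions in the namespaced Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-pilot-crd-registrar   # assumed name
rules:
  # Resource and API group exactly as named in the Pilot log line.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["create", "get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-crd-registrar   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-crd-registrar
subjects:
  # Service account and namespace taken from the error message in the issue.
  - kind: ServiceAccount
    name: istio-pilot-service-account
    namespace: digital-system
```

After applying it, `kubectl auth can-i create customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:digital-system:istio-pilot-service-account` should answer `yes`, while the same check against namespaced resources in other namespaces should still answer `no`.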