istio / old_issues_repo

Deprecated issue-tracking repo, please post new issues or feature requests to istio/istio instead.

installing istio on GKE fails on authorization #289

Open RickVM opened 6 years ago

RickVM commented 6 years ago

Bug: What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details

istioctl version 0.7.1
kubectl Client version: 1.8.6 
Kubectl Server version: 1.9.6-gke.1

Is Istio Auth enabled or not? I am trying to install Istio Auth.

What happened: running: kubectl apply -f install/kubernetes/istio-auth.yaml installs and configures some files and then returns the following multiple times:

Error from server (Forbidden): error when creating "install/kubernetes/istio-auth.yaml": clusterroles.rbac.authorization.k8s.io "istio-pilot-istio-system" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["*"], APIGroups:["config.istio.io"], Verbs:["*"]} PolicyRule{Resources:["*"], APIGroups:["networking.istio.io"], Verbs:["*"]} PolicyRule{Resources:["*"], APIGroups:["authentication.istio.io"], Verbs:["*"]} PolicyRule{Resources:["customresourcedefinitions"], APIGroups:["apiextensions.k8s.io"], Verbs:["*"]} PolicyRule{Resources:["thirdpartyresources"], APIGroups:["extensions"], Verbs:["*"]} PolicyRule{Resources:["thirdpartyresources.extensions"], APIGroups:["extensions"], Verbs:["*"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["*"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["*"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["validatingwebhookconfigurations"], APIGroups:["admissionregistration.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["validatingwebhookconfigurations"], APIGroups:["admissionregistration.k8s.io"], Verbs:["update"]} PolicyRule{Resources:["validatingwebhookconfigurations"], APIGroups:["admissionregistration.k8s.io"], Verbs:["delete"]}] user=&{VanmelisRick@gmail.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating "install/kubernetes/istio-auth.yaml": clusterroles.rbac.authorization.k8s.io "istio-sidecar-injector-istio-system" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["get"]} PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["watch"]}] user=&{VanmelisRick@gmail.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

What you expected to happen: The command to complete and return:

namespace "istio-system" configured
clusterrole "istio-pilot-istio-system" created
/* ... */
serviceaccount "istio-ca-service-account" created
deployment "istio-ca" created

How to reproduce it: Deploy a cluster on Google Cloud europe-west-4b and then follow the steps from: https://codelabs.developers.google.com/codelabs/cloud-hello-istio/index.html?index=..%2F..%2Findex#3 trying either version 0.7.1 or 0.5.1.

Additional info: I followed the steps and created a clusterrolebinding with the following command:

    kubectl create clusterrolebinding cluster-admin-binding \
        --clusterrole=cluster-admin \
        --user=$(gcloud config get-value core/account)

Which returned successfully.

After the installation command failed I tried to make a binding again, because perhaps something failed.
This results in: Error from server (AlreadyExists): clusterrolebindings.rbac.authorization.k8s.io "cluster-admin-binding" already exists

Running kubectl get clusterrolebindings cluster-admin-binding -o yaml returns:

kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-04-16T14:07:46Z
  name: cluster-admin-binding
  resourceVersion: "1959"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 8a25116d-417f-11e8-9352-42010aa4002a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: myaccountname@gmail.com

I deployed the bookinfo sample once through deployment manager and now I'm trying to do so on a new cluster through the console whilst manually installing with the provided guide. I also tried Istio version 0.5.1, resulting in the same. I'm not sure what's wrong. Using the Google GUI in IAM I see my account with the role kubernetes-engine admin.

jonomacd commented 6 years ago

I think I have run into this as well. I did the exact same steps as @RickVM and it fails in the same way.

kkallday commented 6 years ago

I am also running into this issue with the same steps above.

kkallday commented 6 years ago

Creating a clusterrolebinding with this command unblocked me:

kubectl create clusterrolebinding cluster-admin-binding \
 --clusterrole=cluster-admin \
 --user=$(gcloud config get-value core/account)

(from https://meteatamel.wordpress.com/2018/06/07/istio-101-0-8-0-on-gke/)
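
A diagnostic for the Forbidden error in the opening post and the clusterrolebinding command used in this thread, as an added example that is not part of the thread: the `user=&{...}` field of the error is the identity the API server authenticated, and a ClusterRoleBinding grants it nothing unless a `User` subject equals that string exactly (RBAC subject names are case-sensitive). The function names and the sample error and binding below are constructed for illustration.

```shell
# Added example: SAMPLE_ERROR and SAMPLE_BINDING are constructed, not taken from a cluster.
SAMPLE_ERROR='Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io "example-role" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:["*"], Verbs:["get"]}] user=&{Jane.Doe@example.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[] ruleResolutionErrors=[]'
SAMPLE_BINDING='kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jane.doe@example.com'

# Identity the API server authenticated, read from "user=&{NAME  [groups] ...}".
api_user_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*user=&{\([^ ]*\) .*/\1/p' | head -n 1
}

# Names of "kind: User" subjects in ClusterRoleBinding YAML (kubectl get ... -o yaml).
# The first awk rule drops a leading YAML list dash so "- kind: User" also parses.
binding_users() {
  printf '%s\n' "$1" | awk '
    { sub(/^ *- +/, "") }
    $1 == "kind:"            { is_user = ($2 == "User"); next }
    $1 == "name:" && is_user { print $2; is_user = 0 }'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Prints match, case-mismatch or no-match for one API user against the subjects.
classify_binding() {
  cb_user=$1; shift
  cb_result="no-match"
  for cb_subject in "$@"; do
    if [ "$cb_subject" = "$cb_user" ]; then echo "match"; return 0; fi
    if [ "$(lower "$cb_subject")" = "$(lower "$cb_user")" ]; then cb_result="case-mismatch"; fi
  done
  echo "$cb_result"
}

# Combine the two inputs: error text first, binding YAML second.
diagnose() {
  classify_binding "$(api_user_from_error "$1")" $(binding_users "$2")
}

diagnose "$SAMPLE_ERROR" "$SAMPLE_BINDING"   # prints: case-mismatch
```

Against a live cluster, pass the saved Forbidden error text as the first argument and the output of `kubectl get clusterrolebindings cluster-admin-binding -o yaml` as the second.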