istio / old_issues_repo

Deprecated issue-tracking repo, please post new issues or feature requests to istio/istio instead.

Egress rule to google.com according to documentation not working with istio-RBAC enabled. #358

Closed arshchimni closed 6 years ago

arshchimni commented 6 years ago

Is this a BUG or FEATURE REQUEST?: BUG

Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?: Yes

Bug: Y

What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details

istioctl version 0.7.1
kubectl version 1.9.6

Is Istio Auth enabled or not ? Did you install the stable istio.yaml, istio-auth.yaml.... or if using the Helm chart please provide full command line input.

YES, applied both istio.yaml and istio-auth.yaml

What happened: The clusters are provisioned on GKE and I have istio-rbac and mTLS enabled.

When I apply the egress rule according to the documentation to connect to google.com over HTTPS, I consistently get 403 from the Envoy proxy which states PERMISSION_DENIED:rbac-handler.rbac.istio-system:RBAC

Following is the response I receive from curl:

# curl -vv  http://www.google.com:443
* Rebuilt URL to: http://www.google.com:443/
*   Trying 108.177.112.104...
* TCP_NODELAY set
* Connected to www.google.com (108.177.112.104) port 443 (#0)
> GET / HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< content-length: 73
< content-type: text/plain
< date: Fri, 25 May 2018 10:18:11 GMT
< server: envoy
<
* Connection #0 to host www.google.com left intact
PERMISSION_DENIED:rbac-handler.rbac.istio-system:RBAC

Following is the egress rule applied:

apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: google-egress-rule
  namespace: default
spec:
  destination:
    service: www.google.com
  ports:
    - port: 443
      protocol: https

Tried ExternalService in v1alpha3, that also did not work. (https://istio.io/docs/tasks/traffic-management-v1alpha3/egress-tcp.html)

What you expected to happen:

I should be able to communicate with google.com over HTTPS

How to reproduce it: Enable istio RBAC and apply the egress rule.

Feature Request: N

arshchimni commented 6 years ago

I found the solution. If someone else is stuck, you have to make a service role and role binding.

cat <<EOF | kubectl apply -f -
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRole
metadata:
  name: google-egress-service-role
spec:
  rules:
  - services: ["google-egress-rule.default.cluster.local"]
    methods: ["*"]
EOF

cat <<EOF | kubectl apply -f -
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: binding-google-egress-allusers
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "google-egress-service-role"
EOF
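As an added example (not code from the issue, and not Istio's own RBAC evaluator, which runs in Mixer's rbac adapter), the script below models why the EgressRule alone produced the 403 and why the ServiceRole plus ServiceRoleBinding fixed it. It assumes, from the service name used in the ServiceRole above, that RBAC sees an EgressRule's traffic as the in-mesh service `<rule name>.<namespace>.cluster.local`; it simplifies Istio's matching to exact, `*`, prefix and suffix patterns and compares binding subjects on the `user` field only. The manifests are constructed for the example, in the dict form `json.loads` would produce from `kubectl get ... -o json`, and the caller principals `sleep` and `other` are hypothetical service accounts.

```python
"""Added example: does an Istio 0.7 EgressRule admit traffic under Istio RBAC?
Manifests below are constructed for the example (dicts as json.loads would
produce from `kubectl get ... -o json`), not taken from a real cluster."""

RBAC_DOMAIN = "cluster.local"


def egress_rbac_service_name(egress_rule: dict) -> str:
    """Name under which RBAC sees an EgressRule's traffic. Assumption, taken
    from the issue's ServiceRole: <rule name>.<namespace>.cluster.local."""
    meta = egress_rule["metadata"]
    return f"{meta['name']}.{meta.get('namespace', 'default')}.{RBAC_DOMAIN}"


def pattern_matches(pattern: str, value: str) -> bool:
    """ServiceRole list entries: exact, '*', prefix 'svc*' or suffix '*.ns.cluster.local'."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def roles_granting(service: str, method: str, roles: list) -> list:
    """Names of ServiceRoles with at least one rule covering service and method."""
    names = []
    for role in roles:
        for rule in role["spec"].get("rules", []):
            svc_ok = any(pattern_matches(p, service) for p in rule.get("services", []))
            method_ok = any(pattern_matches(p, method) for p in rule.get("methods", []))
            if svc_ok and method_ok:
                names.append(role["metadata"]["name"])
                break
    return names


def egress_allowed(egress_rule: dict, roles: list, bindings: list,
                   caller: str, method: str = "GET") -> dict:
    """Decision for one caller (its source principal) against the given RBAC objects."""
    service = egress_rbac_service_name(egress_rule)
    granting = roles_granting(service, method, roles)
    matched = []
    for binding in bindings:
        ref = binding["spec"].get("roleRef", {})
        if ref.get("kind") != "ServiceRole" or ref.get("name") not in granting:
            continue
        subjects = binding["spec"].get("subjects", [])
        if any(s.get("user") in ("*", caller) for s in subjects):
            matched.append(binding["metadata"]["name"])
    return {"service": service, "roles": granting, "bindings": matched,
            "allowed": bool(matched)}


# Constructed manifests: the EgressRule from the issue, the ServiceRole and
# all-users binding from the fix, plus a binding scoped to a single caller.
EGRESS_RULE = {
    "apiVersion": "config.istio.io/v1alpha2", "kind": "EgressRule",
    "metadata": {"name": "google-egress-rule", "namespace": "default"},
    "spec": {"destination": {"service": "www.google.com"},
             "ports": [{"port": 443, "protocol": "https"}]},
}
SERVICE_ROLE = {
    "apiVersion": "config.istio.io/v1alpha2", "kind": "ServiceRole",
    "metadata": {"name": "google-egress-service-role", "namespace": "default"},
    "spec": {"rules": [{"services": ["google-egress-rule.default.cluster.local"],
                        "methods": ["*"]}]},
}
BINDING_ALL_USERS = {
    "apiVersion": "config.istio.io/v1alpha2", "kind": "ServiceRoleBinding",
    "metadata": {"name": "binding-google-egress-allusers", "namespace": "default"},
    "spec": {"subjects": [{"user": "*"}],
             "roleRef": {"kind": "ServiceRole", "name": "google-egress-service-role"}},
}
# Hypothetical caller identities (service-account principals), for the example only.
SLEEP_SA = "cluster.local/ns/default/sa/sleep"
OTHER_SA = "cluster.local/ns/default/sa/other"
BINDING_SLEEP_ONLY = {
    "apiVersion": "config.istio.io/v1alpha2", "kind": "ServiceRoleBinding",
    "metadata": {"name": "binding-google-egress-sleep", "namespace": "default"},
    "spec": {"subjects": [{"user": SLEEP_SA}],
             "roleRef": {"kind": "ServiceRole", "name": "google-egress-service-role"}},
}

if __name__ == "__main__":
    # Before the fix: rule present, no RBAC objects -> denied (the 403 in the issue).
    print(egress_allowed(EGRESS_RULE, [], [], SLEEP_SA))
    # After the fix from the issue: every caller in the mesh is allowed.
    print(egress_allowed(EGRESS_RULE, [SERVICE_ROLE], [BINDING_ALL_USERS], OTHER_SA))
    # Scoped binding: only the named service account gets egress to google.com.
    print(egress_allowed(EGRESS_RULE, [SERVICE_ROLE], [BINDING_SLEEP_ONLY], OTHER_SA))
```

The first call reproduces the issue's state: the EgressRule is in place but no role grants its RBAC service name, so the decision is deny. The second reproduces the fix, whose `user: "*"` subject grants egress to every workload in the mesh. The third shows the same role bound only to one service-account principal, which is the shape to prefer when only one workload needs the external route.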