Is Istio Auth enabled or not?
Vanilla cluster from GCP jinja template, with all boxes checked.
What happened:
Created a new cluster via the jinja template. Tried to run my own container, from GCR, in the same project.
What you expected to happen:
My container should have started. Following the tutorial comes to a bit of a rude end, if you can't try adding your own stuff to it to see how it plays together. Considering how hard it is to upgrade node pool permissions after the fact, I'd suggest either adding the permission to the template, or clearly saying that the bookinfo example cannot be extended with custom, non-public images.
How to reproduce it:
On GCP, create a cluster from the template, then try to start a private image from GCR.
I spent a couple of hours digging around on this one. I believe the problem is the service account created in the template isn't given the necessary scope to pull from GCR. https://www.googleapis.com/auth/devstorage.read_only is required. When creating clusters from the cmd line or the UI, this permission is normally given.
Is this a BUG or FEATURE REQUEST?:
Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?: Y
Bug: Y
What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details: Created from https://raw.githubusercontent.com/istio/istio/master/install/gcp/deployment_manager/istio-cluster.jinja
Feature Request: N
Describe the feature:
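
A check for the condition the report describes, added here as an example and not part of the original issue or the Istio template: it reads a cluster document in the shape printed by `gcloud container clusters describe <cluster> --format=json` and lists node pools whose OAuth scopes cannot read the Cloud Storage bucket behind GCR. The sample document and pool names are constructed, and the set of broader scopes accepted alongside `devstorage.read_only` goes beyond the single scope named in the report.

```python
import json

PREFIX = "https://www.googleapis.com/auth/"
# devstorage.read_only is the scope named in the report. The other three are
# broader Google OAuth scopes that also cover reading Cloud Storage objects.
PULL_SCOPES = {PREFIX + s for s in (
    "devstorage.read_only", "devstorage.read_write",
    "devstorage.full_control", "cloud-platform")}

def pools_missing_pull_scope(cluster):
    """Return [(pool name, service account)] for pools that cannot read GCR."""
    missing = []
    for pool in cluster.get("nodePools", []):
        cfg = pool.get("config", {})
        scopes = {s.rstrip("/") for s in cfg.get("oauthScopes", [])}
        if not scopes & PULL_SCOPES:
            missing.append((pool.get("name", "<unnamed>"),
                            cfg.get("serviceAccount", "default")))
    return missing

# Constructed sample in the shape of the GKE cluster resource (not real output).
SAMPLE = json.loads("""
{
  "name": "example-cluster",
  "nodePools": [
    {"name": "template-pool",
     "config": {"serviceAccount": "default",
                "oauthScopes": [
                  "https://www.googleapis.com/auth/compute",
                  "https://www.googleapis.com/auth/logging.write",
                  "https://www.googleapis.com/auth/monitoring"]}},
    {"name": "cli-pool",
     "config": {"serviceAccount": "default",
                "oauthScopes": [
                  "https://www.googleapis.com/auth/devstorage.read_only",
                  "https://www.googleapis.com/auth/logging.write"]}}
  ]
}
""")

if __name__ == "__main__":
    for name, sa in pools_missing_pull_scope(SAMPLE):
        print(f"{name}: service account {sa!r} has no scope that can read GCR")
```

A pool that passes this check still needs its service account to hold IAM read permission on the registry's storage bucket; the scope only caps what the node credentials may request.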