istio / old_issues_repo

Deprecated issue-tracking repo, please post new issues or feature requests to istio/istio instead.

Deploying with rbac disabled causes pilot to never deploy #386

Closed m1o1 closed 6 years ago

m1o1 commented 6 years ago

Is this a BUG or FEATURE REQUEST?: BUG

Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?: Y

Bug: Y/N

What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details

istioctl version
(not using istioctl binary)
kubectl version --client --short
Client Version: v1.9.2

Is Istio Auth enabled or not? Did you install the stable istio.yaml, istio-auth.yaml.... or if using the Helm chart please provide full command line input:

helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.rbacEnabled=false

What happened: On both Minikube and on AKS, the pilot pod is in ContainerCreating status perpetually.

Doing kubectl describe ${PILOT_POD}, I see the last two entries are:

Warning  FailedMount            14m (x23 over 45m)  kubelet, aks-agentpool-22784792-1  MountVolume.SetUp failed for volume "istio-certs" : secrets "istio.istio-pilot-service-account" not found
Warning  FailedMount            12s (x20 over 43m)  kubelet, aks-agentpool-22784792-1  Unable to mount volumes for pod "istio-pilot-556cf655c9-wdqsk_istio-system(db521473-6b3d-11e8-bed7-0649e3aaad46)": timeout expired waiting for volumes to attach/mount for pod "istio-system"/"istio-pilot-556cf655c9-wdqsk". list of unattached/unmounted volumes=[istio-certs]

This causes a helm install to time out (waiting forever for the pilot to be ready).

What you expected to happen: I expect all Istio components to be running after running the helm install command above (with RBAC disabled) on AKS and minikube.

It seems it's trying to mount a service account as a secret, which doesn't really make sense to me. It can be seen in the pilot's Deployment yaml file:

volumes:
- name: config-volume
  configMap:
    name: istio
- name: istio-certs
  secret:
    secretName: "istio.istio-pilot-service-account"

The Pilot's service account is wrapped in a check for rbacEnabled, so it will never be created.

{{- if .Values.global.rbacEnabled }}
apiVersion: v1
kind: ServiceAccount
...
metadata:
  name: istio-pilot-service-account
  namespace: {{ .Release.Namespace }}
...
{{- end }}

How to reproduce it: Start minikube with:

minikube start \
     --vm-driver="hyperv" \
     --hyperv-virtual-switch="Ethernet Virtual Switch" \
     --memory 4096 \
     --extra-config=controller-manager.ClusterSigningCertFile="/var/lib/localkube/certs/ca.crt" \
     --extra-config=controller-manager.ClusterSigningKeyFile="/var/lib/localkube/certs/ca.key" \
     --extra-config=apiserver.Admission.PluginNames=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
     --kubernetes-version=v1.9.4

Then run the helm install command from the Istio 0.8.0 release folder:

helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.rbacEnabled=false
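The failure above is a dangling reference: the Pilot Deployment mounts a Secret that only comes into existence once Citadel sees the matching ServiceAccount, and that ServiceAccount is gated on rbacEnabled. The preflight check below is an added example, not Istio's own code or anything from the chart: it walks a set of rendered manifests and reports every Secret volume (and serviceAccountName) with no source in the bundle. The manifests are constructed to mimic the relevant subset of the 0.8.0 chart with rbacEnabled true and false; in practice you would feed it the documents from `yaml.safe_load_all` over `helm template` output (PyYAML assumed, not imported here so the block runs stand-alone). It assumes the Citadel naming convention visible in the issue, a Secret called `istio.<serviceaccount>` issued per ServiceAccount, and treats the `default` ServiceAccount as always present.

```python
"""Preflight: every Secret volume a workload mounts must have a source.

Added example, not Istio code. render_istio_subset() is a constructed stand-in
for `helm template install/kubernetes/helm/istio --set global.rbacEnabled=...`
rendered for Istio 0.8.0; replace it with yaml.safe_load_all(helm_output).
"""
from typing import Dict, Iterable, List, Tuple

# Assumption: Citadel issues a Secret named "istio.<serviceaccount>" for every
# ServiceAccount it observes, so such a Secret is satisfied by the account.
CITADEL_SECRET_PREFIX = "istio."


def render_istio_subset(rbac_enabled: bool) -> List[Dict]:
    """Constructed manifests: the Pilot Deployment always mounts
    istio.istio-pilot-service-account, but the ServiceAccount is only
    emitted when rbacEnabled is true (mirrors the {{- if }} guard)."""
    docs = [
        {"apiVersion": "v1", "kind": "ConfigMap",
         "metadata": {"name": "istio", "namespace": "istio-system"}},
        {"apiVersion": "extensions/v1beta1", "kind": "Deployment",
         "metadata": {"name": "istio-pilot", "namespace": "istio-system"},
         "spec": {"template": {"spec": {"volumes": [
             {"name": "config-volume", "configMap": {"name": "istio"}},
             {"name": "istio-certs",
              "secret": {"secretName": "istio.istio-pilot-service-account"}},
         ]}}}},
    ]
    if rbac_enabled:
        docs.append({"apiVersion": "v1", "kind": "ServiceAccount",
                     "metadata": {"name": "istio-pilot-service-account",
                                  "namespace": "istio-system"}})
    return docs


def _sa_exists(ns: str, name: str, sas: set) -> bool:
    # Every namespace gets a "default" ServiceAccount from the controller.
    return name == "default" or (ns, name) in sas


def find_dangling_refs(docs: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Return (workload, kind, name) for each reference with no source in docs."""
    secrets, sas, workloads = set(), set(), []
    for d in docs:
        meta = d.get("metadata", {})
        key = (meta.get("namespace", "default"), meta.get("name"))
        kind = d.get("kind")
        if kind == "Secret":
            secrets.add(key)
        elif kind == "ServiceAccount":
            sas.add(key)
        elif kind in ("Deployment", "StatefulSet", "DaemonSet"):
            workloads.append(d)

    problems: List[Tuple[str, str, str]] = []
    for w in workloads:
        ns = w["metadata"].get("namespace", "default")
        name = w["metadata"]["name"]
        pod = w["spec"]["template"]["spec"]
        sa = pod.get("serviceAccountName")
        if sa and not _sa_exists(ns, sa, sas):
            problems.append((name, "ServiceAccount", sa))
        for vol in pod.get("volumes", []):
            secret = vol.get("secret", {}).get("secretName")
            if not secret or (ns, secret) in secrets:
                continue
            if secret.startswith(CITADEL_SECRET_PREFIX) and _sa_exists(
                    ns, secret[len(CITADEL_SECRET_PREFIX):], sas):
                continue  # Citadel will mint it once the SA exists
            problems.append((name, "Secret", secret))
    return problems


if __name__ == "__main__":
    for rbac in (False, True):
        bad = find_dangling_refs(render_istio_subset(rbac))
        print(f"rbacEnabled={rbac}: {bad or 'all volume sources resolvable'}")
```

Run against the rbacEnabled=false rendering it flags istio-pilot's istio-certs volume, which is exactly what the kubelet reported above at mount time; with rbacEnabled=true the ServiceAccount is present and nothing is reported. The same walk catches a Deployment whose `serviceAccountName` points at a non-existent account, a related failure that the ServiceAccount admission plugin would otherwise surface only at pod creation.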

ymesika commented 6 years ago

Thanks. Fixed.