I'm building out an Istio-enabled RBAC AKS cluster. I have the cluster-admin role assigned to me, and I'm able to successfully deploy a minimal Istio service (Service/Deployment/Gateway/VirtualService) with no problems.
I need to give a team within my org access to AKS, so I created a namespace and assigned them the admin role on the namespace. Everything that is k8s native (kubectl get services --namespace team) works great. However, when they went to deploy the same minimal Istio service (Service/Deployment/Gateway/VirtualService) they got a host of errors similar to:
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "networking.istio.io/v1alpha3, Resource=gateways", GroupVersionKind: "networking.istio.io/v1alpha3, Kind=Gateway"
This makes sense, as I didn't bind the group to any istio roles. Once I granted them cluster-admin, it worked as expected.
The problem is, I don't know which istio roles to add. When I look at the roles that exist in the cluster after istio installation, I don't see any obvious role(s).
Roles I see:
What is the appropriate role(s) for users that need to operate on an Istio deployment (within a namespace)? Is it a combination of roles? Do I need a new role?
A Role with a rule like this should work:
{
  "apiGroups": ["istio.io"],
  "resources": ["*"],
  "verbs": ["*"]
}
If that doesn't work, you'd need to do something like this:
{
  "apiGroups": [
    "config.istio.io",
    "networking.istio.io",
    "rbac.istio.io",
    "authentication.istio.io"
  ],
  "resources": ["*"],
  "verbs": ["*"]
}
You could create a Role or ClusterRole and the corresponding RoleBindings or ClusterRoleBindings for your users.
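As an added worked example (not code from the question or the answer above), the script below builds the namespaced Role and RoleBinding the answer describes, using the four Istio API groups it lists, and then checks which requests those rules would permit with the same matching semantics Kubernetes RBAC applies: each of apiGroups, resources and verbs must match exactly, or the rule must carry a "*" wildcard. That exact matching is why the built-in admin role (which only knows core and aggregated groups) returned Forbidden for networking.istio.io Gateways, and why a rule naming only "istio.io" would not cover networking.istio.io either. The namespace "team", the group name "team-devs", the impersonated user "probe-user", the role name "istio-operator" and the simplified admin-like rule set are all constructed assumptions for illustration.

```python
# Added example: Role + RoleBinding for Istio CRDs in one namespace, plus a
# minimal model of Kubernetes RBAC rule matching. Not Istio's or Kubernetes' code.
import json

NAMESPACE = "team"          # assumed namespace from the question
TEAM_GROUP = "team-devs"    # assumed group subject (on AKS/AAD this is typically a group object id)
ROLE_NAME = "istio-operator"  # assumed role name

# Istio API groups named in the answer. RBAC matches apiGroups exactly, so a
# rule for "istio.io" does not cover "networking.istio.io".
ISTIO_API_GROUPS = [
    "config.istio.io",
    "networking.istio.io",
    "rbac.istio.io",
    "authentication.istio.io",
]

# Constructed, heavily simplified stand-in for the built-in "admin" role:
# it only grants core and apps resources, so Istio CRDs fall outside it.
K8S_NATIVE_ADMIN_RULES = [
    {"apiGroups": [""], "resources": ["services", "pods", "configmaps"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"], "verbs": ["*"]},
]


def istio_operator_role(namespace=NAMESPACE, name=ROLE_NAME):
    """Role granting full access to Istio CRDs inside a single namespace only."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [
            {"apiGroups": ISTIO_API_GROUPS, "resources": ["*"], "verbs": ["*"]},
        ],
    }


def istio_operator_binding(group=TEAM_GROUP, namespace=NAMESPACE, role_name=ROLE_NAME):
    """RoleBinding tying the namespaced Role to the team's group."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{role_name}-{group}", "namespace": namespace},
        "subjects": [
            {"kind": "Group", "name": group, "apiGroup": "rbac.authorization.k8s.io"}
        ],
        "roleRef": {"kind": "Role", "name": role_name, "apiGroup": "rbac.authorization.k8s.io"},
    }


def _field_matches(allowed, value):
    # A PolicyRule field matches on exact value or on the "*" wildcard.
    return "*" in allowed or value in allowed


def rules_allow(rules, api_group, resource, verb):
    """True if any PolicyRule permits <verb> on <resource> in <api_group>."""
    return any(
        _field_matches(rule.get("apiGroups", []), api_group)
        and _field_matches(rule.get("resources", []), resource)
        and _field_matches(rule.get("verbs", []), verb)
        for rule in rules
    )


def can_i_commands(group=TEAM_GROUP, namespace=NAMESPACE):
    """kubectl commands a cluster-admin can run to verify the binding by impersonating the group."""
    resources = ["gateways.networking.istio.io", "virtualservices.networking.istio.io"]
    return [
        f"kubectl auth can-i create {r} -n {namespace} --as=probe-user --as-group={group}"
        for r in resources
    ]


def manifests_json():
    """Both objects wrapped in a v1 List, ready for `kubectl apply -f -`."""
    return json.dumps(
        {"apiVersion": "v1", "kind": "List",
         "items": [istio_operator_role(), istio_operator_binding()]},
        indent=2,
    )


if __name__ == "__main__":
    print(manifests_json())
    for cmd in can_i_commands():
        print(cmd)
```

Pipe the printed JSON into `kubectl apply -f -` as cluster-admin, then run the printed `kubectl auth can-i` lines; a "yes" on both confirms the team group can create Istio objects in the namespace without any cluster-wide grant, which is the least-privilege alternative to handing out cluster-admin.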