I'm building out an istio enabled RBAC AKS cluster. I have the cluster-admin role assigned to me, and I'm able to successfully deploy a minimal istio service (Service/Deployment/Gateway/VirtualService) with no problems.
I need to give a team within my org access to AKS, so I created a namespace and assigned them admin role on the namespace. Everything that is k8s native (kubectl get services --namespace team) works great. However, when they went to deploy the same minimal istio service (Service/Deployment/Gateway/VirtualService) they got a host of errors similar to:
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "networking.istio.io/v1alpha3, Resource=gateways", GroupVersionKind: "networking.istio.io/v1alpha3, Kind=Gateway"
This makes sense, as I didn't bind the group to any istio roles. Once I granted them cluster-admin, it worked as expected.
The problem is, I don't know which istio roles to add. When I look at the roles that exist in the cluster after istio installation, I don't see any obvious role(s).
Roles I see:
- istio-citadel-istio-system
- istio-vnetingressgateway-istio-system
- istio-sidecar-injector-istio-system
- istio-security-post-install-istio-system
- istio-pilot-istio-system
- istio-ingressgateway-istio-system
- istio-grafana-post-install-istio-system
- istio-mixer-istio-system
- istio-galley-istio-system
- istio-egressgateway-istio-system
What is the appropriate role(s) for users that that need to operate on an istio deployment (within a namespace)? Is it a combination of roles? Do I need a new role?
istos-*, they are the Istio roles, not the AKS cluster. - Charles Xu