1
votes

I have tried now so many times setting up this pipeline in Azure DevOps where I want to deploy an AKS cluster and place Istio on top.

Deploying the AKS using Terraform works great.

After this I try to install Istio using Helm, but the command I use gives a forbidden error.

helm.exe install --namespace istio-system --name istio-init --wait C:\Istio\install\kubernetes\helm\istio

I used the local path since this was the only good way I could find for Helm to find the Istio chart I have on the build agent.

The error message:

Error: release istio-init failed: clusterroles.rbac.authorization.k8s.io "istio-galley-istio-system" is forbidden: attempt to grant extra privileges: [{[*] [admissionregistration.k8s.io] [validatingwebhookconfigurations] [] []} {[get] [config.istio.io] [*] [] []} {[list] [config.istio.io] [*] [] []} {[watch] [config.istio.io] [*] [] []} {[get] [*] [deployments] [istio-galley] []} {[get] [*] [endpoints] [istio-galley] []}] user=&{system:serviceaccount:kube-system:tillerserviceaccount 56632fa4-55e7-11e9-a4a1-9af49f3bf03a [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[[clusterroles.rbac.authorization.k8s.io "cluster-admin" not found, clusterroles.rbac.authorization.k8s.io "system:discovery" not found, clusterroles.rbac.authorization.k8s.io "cluster-admin" not found, clusterroles.rbac.authorization.k8s.io "system:discovery" not found, clusterroles.rbac.authorization.k8s.io "system:discovery" not found, clusterroles.rbac.authorization.k8s.io "cluster-admin" not found]]

The service account I use (system:serviceaccount:kube-system:tillerserviceaccount, as you can see in the error message) is configured using this RBAC config:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tillerserviceaccount
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tillerbinding
roleRef:
  apiGroup: ""
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tillerserviceaccount
    namespace: kube-system

Still, the error message says in the ruleResolutionErrors that it looks for cluster-admin but it is not found.

I even tried the extreme and set all service accounts as cluster admins to test:

kubectl create clusterrolebinding serviceaccounts-admins --clusterrole=cluster-admin --group=system:serviceaccounts

But even after that I get the same error with the same ruleResolutionErrors.

I am stuck and appreciate any help on what I can do differently.

1
4c74356b41: Pretty sure you need to run istio-init first, not just run istio and call it istio-init.

JohanSellberg: I am pretty new to this. When I downloaded the install pack for Istio I got istio charts and istio-remote charts. No init. Or do you mean any other type of init? I am running helm init to set up the service account and such.

JohanSellberg: Reading up on the GitHub documentation, the istio chart says: "The istio-init chart must be run to completion prior to install the istio chart." So I'll download the init chart from there and run it first.

4c74356b41: Yeah, it's in the same folder as istio, but called istio-init: C:\Istio\install\kubernetes\helm\istio-init - should be here. You should be using 1.1+.

JohanSellberg: Tried the istio-init now but got the forbidden error still. "clusterroles.rbac.authorization.k8s.io "istio-init-istio-system" is forbidden..." I can update the question with the full error if needed.

1 Answer

2
votes

This is the role binding we are using in dev clusters:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tillerbinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tillerserviceaccount
    namespace: kube-system

Edit: in this case the error was due to the AKS cluster being created without RBAC.
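A preflight script covering the three causes this page touches on (the `cluster-admin` ClusterRole missing because the AKS cluster has no RBAC, the empty `roleRef.apiGroup` in the question's binding, and the Tiller service account's effective permission), added here as an example that is not part of the question or the answer. It assumes a POSIX shell on the build agent, kubectl on PATH with a kubeconfig for the cluster, and the service account and binding names from the question.

```shell
#!/bin/sh
# Preflight for the Tiller service account before `helm install`.
# The checks are functions over command output so they can be run offline;
# run_preflight wires them to kubectl (assumed on PATH with a kubeconfig).
set -e

SA="system:serviceaccount:kube-system:tillerserviceaccount"   # from the error message
BINDING="tillerbinding"                                        # from the question's YAML

# 1. Bootstrap ClusterRoles present? ruleResolutionErrors reported
#    'clusterroles "cluster-admin" not found', the symptom of an AKS
#    cluster created without RBAC. Arg: output of `kubectl get clusterrole -o name`.
has_cluster_admin() {
  printf '%s\n' "$1" | grep -qE '^clusterroles?(\.rbac\.authorization\.k8s\.io)?/cluster-admin$'
}

# 2. roleRef.apiGroup must be rbac.authorization.k8s.io; the question's
#    binding used apiGroup: "". Arg: the binding's roleRef.apiGroup value.
roleref_apigroup_ok() {
  [ "$1" = "rbac.authorization.k8s.io" ]
}

# 3. Effective permission: may the SA create the ClusterRoles the istio
#    charts install? Arg: output of `kubectl auth can-i` ("yes" or "no").
can_create_clusterroles() {
  [ "$1" = "yes" ]
}

run_preflight() {
  roles=$(kubectl get clusterrole -o name)
  has_cluster_admin "$roles" ||
    { echo "FAIL: ClusterRole cluster-admin missing; enable RBAC on the AKS cluster"; return 1; }
  group=$(kubectl get clusterrolebinding "$BINDING" -o jsonpath='{.roleRef.apiGroup}')
  roleref_apigroup_ok "$group" ||
    { echo "FAIL: $BINDING roleRef.apiGroup is '$group', expected rbac.authorization.k8s.io"; return 1; }
  answer=$(kubectl auth can-i create clusterroles --as="$SA" 2>/dev/null || true)
  can_create_clusterroles "$answer" ||
    { echo "FAIL: $SA cannot create clusterroles; helm install would be forbidden"; return 1; }
  echo "OK: $SA resolves to cluster-admin; safe to run helm install"
}

# Only contact the cluster when invoked with --run; without it the
# functions above can be exercised with constructed output.
if [ "${1:-}" = "--run" ]; then
  run_preflight
fi
```

Run it as `sh preflight.sh --run` from the pipeline step that precedes `helm install`; a FAIL line names which of the three conditions to fix.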