Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2280

istio policy mixer crash : Failed to list resources in API group at the cluster scope

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • maistra-2.0.3
    • maistra-2.0.3
    • None
    • None
    • Sprint 2, Sprint 3

      2.0.3 SMCP istio policy mixer crash : Failed to list resources in API group at the cluster scope

      When we enable Mixer in a 2.0.3 SMCP, the istio-policy pod crashed and we see error logs in mixer container .

      Build Info:
      OCP 4.6.24
      OSSM SMCP 2.0.3

      How to reproduce:
      1. Deploy operator and SMCP 2.0.3 on OCP 4.6
      2. Enable Mixer check by
      $ oc patch -n istio-system smcp/basic --type merge -p '{"spec":{"policy":{"type": "Mixer", "mixer":{"enableChecks":true}}}}'
      3. Wait and see istio-policy pod starting, and then check istio-policy pod mixer log

      Expected behavior:
      Mixer should not list resources at the cluster scope

      LoadSheddingOptions: loadshedding.Options{Mode:0, AverageLatencyThreshold:0, SamplesPerSecond:1.7976931348623157e+308, SampleHalfLife:1000000000, LatencyEnforcementThreshold:100, MaxRequestsPerSecond:0, BurstSize:0}
UseAdapterCRDs: false
 
2021-04-14T15:15:31.958955Z     warn    Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2021-04-14T15:15:31.970362Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: instances.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "instances" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.970366Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: rules.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "rules" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.970548Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: templates.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "templates" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.971126Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: attributemanifests.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "attributemanifests" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.971171Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: adapters.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "adapters" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.971207Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: handlers.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "handlers" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:32.068269Z     info    smmr    Cache synced for listener "mixer-cache-instance"
2021-04-14T15:15:32.068478Z     info    smmr    Cache synced for listener "mixer-cache-attributemanifest"
2021-04-14T15:15:32.068529Z     info    smmr    Cache synced for listener "mixer-cache-template"
2021-04-14T15:15:32.068548Z     info    smmr    Cache synced for listener "mixer-cache-handler"
2021-04-14T15:15:32.068608Z     info    smmr    Cache synced for listener "mixer-cache-adapter"
2021-04-14T15:15:32.068649Z     info    smmr    Cache synced for listener "mixer-cache-rule"
2021-04-14T15:15:32.945300Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: instances.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "instances" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:33.295726Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: adapters.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "adapters" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:33.374233Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: handlers.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "handlers" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:33.477040Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: attributemanifests.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "attributemanifests" in API group "config.istio.io" at the cluster scope

              yuaxu@redhat.com Yuanlin Xu
              yuaxu@redhat.com Yuanlin Xu
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: