Loading...

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: maistra-2.0.3
Affects Version/s: maistra-2.0.3
Component/s: None
Labels:
None

Blocked:
False
Ready:
False
Release Note Text:
Undefined
Git Pull Request:
https://github.com/maistra/istio/pull/319

Sprint:
Sprint 2, Sprint 3

SFDC Cases Counter:
SFDC Cases Links:

Description

2.0.3 SMCP istio policy mixer crash : Failed to list resources in API group at the cluster scope

When we enable Mixer in a 2.0.3 SMCP, the istio-policy pod crashed and we see error logs in mixer container .

Build Info:
OCP 4.6.24
OSSM SMCP 2.0.3

How to reproduce:
1. Deploy operator and SMCP 2.0.3 on OCP 4.6
2. Enable Mixer check by
$ oc patch -n istio-system smcp/basic --type merge -p '{"spec":{"policy":{"type": "Mixer", "mixer":{"enableChecks":true}}}}'
3. Wait and see istio-policy pod starting, and then check istio-policy pod mixer log

Expected behavior:
Mixer should not list resources at the cluster scope

LoadSheddingOptions: loadshedding.Options{Mode:0, AverageLatencyThreshold:0, SamplesPerSecond:1.7976931348623157e+308, SampleHalfLife:1000000000, LatencyEnforcementThreshold:100, MaxRequestsPerSecond:0, BurstSize:0}
UseAdapterCRDs: false
 
2021-04-14T15:15:31.958955Z     warn    Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2021-04-14T15:15:31.970362Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: instances.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "instances" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.970366Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: rules.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "rules" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.970548Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: templates.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "templates" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.971126Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: attributemanifests.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "attributemanifests" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.971171Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: adapters.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "adapters" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:31.971207Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: handlers.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "handlers" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:32.068269Z     info    smmr    Cache synced for listener "mixer-cache-instance"
2021-04-14T15:15:32.068478Z     info    smmr    Cache synced for listener "mixer-cache-attributemanifest"
2021-04-14T15:15:32.068529Z     info    smmr    Cache synced for listener "mixer-cache-template"
2021-04-14T15:15:32.068548Z     info    smmr    Cache synced for listener "mixer-cache-handler"
2021-04-14T15:15:32.068608Z     info    smmr    Cache synced for listener "mixer-cache-adapter"
2021-04-14T15:15:32.068649Z     info    smmr    Cache synced for listener "mixer-cache-rule"
2021-04-14T15:15:32.945300Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: instances.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "instances" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:33.295726Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: adapters.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "adapters" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:33.374233Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: handlers.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "handlers" in API group "config.istio.io" at the cluster scope
2021-04-14T15:15:33.477040Z     error   k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *unstructured.Unstructured: attributemanifests.config.istio.io is forbidden: User "system:serviceaccount:istio-system:istio-policy-service-account" cannot list resource "attributemanifests" in API group "config.istio.io" at the cluster scope

Attachments

Issue Links

is cloned by

MAISTRA-2281 backport the 2.0 service mesh member roll controller changes to 1.1

Closed

istio policy mixer crash : Failed to list resources in API group at the cluster scope

Details

Description

Attachments

Issue Links

Activity

People

Dates