Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-455

Galley has no permissions to create validatingwebhookconfigurations

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • maistra-0.11.0
    • maistra-0.11.0
    • galley, operator
    • None
    • Maistra TP sprint 11

      Galley's log shows the following error:

      istio-galley-istio-system validatingwebhookconfiguration update failed: validatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:istio-system:istio-galley-service-account" cannot create validatingwebhookconfigurations.admissionregistration.k8s.io at the cluster scope: no RBAC policy matched

      The istio-galley-mesh-istio-system ClusterRole contains the following rule:

      - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  resourceNames: ["istio-galley-istio-system"]
  verbs: ["*"]

      This rule effectively does not allow creation, because it specifies `resourceNames`.

            mluksa@redhat.com Marko Luksa
            mluksa@redhat.com Marko Luksa
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: