Bug
Resolution: Done
Minor
RC1
oc get istio-io is a shortcut for getting all Istio-related objects.
However, it tries to read meshpolicies and clusterrbacconfigs, which are cluster-scoped, and thus a regular user doesn't have access. The user is presented with an error.
Example:
$ oc get istio-io
NAME                                           AGE
gateway.networking.istio.io/tcp-echo-gateway   7m31s

NAME                                                       HOST       AGE
destinationrule.networking.istio.io/tcp-echo-destination   tcp-echo   7m32s

NAME                                          GATEWAYS             HOSTS   AGE
virtualservice.networking.istio.io/tcp-echo   [tcp-echo-gateway]   [*]     7m32s
Error from server (Forbidden): meshpolicies.authentication.istio.io is forbidden: User "user1" cannot list resource "meshpolicies" in API group "authentication.istio.io" at the cluster scope
Error from server (Forbidden): clusterrbacconfigs.rbac.istio.io is forbidden: User "user1" cannot list resource "clusterrbacconfigs" in API group "rbac.istio.io" at the cluster scope
We could remove these two objects from the output of oc get istio-io, but then an admin user would not get them either.
Is related to: MAISTRA-630 Ensure MeshPolicy and ClusterRbacConfig are per control plane (Closed)
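A possible client-side workaround for the behaviour reported above, as an added example that is not part of the original ticket or the project's own code: it queries the istio-io category but includes cluster-scoped types only when the current user is allowed to list them, so a regular user gets no Forbidden errors and an admin still sees everything. It assumes an oc client whose api-resources subcommand supports --categories, --namespaced and -o name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; assumes `oc api-resources`
# supports --categories, --namespaced and -o name.

# Print, as a comma-separated list, the resource types in a category
# that the current user is able to list.
listable_in_category() {
    category=$1
    {
        # Namespaced types are covered by ordinary project-level access.
        oc api-resources --categories="$category" --namespaced=true -o name

        # Cluster-scoped types: ask the API server first, at cluster scope,
        # and keep only the ones we are permitted to list.
        oc api-resources --categories="$category" --namespaced=false -o name |
        while read -r res; do
            if oc auth can-i list "$res" --all-namespaces </dev/null >/dev/null 2>&1; then
                echo "$res"
            fi
        done
    } | sort | paste -sd, -
}

# Run `oc get` on just the listable types of the category.
get_listable_category() {
    resources=$(listable_in_category "$1") || return 1
    if [ -z "$resources" ]; then
        echo "no listable resources in category $1" >&2
        return 1
    fi
    oc get "$resources"
}

# Usage: get_listable_category istio-io
```
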