An issue with creating an ClusterRbacConfig object

#1

I created a k8s cluster, and then installed istio 1.0.3 with this command:

gcloud beta container clusters update cluster1
–update-addons=Istio=ENABLED --istio-config=auth=MTLS_PERMISSIVE

My questions:

  1. Do I have to use auth=MTLS_STRICT for authorization?
  2. With both auth=MTLS_STRICT and auth=MTLS_PERMISSIVE, I got this error when I created an ClusterRbacConfig object.

Error from server: error when creating “clusterRabcconfig.yaml”: admission webhook “pilot.validation.istio.io” denied the request: unrecognized type ClusterRbacConfig

Any idea on what’s going on? Thanks

0 Likes

#2

I believe ClusterRbacConfig was introduced in Istio 1.1, but you are running 1.0.3

0 Likes

#3

Thanks for your reply.

I see ClusterRbacConfig with 1.0.3 though.

kubectl get crd clusterrbacconfigs.rbac.istio.io
NAME CREATED AT
clusterrbacconfigs.rbac.istio.io 2019-04-01T21:46:30Z

Is there a way to install istio addon with version 1.1, since I updated my GKE cluster with –update-addons=Istio=ENABLED, which got me 1.0.3?

0 Likes

#4

ClusterRbacConfig was introduced in Istio 1.1. @ostromart Could you help take a look at the installation steps here?

To answer the questions above,

  1. No. Authorization can be enabled independent of authentication mode.
  2. Probably some version problem here. But it is not related to auth mode.
0 Likes

#5

@akyyy are you saying ClusterRbacConfig is automatically created as part of the cluster creation? That would be unexpected because it’s not in the install manifest.
We expect to have 1.1 out in a few weeks. Right now it’s being tested for production readiness and it will take a while to fully roll out.

0 Likes

#6

Thank you for your reply! I’ll try Istio 1.1

0 Likes