The istiod-service-account
is not allowed (and won’t be allowed) to modify a specific namespace (abc-system
).
Because of that the pod istiod-...
(under istio-systems
) prints this log entry twice a second:
2021-01-29T13:18:10.686659Z info Work item handle failed (error when creating configmap istio-ca-root-cert: configmaps is forbidden:
User "system:serviceaccount:istio-system:istiod-service-account" cannot create resource "configmaps" in API group "" in the namespace "abc-system":
["You're not allowed to create/update/delete/exec on namespaced resources in kube-system and abc-system"]), retry after delay 1s
How can Istio be configured to avoid this issue?