Istioctl is failing due to insufficient privileges

brandshaide · April 23, 2020, 7:00am

We’re running istio on a self-managed k8s cluster and a user of a team wanted to try istioctl like that:

istioctl --context dev -i core-istio -n dev-aimistio authn tls-check service0-5866cd8599-5dh4p

but is facing:

Error: error execing into istio-pilot-6f4484bb6-2rsqs/core-istio discovery container: pods "istio-pilot-6f4484bb6-2rsqs" is forbidden: User "oidc:079e7f66-9ed2-435c-a048-147bf7ef1f68" cannot create resource "pods/exec" in API group "" in the namespace "core-istio"

why is it required to have pods/exec for using istioctl?
extending the ClusterRole like that would be a solution:

- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

thx in advance

Topic		Replies	Views
Kubernetes RBAC required for istioctl commands User Experience	2	1134	September 3, 2020
Istio with Pod Security Policy (in GKE)	3	2071	April 5, 2019
Istio AuthorizationPolicy to do not allow users to access the pods from the namespaces where they don't have access Security	0	442	July 29, 2021
Issue with Istio sidecar injection and psp	2	1963	April 15, 2019
Pods not created with headless service Networking	3	840	October 14, 2022

Istioctl is failing due to insufficient privileges

Related topics