We’re running istio on a self-managed k8s cluster and a user of a team wanted to try
istioctl like that:
istioctl --context dev -i core-istio -n dev-aimistio authn tls-check service0-5866cd8599-5dh4p
but is facing:
Error: error execing into istio-pilot-6f4484bb6-2rsqs/core-istio discovery container: pods "istio-pilot-6f4484bb6-2rsqs" is forbidden: User "oidc:079e7f66-9ed2-435c-a048-147bf7ef1f68" cannot create resource "pods/exec" in API group "" in the namespace "core-istio"
- why is it required to have
pods/execfor using istioctl?
- extending the
ClusterRolelike that would be a solution:
- apiGroups: [""] resources: ["pods/exec"] verbs: ["create"]
thx in advance