Istioctl is failing due to insufficient privileges

brandshaide · April 23, 2020, 7:00am

We’re running istio on a self-managed k8s cluster and a user of a team wanted to try istioctl like that:

istioctl --context dev -i core-istio -n dev-aimistio authn tls-check service0-5866cd8599-5dh4p

but is facing:

Error: error execing into istio-pilot-6f4484bb6-2rsqs/core-istio discovery container: pods "istio-pilot-6f4484bb6-2rsqs" is forbidden: User "oidc:079e7f66-9ed2-435c-a048-147bf7ef1f68" cannot create resource "pods/exec" in API group "" in the namespace "core-istio"

why is it required to have pods/exec for using istioctl?
extending the ClusterRole like that would be a solution:

- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

thx in advance

Topic		Replies	Views
Kubernetes RBAC required for istioctl commands User Experience	2	1016	September 3, 2020
Istio with Pod Security Policy (in GKE)	3	1951	April 5, 2019
Kubernetes cluster roles necessary to install Istio	0	315	April 17, 2020
Issue with Istio sidecar injection and psp	2	1863	April 15, 2019
Istio injection failed	1	545	October 5, 2020

Istioctl is failing due to insufficient privileges

Related Topics