Why do gateways require ClusterRoles?

In the gateways Helm chart, there is a ClusterRole and ClusterRoleBinding for the gateway service-account. In looking at the proxy-agent code under pilot, I couldn’t see where it makes any calls to the Kubernetes API server. For grins, I ran helm template using the sample values file for deploying a custom gateway and then removed all the ClusterRole and ClusterRoleBinding resources. The deployment worked just fine and the gateway came up without any errors. It connected to the mesh and external traffic is flowing nicely.

So why do we need ClusterRole and ClusterRoleBinding resources for the gateways child chart?

Here’s my scenario. I want to deploy an ingress-gateway in each namespace for a specific app with it’s own Service NodePort/LoadBalancer definition that’s separate from the main ingress-gateway in istio-system. I’ll label my custom ingress-gateway with my own label and use that label in my Gateway selector definitions specific for that app. With this config, I can control traffic into my app through its own gateway.

The problem I ran into is that the tiller I created in that namespace is granted admin access scoped to just that namespace, plus I create a special Role so it can also deploy Istio resources (e.g., VirtualService, Gateway, DestinationRule) in the namespace. So that means tiller can’t deploy cluster-wide resources. I do this to restrict the blast radius so devs working in one namespace can’t mess with tiller in another dev’s namespace or mess with the cluster.

@liminwang @YangminZhu Could you please take a look?

I think the gateway shouldn’t need it, I have a PR to delete these: https://github.com/istio/istio/pull/13292

1 Like