In the gateways Helm chart, there is a
ClusterRoleBinding for the gateway service-account. In looking at the
proxy-agent code under
pilot, I couldn’t see where it makes any calls to the Kubernetes API server. For grins, I ran
helm template using the sample values file for deploying a custom gateway and then removed all the
ClusterRoleBinding resources. The deployment worked just fine and the gateway came up without any errors. It connected to the mesh and external traffic is flowing nicely.
So why do we need
ClusterRoleBinding resources for the gateways child chart?
Here’s my scenario. I want to deploy an ingress-gateway in each namespace for a specific app with it’s own
LoadBalancer definition that’s separate from the main ingress-gateway in
istio-system. I’ll label my custom ingress-gateway with my own label and use that label in my
Gateway selector definitions specific for that app. With this config, I can control traffic into my app through its own gateway.
The problem I ran into is that the tiller I created in that namespace is granted
admin access scoped to just that namespace, plus I create a special
Role so it can also deploy Istio resources (e.g.,
DestinationRule) in the namespace. So that means tiller can’t deploy cluster-wide resources. I do this to restrict the blast radius so devs working in one namespace can’t mess with tiller in another dev’s namespace or mess with the cluster.