kiali: Kiali-operator installed view-only kiali has permissions issue on namespaces causing the graph to break
Describe the bug
Kiali goes back and forth between showing the graph and breaking over a permissions issue:
namespaces is forbidden: User "system:serviceaccount:istio-system:kiali-service-account" cannot list resource "namespaces" in API group "" at the cluster scope

Versions used
- Kiali: 1.25.0
- Istio: 1.7.3
- Kubernetes flavour and version: AKS 1.18.8
To Reproduce
- Install Kiali-operator using the helm chart
  values:
    clusterRoleCreator: true
    cr:
      namespace: istio-system
      name: kiali
      create: true
      spec:
        istio_namespace: istio-system
        auth:
          strategy: "anonymous"
        deployment:
          view_only_mode: "true"
          accessible_namespaces:
          - '**'
          image_name: "quay.io/kiali/kiali"
          image_pull_policy: "IfNotPresent"
          image_version: "v1.25.0"
          ingress_enabled: false
          namespace: "istio-system"
- Go to Kiali UI and click on graph, wait a little while. Graph will switch between showing and breaking, posting messages to message center.
Expected behavior
In docs it says that a view-only kiali should get a kiali-viewer clusterrole but that isn’t created in my cluster. Whenever I do a kubectl auth can-i list namespaces --as system:serviceaccount:istio-system:kiali-service-account --all-namespaces it returns yes so I expect it to work. However, the graph breaks and I get those error messages in message center.
About this issue
- State: closed
- Created 4 years ago
- Comments: 28
A few PRs have been merged that should address the issue reported here. The fixes will be in the next release.
Until that release is available, the workaround should be:
- view_only_mode: true…do NOT use view_only_mode: "true").
- deployment.accessible_namespaces: ['**']
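
One way to check whether the service account's permission itself changes over time, as the on-and-off graph in the report suggests it might. This is an added example, not part of the issue thread or the Kiali project's code; the KUBECTL and SA variables and the function names are assumptions of this example, and it repeats the `kubectl auth can-i` check from the report at intervals.

```shell
#!/bin/sh
# Added example: sample the effective RBAC answer for the Kiali service
# account several times and report whether it is stable or flips.
# KUBECTL and SA are assumptions of this example and can be overridden.
KUBECTL=${KUBECTL:-kubectl}
SA=${SA:-system:serviceaccount:istio-system:kiali-service-account}

# can_i VERB RESOURCE -> prints "yes" or "no"
# kubectl auth can-i exits non-zero on a denial, so normalise the answer.
can_i() {
    if [ "$($KUBECTL auth can-i "$1" "$2" --as "$SA" --all-namespaces 2>/dev/null)" = "yes" ]; then
        echo yes
    else
        echo no
    fi
}

# sample_permission VERB RESOURCE COUNT INTERVAL_SECONDS
# prints "stable-yes", "stable-no" or "flapping"
sample_permission() {
    yes_n=0; no_n=0; i=0
    while [ "$i" -lt "$3" ]; do
        if [ "$(can_i "$1" "$2")" = "yes" ]; then
            yes_n=$((yes_n + 1))
        else
            no_n=$((no_n + 1))
        fi
        i=$((i + 1))
        # pause between samples, but not after the last one
        if [ "$i" -lt "$3" ]; then sleep "$4"; fi
    done
    if [ "$no_n" -eq 0 ]; then
        echo stable-yes
    elif [ "$yes_n" -eq 0 ]; then
        echo stable-no
    else
        echo flapping
    fi
}

# Typical use against a live cluster (30 samples, 10 seconds apart):
#   sample_permission list namespaces 30 10
```

A result of "flapping" means the cluster-scope grant is being added and removed while Kiali runs, which matches an error that only appears some of the time; a single `can-i` run can land in a "yes" window and miss it.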