
I'm starting out with Kubernetes (v1.32.1) and trying to use Istio as the Gateway API, with one control plane node and two worker nodes (all Ubuntu 24.10, linux/amd64).

Installed istio/base and istio/istiod using helm.

helm install istio-base-release -n istio-system --create-namespace istio/base --set global.istioNamespace=istio-system
helm install istiod-release -n istio-system istio/istiod --set telemetry.enabled=true --set global.istioNamespace=istio-system --set meshConfig.ingressService=istio-gateway --set meshConfig.ingressSelector=gateway

It creates an istiod (version 1.24.3) pod with status Running, but it won't become ready.

NAME                     READY   STATUS
istiod-d4f49484c-n757s   0/1     Running

Using kubectl logs on the pod, I get this error:

error in cluster Kubernetes: failed to list *v1.ConfigMap: Get "https://10.96.0.1:443/api/v1/namespaces/istio-system/configmaps?fieldSelector=metadata.name%3Distio&limit=500&resourceVersion=0": dial tcp 10.96.0.1:443: connect: operation not permitted

It looks like an RBAC problem, but the ServiceAccount, Role and RoleBinding exist for istiod.

I tried changing the default Role's verb list for the configmaps resource to - '*', but I get the same error.

void
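The log line in the question is a client-go list error. As an added example, not from the original post and not Istio's or Kubernetes' own code, here is a small Python triage helper that separates the three places such a request can fail: the TCP connect itself (the text after "dial tcp ...: connect:" is the kernel's errno string for connect(2)), TLS, and an HTTP 403 from the API server ("... is forbidden: User ... cannot ..."). Only the last class is an RBAC decision; when connect(2) itself fails, the request never reached the API server. The sample lines other than the one quoted in the question are constructed for the example, and the suggested follow-up for the RBAC class uses the standard kubectl auth can-i subcommand.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines. Only the first is the line quoted in the
# question; the others are made up to show the other failure classes.
SAMPLE_LOG_LINES = [
    'error in cluster Kubernetes: failed to list *v1.ConfigMap: Get '
    '"https://10.96.0.1:443/api/v1/namespaces/istio-system/configmaps'
    '?fieldSelector=metadata.name%3Distio&limit=500&resourceVersion=0": '
    'dial tcp 10.96.0.1:443: connect: operation not permitted',
    'failed to list *v1.ConfigMap: configmaps is forbidden: User '
    '"system:serviceaccount:istio-system:istiod" cannot list resource '
    '"configmaps" in API group "" in the namespace "istio-system"',
    'failed to list *v1.Secret: Get "https://10.96.0.1:443/api/v1/secrets'
    '?limit=500": dial tcp 10.96.0.1:443: connect: connection refused',
    'failed to list *v1.Service: Get "https://10.96.0.1:443/api/v1/services'
    '?limit=500": x509: certificate signed by unknown authority',
]


@dataclass
class Verdict:
    layer: str        # "transport", "tls", "rbac" or "unknown"
    detail: str       # what failed, in plain words
    next_check: str   # the command or place to look next


# Go's net package renders a failed connect(2) as "dial tcp ADDR: connect: <strerror>".
DIAL_RE = re.compile(
    r'dial tcp (?P<addr>[\d.:\[\]a-fA-F]+): connect: (?P<errno>[^"]+?)(?:"|$)')
# The API server's RBAC denial message (HTTP 403) names user, verb, resource and namespace.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r'(?: in API group "(?P<group>[^"]*)")?(?: in the namespace "(?P<ns>[^"]+)")?')
# TLS handshake / certificate verification failures from crypto/tls and crypto/x509.
X509_RE = re.compile(r'(?:x509|tls): [^"]+')


def classify(line: str) -> Verdict:
    """Decide which layer a client-go error line failed at."""
    m = DIAL_RE.search(line)
    if m:
        return Verdict(
            layer="transport",
            detail=f"connect(2) to {m['addr']} failed with '{m['errno']}'; the request "
                   "never reached the API server, so RBAC was not consulted.",
            next_check="Find what on the node or CNI refuses the pod's outbound connect "
                       "(start with: kubectl get networkpolicies -n <namespace>).",
        )
    m = FORBIDDEN_RE.search(line)
    if m:
        ns_flag = f" -n {m['ns']}" if m["ns"] else ""
        return Verdict(
            layer="rbac",
            detail=f"API server returned 403: {m['user']} may not {m['verb']} "
                   f"{m['resource']}.",
            next_check=f"kubectl auth can-i {m['verb']} {m['resource']} "
                       f"--as={m['user']}{ns_flag}",
        )
    if "forbidden" in line:
        return Verdict("rbac", "API server returned 403.",
                       "Check the (Cluster)RoleBinding for the pod's service account.")
    m = X509_RE.search(line)
    if m:
        return Verdict("tls", f"TLS layer: {m.group(0)}",
                       "Compare the CA bundle mounted in the pod with the API server cert.")
    return Verdict("unknown", line, "Read the full log; no known failure pattern matched.")


def summarize(lines) -> dict:
    """Count how many lines fall into each layer, e.g. to spot a pattern in a log dump."""
    return dict(Counter(classify(l).layer for l in lines))


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        v = classify(line)
        print(f"[{v.layer}] {v.detail}\n    next: {v.next_check}")
    print(summarize(SAMPLE_LOG_LINES))
```

Run it against the output of kubectl logs on the istiod pod: a line in the "transport" class with errno "operation not permitted" means connect(2) returned EPERM inside the pod, which no Role or ClusterRole change can influence, while a "rbac" line hands you the exact kubectl auth can-i query to reproduce the denial as the pod's service account.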

1 Answer


@void: I need more logs from your cluster environment. From the log you gave, it looks like istio has restricted access to the kube API.

Can you give the output of this command?

kubectl get networkpolicies -n istio-system

Check which service account istiod uses:

kubectl get pod istiod-d4f49484c-n757s -n istio-system -o jsonpath='{.spec.serviceAccount}'

Then, what does this command return?

kubectl get clusterrolebinding -o wide | grep istio