RBAC: access denied with istio 1.7 #5

Open
y0zg opened this issue Sep 30, 2020 · 6 comments

y0zg commented Sep 30, 2020

Hi @dgn,

It seems this approach doesn't work with Istio 1.7. Probably you know some workarounds?

istioctl version
client version: 1.7.2
control plane version: 1.7.2
data plane version: 1.7.2 (18 proxies)
2020-09-30T22:50:57.346838Z	debug	envoy connection	[C902] closing data_to_write=143 type=2
2020-09-30T22:50:57.346856Z	debug	envoy connection	[C902] setting delayed close timer with timeout 1000 ms
2020-09-30T22:50:57.346866Z	debug	envoy pool	[C3] response complete
2020-09-30T22:50:57.346871Z	debug	envoy pool	[C3] destroying stream: 0 remaining
2020-09-30T22:50:57.346954Z	debug	envoy connection	[C902] write flush complete
2020-09-30T22:50:57.347105Z	debug	envoy connection	[C902] remote early close
2020-09-30T22:50:57.347119Z	debug	envoy connection	[C902] closing socket: 0
2020-09-30T22:50:57.347188Z	debug	envoy conn_handler	[C902] adding to cleanup list
2020-09-30T22:50:57.744347Z	debug	envoy main	flushing stats
2020-09-30T22:50:58.289883Z	debug	envoy http	[C747] new stream
2020-09-30T22:50:58.290086Z	debug	envoy http	[C747][S6519292591854974172] request headers complete (end_stream=true):
':authority', 'appwebform.example.com'
':path', '/'
':method', 'GET'
'cache-control', 'max-age=0'
'upgrade-insecure-requests', '1'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
'sec-fetch-site', 'none'
'sec-fetch-mode', 'navigate'
'sec-fetch-user', '?1'
'sec-fetch-dest', 'document'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', '9ee7ff66-1a7f-41be-9c7c-40adf26298de'
'x-envoy-decorator-operation', 'appwebform-service.appwebform.svc.cluster.local:80/*'
'x-envoy-peer-metadata-id', 'router~172.30.216.33~istio-ingressgateway-86798dbff8-8fn8d.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'f3137deae108f6f2f3bb869c7f8c1468'
'x-b3-spanid', 'f3bb869c7f8c1468'
'x-b3-sampled', '0'
'content-length', '0'

2020-09-30T22:50:58.290123Z	debug	envoy http	[C747][S6519292591854974172] request end stream
2020-09-30T22:50:58.290228Z	debug	envoy jwt	Called Filter : setDecoderFilterCallbacks
2020-09-30T22:50:58.290351Z	debug	envoy jwt	Called Filter : decodeHeaders
2020-09-30T22:50:58.290362Z	debug	envoy jwt	Prefix requirement '/' matched.
2020-09-30T22:50:58.290374Z	debug	envoy jwt	extract authorizationBearer 
2020-09-30T22:50:58.290383Z	debug	envoy jwt	origins-0: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.290389Z	debug	envoy jwt	origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290403Z	debug	envoy jwt	Called AllowMissingVerifierImpl.verify : verify
2020-09-30T22:50:58.290408Z	debug	envoy jwt	extract authorizationBearer 
2020-09-30T22:50:58.290413Z	debug	envoy jwt	_IS_ALLOW_MISSING_: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.290416Z	debug	envoy jwt	_IS_ALLOW_MISSING_: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290422Z	debug	envoy jwt	Called Filter : check complete OK
2020-09-30T22:50:58.290474Z	debug	envoy filter	AuthenticationFilter::decodeHeaders with config
policy {
  peers {
    mtls {
      mode: PERMISSIVE
    }
  }
  origins {
    jwt {
      issuer: "https://keycloak.example.com/auth/realms/istio"
    }
  }
  origin_is_optional: true
  principal_binding: USE_ORIGIN
}
skip_validate_trust_domain: true

2020-09-30T22:50:58.290500Z	debug	envoy filter	[C747] validateX509 mode PERMISSIVE: ssl=true, has_user=true
2020-09-30T22:50:58.290505Z	debug	envoy filter	[C747] trust domain validation skipped
2020-09-30T22:50:58.290509Z	debug	envoy filter	Set peer from X509: cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
2020-09-30T22:50:58.290518Z	debug	envoy filter	Validating request path / for jwt issuer: "https://keycloak.example.com/auth/realms/istio"

2020-09-30T22:50:58.290524Z	debug	envoy filter	No dynamic_metadata found for filter envoy.filters.http.jwt_authn
2020-09-30T22:50:58.290528Z	debug	envoy filter	No dynamic_metadata found for filter jwt-auth
2020-09-30T22:50:58.290531Z	debug	envoy filter	Origin authenticator failed
2020-09-30T22:50:58.290585Z	debug	envoy filter	Saved Dynamic Metadata:
fields {
  key: "source.namespace"
  value {
    string_value: "istio-system"
  }
}
fields {
  key: "source.principal"
  value {
    string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}
fields {
  key: "source.user"
  value {
    string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}

2020-09-30T22:50:58.290668Z	debug	envoy rbac	checking request: requestedServerName: outbound_.80_._.appwebform-service.appwebform.svc.cluster.local, sourceIP: 172.30.216.33:39150, directRemoteIP: 172.30.216.33:39150, remoteIP: 10.215.25.170:0,localAddress: 172.30.218.100:80, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'appwebform.example.com'
':path', '/'
':method', 'GET'
'cache-control', 'max-age=0'
'upgrade-insecure-requests', '1'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
'sec-fetch-site', 'none'
'sec-fetch-mode', 'navigate'
'sec-fetch-user', '?1'
'sec-fetch-dest', 'document'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-request-id', '9ee7ff66-1a7f-41be-9c7c-40adf26298de'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'f3137deae108f6f2f3bb869c7f8c1468'
'x-b3-spanid', 'f3bb869c7f8c1468'
'x-b3-sampled', '0'
'content-length', '0'
'x-envoy-internal', 'true'
'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/appwebform/sa/default;Hash=45344697d73a89b728012dc151ff07d6a20791833cf4b74a470e66f3aaf4cb45;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account'
, dynamicMetadata: filter_metadata {
  key: "istio_authn"
  value {
    fields {
      key: "source.namespace"
      value {
        string_value: "istio-system"
      }
    }
    fields {
      key: "source.principal"
      value {
        string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
    fields {
      key: "source.user"
      value {
        string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
  }
}

2020-09-30T22:50:58.290696Z	debug	envoy rbac	enforced denied
2020-09-30T22:50:58.290703Z	debug	envoy http	[C747][S6519292591854974172] Sending local reply with details rbac_access_denied
2020-09-30T22:50:58.290759Z	debug	envoy http	[C747][S6519292591854974172] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'x-envoy-peer-metadata-id', 'sidecar~172.30.218.100~appwebform-deployment-65c755f78b-2vckh.appwebform~appwebform.svc.cluster.local'
'date', 'Wed, 30 Sep 2020 22:50:57 GMT'
'server', 'istio-envoy'

2020-09-30T22:50:58.290810Z	debug	envoy jwt	Called Filter : onDestroy
2020-09-30T22:50:58.290816Z	debug	envoy filter	Called AuthenticationFilter : onDestroy
2020-09-30T22:50:58.290946Z	debug	envoy wasm	wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=12
2020-09-30T22:50:58.290975Z	debug	envoy wasm	wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=6
2020-09-30T22:50:58.290981Z	debug	envoy wasm	wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=10
2020-09-30T22:50:58.290987Z	debug	envoy wasm	wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=14
2020-09-30T22:50:58.417910Z	debug	envoy http	[C747] new stream
2020-09-30T22:50:58.418106Z	debug	envoy http	[C747][S3780791924704176796] request headers complete (end_stream=true):
':authority', 'appwebform.example.com'
':path', '/favicon.ico'
':method', 'GET'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'image/avif,image/webp,image/apng,image/*,*/*;q=0.8'
'sec-fetch-site', 'same-origin'
'sec-fetch-mode', 'no-cors'
'sec-fetch-dest', 'image'
'referer', 'https://appwebform.example.com/'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', 'c7030a4d-9d44-4395-a77a-7ce6c38789d7'
'x-envoy-decorator-operation', 'appwebform-service.appwebform.svc.cluster.local:80/*'
'x-envoy-peer-metadata', 'ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwo5CgxJTlNUQU5DRV9JUFMSKRonMTcyLjMwLjIxNi4zMyxmZTgwOjo2YzkyOmI2ZmY6ZmU3Zjo2MTY2CpYCCgZMQUJFMSiwIqiAIKHQoDYXBwEhYaFGlzdGlvLWluZ3Jlc3NnYXRld2F5ChMKBWNoYXJ0EgoaCGdhdGV3YXlzChQKCGhlcml0YWdlEggaBlRpbGxlcgoZCgVpc3RpbxIQGgbmdyZXNzZ2F0ZXdheQohChFwb2QtdGVtcGxhdGUtaGFzaBIMGgo4Njc5OGRiZmY4ChIKB3JlbGVhc2USBxoFaXN0aW8KOQofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIWGhRpc3Rpby1pbmdyZXNzZ2F0ZXdheQovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKGgoHTUVTSF9JIPGg1jbHVzdGVyLmxvY2FsCi8KBE5BTUUSJxolaXN0aW8taW5ncmVzc2dhdGV3YXktODY3OThkYmZmOC04Zm44ZAobCglOQU1FU1BBQ0USDhoMaXN0aW8tc3lzdGVtCl0KBU9XTkVSElQaUmt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9pc3Rpby1zeXN0ZW0vZGVwbG95bWVudHMvaXN0aW8taW5ncmVzc2dhdGV3YXkKOQoPU0VSVklDRV9BQPVU5UEiYaJGlzdGlvLWluZ3Jlc3NnYXRld2F5LXNlcnZpY2UtYWNjb3VudAonCg1XT1JLTE9BRF9OQU1FEhYaFGlzdGlvLWluZ3Jlc3NnYXRld2F5'
'x-envoy-peer-metadata-id', 'router~172.30.216.33~istio-ingressgateway-86798dbff8-8fn8d.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', '09ad482c28859c1617246f025f6a26b1'
'x-b3-spanid', '17246f025f6a26b1'
'x-b3-sampled', '0'
'content-length', '0'

2020-09-30T22:50:58.418129Z	debug	envoy http	[C747][S3780791924704176796] request end stream
2020-09-30T22:50:58.418222Z	debug	envoy jwt	Called Filter : setDecoderFilterCallbacks
2020-09-30T22:50:58.418322Z	debug	envoy jwt	Called Filter : decodeHeaders
2020-09-30T22:50:58.418343Z	debug	envoy jwt	Prefix requirement '/' matched.
2020-09-30T22:50:58.418356Z	debug	envoy jwt	extract authorizationBearer 
2020-09-30T22:50:58.418366Z	debug	envoy jwt	origins-0: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.418372Z	debug	envoy jwt	origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.418378Z	debug	envoy jwt	Called AllowMissingVerifierImpl.verify : verify
2020-09-30T22:50:58.418382Z	debug	envoy jwt	extract authorizationBearer 
2020-09-30T22:50:58.418387Z	debug	envoy jwt	_IS_ALLOW_MISSING_: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.418390Z	debug	envoy jwt	_IS_ALLOW_MISSING_: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.418396Z	debug	envoy jwt	Called Filter : check complete OK
2020-09-30T22:50:58.418444Z	debug	envoy filter	AuthenticationFilter::decodeHeaders with config
policy {
  peers {
    mtls {
      mode: PERMISSIVE
    }
  }
  origins {
    jwt {
      issuer: "https://keycloak.example.com/auth/realms/istio"
    }
  }
  origin_is_optional: true
  principal_binding: USE_ORIGIN
}
skip_validate_trust_domain: true

2020-09-30T22:50:58.418468Z	debug	envoy filter	[C747] validateX509 mode PERMISSIVE: ssl=true, has_user=true
2020-09-30T22:50:58.418496Z	debug	envoy filter	[C747] trust domain validation skipped
2020-09-30T22:50:58.418508Z	debug	envoy filter	Set peer from X509: cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
2020-09-30T22:50:58.418520Z	debug	envoy filter	Validating request path /favicon.ico for jwt issuer: "https://keycloak.example.com/auth/realms/istio"

2020-09-30T22:50:58.418540Z	debug	envoy filter	No dynamic_metadata found for filter envoy.filters.http.jwt_authn
2020-09-30T22:50:58.418545Z	debug	envoy filter	No dynamic_metadata found for filter jwt-auth
2020-09-30T22:50:58.418549Z	debug	envoy filter	Origin authenticator failed
2020-09-30T22:50:58.418605Z	debug	envoy filter	Saved Dynamic Metadata:
fields {
  key: "source.namespace"
  value {
    string_value: "istio-system"
  }
}
fields {
  key: "source.principal"
  value {
    string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}
fields {
  key: "source.user"
  value {
    string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}

2020-09-30T22:50:58.418686Z	debug	envoy rbac	checking request: requestedServerName: outbound_.80_._.appwebform-service.appwebform.svc.cluster.local, sourceIP: 172.30.216.33:39150, directRemoteIP: 172.30.216.33:39150, remoteIP: 10.215.25.170:0,localAddress: 172.30.218.100:80, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'appwebform.example.com'
':path', '/favicon.ico'
':method', 'GET'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'image/avif,image/webp,image/apng,image/*,*/*;q=0.8'
'sec-fetch-site', 'same-origin'
'sec-fetch-mode', 'no-cors'
'sec-fetch-dest', 'image'
'referer', 'https://appwebform.example.com/'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-request-id', 'c7030a4d-9d44-4395-a77a-7ce6c38789d7'
'x-envoy-attempt-count', '1'
'x-b3-traceid', '09ad482c28859c1617246f025f6a26b1'
'x-b3-spanid', '17246f025f6a26b1'
'x-b3-sampled', '0'
'content-length', '0'
'x-envoy-internal', 'true'
'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/appwebform/sa/default;Hash=45344697d73a8928012dc151ff07d6a20791833cf4ba470e66f3aaf4cb45;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account'
, dynamicMetadata: filter_metadata {
  key: "istio_authn"
  value {
    fields {
      key: "source.namespace"
      value {
        string_value: "istio-system"
      }
    }
    fields {
      key: "source.principal"
      value {
        string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
    fields {
      key: "source.user"
      value {
        string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
  }
}

2020-09-30T22:50:58.418716Z	debug	envoy rbac	enforced denied
2020-09-30T22:50:58.418723Z	debug	envoy http	[C747][S3780791924704176796] Sending local reply with details rbac_access_denied
2020-09-30T22:50:58.418783Z	debug	envoy http	[C747][S3780791924704176796] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'x-envoy-peer-metadata-id', 'sidecar~172.30.218.100~appwebform-deployment-65c755f78b-2vckh.appwebform~appwebform.svc.cluster.local'
'date', 'Wed, 30 Sep 2020 22:50:58 GMT'
'server', 'istio-envoy'
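
Added example (not part of the original issue or the project's code): a small triage script that condenses an Envoy debug log like the one above into one record per HTTP stream, with the JWT result, the mTLS peer and the RBAC verdict. It assumes tab-separated log fields and a log that is not interleaved across connections; the embedded sample is a shortened, constructed copy of the lines above.

```python
import re

# Constructed sample: a shortened copy of the debug lines in the issue (tab-separated).
SAMPLE = """\
2020-09-30T22:50:58.290086Z\tdebug\tenvoy http\t[C747][S6519292591854974172] request headers complete (end_stream=true):
':authority', 'appwebform.example.com'
':path', '/'
':method', 'GET'

2020-09-30T22:50:58.290389Z\tdebug\tenvoy jwt\torigins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290509Z\tdebug\tenvoy filter\tSet peer from X509: cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
2020-09-30T22:50:58.290531Z\tdebug\tenvoy filter\tOrigin authenticator failed
2020-09-30T22:50:58.290696Z\tdebug\tenvoy rbac\tenforced denied
2020-09-30T22:50:58.290703Z\tdebug\tenvoy http\t[C747][S6519292591854974172] Sending local reply with details rbac_access_denied
"""

LINE = re.compile(r"^(\S+Z)\t(\w+)\tenvoy (\w+)\t(.*)$")   # timestamp, level, component, message
START = re.compile(r"\[C\d+\]\[S(\d+)\] request headers complete")
PATH = re.compile(r"^':path', '([^']*)'")
JWT = re.compile(r"^origins-\d+: JWT token verification completed with: (.+)$")
PEER = re.compile(r"^Set peer from X509: (\S+)")
RBAC = re.compile(r"^enforced (allowed|denied)")

def summarize(log_text):
    """Return one dict per HTTP stream: path, JWT result, mTLS peer, RBAC verdict."""
    streams, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:  # continuation line: header dump or proto text
            p = PATH.match(raw)
            if cur is not None and p and cur["path"] is None:
                cur["path"] = p.group(1)  # first :path after the stream starts
            continue
        component, msg = m.group(3), m.group(4)
        s = START.search(msg)
        if component == "http" and s:  # a new stream begins; later lines belong to it
            cur = {"stream": s.group(1), "path": None, "jwt": None, "peer": None, "rbac": None}
            streams.append(cur)
        elif cur is None:
            continue
        elif component == "jwt" and JWT.match(msg):
            cur["jwt"] = JWT.match(msg).group(1)
        elif component == "filter" and PEER.match(msg):
            cur["peer"] = PEER.match(msg).group(1)
        elif component == "rbac" and RBAC.match(msg):
            cur["rbac"] = RBAC.match(msg).group(1)
    return streams
```

A record with `jwt` set to `Jwt is missing` and `rbac` set to `denied` corresponds to the 403 responses in the log above.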

Author

y0zg commented Oct 1, 2020

Trying to change the version here didn't help
https://github.com/dgn/oidc-filter/blob/master/example/envoyfilter.yaml#L11

Author

y0zg commented Oct 1, 2020

Owner

dgn commented Oct 1, 2020

Thanks for the pointer! I'll look at 1.7 support soon

Author

y0zg commented Oct 2, 2020

Managed to fix this by adding

    configuration:
      "@type": "type.googleapis.com/google.protobuf.StringValue"
      value: |

This example is sufficient to check
k get EnvoyFilter -n istio-system tcp-stats-filter-1.7 -o yaml
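
Added example (not from the thread or the oidc-filter repository): a check that reports, for an EnvoyFilter exported as JSON, whether each `configuration` field is a bare string or wrapped in the `StringValue` type shown in the comment above. The sample manifest and its nesting under `patch` are constructed assumptions; only the type URL comes from the page.

```python
import json

STRING_VALUE = "type.googleapis.com/google.protobuf.StringValue"  # type URL from the issue

# Constructed manifest; the nesting under "patch" is an assumed layout, not the project's file.
SAMPLE = json.dumps({
    "kind": "EnvoyFilter",
    "metadata": {"name": "example-filter"},
    "spec": {"configPatches": [
        {"patch": {"value": {"config": {"configuration": "{\"debug\": true}"}}}},
        {"patch": {"value": {"config": {"configuration": {
            "@type": STRING_VALUE, "value": "{\"debug\": true}"}}}}},
    ]},
})

def find_configurations(node, path="$"):
    """Yield (path, value) for every key named `configuration`, at any depth."""
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            if key == "configuration":
                yield here, val
            else:
                yield from find_configurations(val, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_configurations(item, f"{path}[{i}]")

def classify(value):
    """'wrapped' = typed StringValue as in the fix; 'bare-string' = plain scalar."""
    if isinstance(value, str):
        return "bare-string"
    if (isinstance(value, dict) and value.get("@type") == STRING_VALUE
            and isinstance(value.get("value"), str)):
        return "wrapped"
    return "other"

def audit(manifest_json):
    """Map each `configuration` location in an EnvoyFilter (or a List of them) to its form."""
    return {p: classify(v) for p, v in find_configurations(json.loads(manifest_json))}

if __name__ == "__main__":
    for where, form in audit(SAMPLE).items():
        print(form, where)
```

Feeding it the output of `kubectl get EnvoyFilter -n istio-system -o json` lists every filter at once, since the walker also descends into the `items` array of a List.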

Owner

dgn commented Oct 2, 2020

Nice! Please feel free to submit a PR that updates support to 1.7

@marcbachmann
Contributor

This should be fixed on master with #7
