[Image Update] Istioctl or the whole istio release package? #462

Open
surajssd opened this issue Aug 12, 2024 · 5 comments
Labels
Tool_change This is related to updating an existing Cloud Shell tool

Comments

@surajssd
Member

surajssd commented Aug 12, 2024

I see that Istio is installed using the official release from GitHub. Is the whole release needed or is it just the istioctl binary that's needed?

@mbifeld mbifeld added the Tool_change This is related to updating an existing Cloud Shell tool label Aug 13, 2024
@surajssd
Member Author

If there isn't enough demand for istioctl, then we will remove istio from the CloudShell in another two weeks.

@kartikjoshi21
Contributor

Following along: a few more vulnerabilities related to Istio are detected by the Trivy scanner over multiple scans on the base image.

1. ClusterRole 'istiod-clusterrole-' shouldn't have access to manage resource 'secrets'  
2. ClusterRole 'istiod-clusterrole-' shouldn't manage all resource
3. ClusterRole 'istiod-clusterrole-' should not have access to resources ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]  
4. ClusterRole 'istio-reader-clusterrole-' shouldn't have access to manage resource 'secrets'  
5. ClusterRole 'istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}' shouldn't have access to manage resource 'secrets'  
6. ClusterRole 'istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"]  

@shahriaak

@kartikjoshi21 We are using the istioctl command for Istio debugging. Kindly do not remove it. :)

@surajssd
Member Author

@shahriaak is it just istioctl, or is there more that you use in there? We would like to learn more about your use case.

@GabrielAlacchi

GabrielAlacchi commented Oct 28, 2024

We are currently using istioctl from time to time in Cloud Shell to debug Istio-related issues that come up in AKS clusters that are using the mesh addon. We would like to keep it there for ease of debugging; however, if there is a route to easily install it in a fresh Cloud Shell session, then it's not necessarily mandatory to keep around.

My team is Microsoft 1P, so feel free to reach out to learn more about our use case @surajssd.
