
[Image Update] Istioctl or the whole istio release package?

Open surajssd opened this issue 1 year ago • 4 comments

I see that Istio is installed using the official release from Github. Is the whole release needed or is it just the istioctl binary that's needed?

surajssd avatar Aug 12 '24 22:08 surajssd

If there isn't enough demand for istioctl, then we will remove istio from the CloudShell in another two weeks.

surajssd avatar Aug 28 '24 21:08 surajssd

Following along: a few more vulnerabilities related to istio are detected by the trivy scanner over multiple scans on the base image:

1. ClusterRole 'istiod-clusterrole-' shouldn't have access to manage resource 'secrets'  
2. ClusterRole 'istiod-clusterrole-' shouldn't manage all resource
3. ClusterRole 'istiod-clusterrole-' should not have access to resources ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]  
4. ClusterRole 'istio-reader-clusterrole-' shouldn't have access to manage resource 'secrets'  
5. ClusterRole 'istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}' shouldn't have access to manage resource 'secrets'  
6. ClusterRole 'istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"]  

kartikjoshi21 avatar Sep 08 '24 19:09 kartikjoshi21
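The kinds of RBAC finding quoted in the comment above can be reproduced on a manifest before an image ships. The sketch below is an example added here, not part of the thread and not Trivy's implementation: the matching rules are assumptions modelled on the wording of the six findings, and the role names and sample manifests are constructed.

```python
# Added example, not Trivy's implementation: the matching rules are assumptions
# modelled on the wording of the six findings quoted in the thread.
# Assumption: resource names are matched regardless of apiGroups.
WEBHOOK_VERBS = {"create", "update", "patch", "delete", "deletecollection", "impersonate", "*"}
RBAC_VERBS = {"create", "update", "delete", "deletecollection", "impersonate", "*"}
WEBHOOKS = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
RBAC_OBJECTS = {"roles", "rolebindings"}


def audit_cluster_role(role):
    """Return sorted finding strings for one ClusterRole manifest given as a dict."""
    name = role["metadata"]["name"]
    findings = set()
    for rule in role.get("rules", []):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in resources and verbs & WEBHOOK_VERBS:
            findings.add(f"{name}: manages all resources")
            continue  # the wildcard already covers the narrower checks
        # Assumption: any verb on secrets counts, because get/list/watch
        # already discloses the secret's contents.
        if "secrets" in resources and verbs:
            findings.add(f"{name}: has access to secrets")
        if resources & WEBHOOKS and verbs & WEBHOOK_VERBS:
            findings.add(f"{name}: can modify admission webhook configurations")
        if resources & RBAC_OBJECTS and verbs & RBAC_VERBS:
            findings.add(f"{name}: can modify roles/rolebindings")
    return sorted(findings)

# Constructed sample manifests (hypothetical names, not Istio's real roles).
SAMPLE_ROLES = [
    {"metadata": {"name": "example-controller"},
     "rules": [
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]},
         {"apiGroups": ["admissionregistration.k8s.io"],
          "resources": ["validatingwebhookconfigurations"], "verbs": ["get", "update"]},
     ]},
    {"metadata": {"name": "example-operator"},
     "rules": [
         {"apiGroups": ["rbac.authorization.k8s.io"],
          "resources": ["roles", "rolebindings"], "verbs": ["*"]},
         {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
     ]},
    {"metadata": {"name": "example-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    print([audit_cluster_role(r) for r in SAMPLE_ROLES])
```
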

@kartikjoshi21 We are using the istioctl command for istio debugging. Kindly do not remove it. :)

shahriaak avatar Sep 23 '24 20:09 shahriaak

@shahriaak is it just istioctl, or is there more that you use in there? We would like to learn more about your use case.

surajssd avatar Sep 27 '24 20:09 surajssd

We are currently using istioctl from time to time in cloudshell to debug istio related issues that come up in AKS clusters that are using the mesh addon. We would like to keep it there for ease of debugging, however if there is a route to easily install it in a fresh cloudshell session then it's not necessarily mandatory to keep around.

My team is Microsoft 1P, so feel free to reach out to learn more about our use case @surajssd.

GabrielAlacchi avatar Oct 28 '24 20:10 GabrielAlacchi

Closing since we are not removing the istio package. Also, this PR updates the installation process of istioctl: https://github.com/Azure/CloudShell/pull/522

surajssd avatar Feb 27 '25 00:02 surajssd