How To Resolve RealTheory Authorization Errors for the networking.istio.io API Group
  • 16 Feb 2025

Background

RealTheory runs under a service account in your Kubernetes cluster. By default, the RealTheory Collector holds read-only RBAC permissions for a limited set of API groups. If your environment uses an API group outside that set, such as Istio's networking.istio.io group, Kubernetes denies the Collector's requests for those resources and records an audit event for each failed request. These events appear as Forbidden errors in logs and audit records and indicate that access was blocked because the Collector's role does not grant the required permission.

Example Audit Record Snippet

…cannot list resource \"sidecars\" in API group \"networking.istio.io\" in the namespace…

Solution

To extend the Collector's RBAC permissions, add a rule for the networking.istio.io API group to the ClusterRole defined in the RealTheory deployment manifest.

Procedure

  1. Locate the original deployment manifest, or regenerate the manifest from the RealTheory console in Settings > Agent > Deployment.

    Important: If you regenerate the manifest, configure each option (the cluster name, the cloud account identifier, the account owner, and the labels) exactly as in the original so that the regenerated manifest stays consistent with the running deployment.

  2. Locate the cluster role grant section of the manifest:

    # The cluster role grants read only access to key API groups.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: object-reader
    rules:
    - apiGroups: [""]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [apps]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [metrics.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [storage.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [apiextensions.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]

  3. Add the following rule to the `rules:` list of that ClusterRole, at the same indentation as the existing rules:

    - apiGroups: [networking.istio.io]
      resources: ["*"]
      verbs: [get, watch, list]

  4. Save your changes.

  5. Re-apply the manifest by running the following command:

    kubectl apply -f <filename.yaml>
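The procedure above fixes one known API group; the audit records themselves tell you which groups and resources are being denied. The following script is an added example (not RealTheory's code) that extracts the denied verb, resource and API group from Kubernetes Forbidden messages such as the snippet above and renders a rule in the manifest's style. It lists the denied resources explicitly instead of the `["*"]` used in step 3, which is the narrower grant; the log lines are constructed samples and the service account name is a placeholder.

```python
import re

# Constructed sample log lines (not from the article) in the Kubernetes Forbidden
# message format: one plain log line and one JSON audit record whose quotes are
# backslash-escaped, as in the snippet above. The service account is a placeholder.
SAMPLE_LOG = [
    'E0216 10:01:02 reflector.go:140: sidecars.networking.istio.io is forbidden: '
    'User "system:serviceaccount:realtheory:collector" cannot list resource '
    '"sidecars" in API group "networking.istio.io" in the namespace "default"',
    '{"responseStatus":{"message":"virtualservices.networking.istio.io is forbidden: '
    'User \\"system:serviceaccount:realtheory:collector\\" cannot watch resource '
    '\\"virtualservices\\" in API group \\"networking.istio.io\\" at the cluster scope"}}',
    'I0216 10:01:03 reflector.go:140: pods synced',  # not a denial; ignored
]

# Matches: cannot <verb> resource "<resource>" in API group "<group>"
# The optional backslash before each quote handles JSON-escaped audit records.
FORBIDDEN_RE = re.compile(
    r'cannot (?P<verb>[a-z]+) resource \\?"(?P<resource>[^"\\]+)\\?"'
    r' in API group \\?"(?P<group>[^"\\]*)\\?"'
)

READ_ONLY_VERBS = ("get", "watch", "list")


def denied_access(log_lines):
    """Map each API group that produced a Forbidden error to {resource: {verbs}}."""
    denied = {}
    for line in log_lines:
        m = FORBIDDEN_RE.search(line)
        if m:
            denied.setdefault(m["group"], {}).setdefault(m["resource"], set()).add(m["verb"])
    return denied


def render_rules(denied):
    """Render one rule per denied API group in the manifest's own list style.

    Resources are listed explicitly rather than as "*", and only get/watch/list are
    granted because the Collector is read-only; any other denied verb is flagged in
    a comment so a human decides whether it belongs in the grant at all.
    """
    out = []
    for group in sorted(denied):
        name = group or '""'  # the core API group is written as [""] in the manifest
        verbs = {v for vs in denied[group].values() for v in vs}
        extra = sorted(verbs - set(READ_ONLY_VERBS))
        if extra:
            out.append(f"# REVIEW: {name} was also denied {', '.join(extra)}; not granted below")
        out.append(f"- apiGroups: [{name}]")
        out.append(f"  resources: [{', '.join(sorted(denied[group]))}]")
        out.append(f"  verbs: [{', '.join(READ_ONLY_VERBS)}]")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_rules(denied_access(SAMPLE_LOG)))
```

After re-applying the manifest, `kubectl auth can-i list sidecars.networking.istio.io --as=system:serviceaccount:<namespace>:<serviceaccount>` (with the Collector's namespace and service account substituted) confirms that the grant took effect without waiting for the next Forbidden event.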
