RealTheory runs as a service account in your Kubernetes cluster. By default, the RealTheory Collector has read-only RBAC permissions for a limited set of API groups. If your environment uses non-standard API groups such as the networking.istio.io network group, Kubernetes will deny access requests from the RealTheory Collector and generate an audit event for each failed request. These events typically appear as Forbidden errors in logs and audit records and indicate that access was blocked due to insufficient permissions.
…cannot list resource \"sidecars\" in API group \"networking.istio.io\" in the namespace…
To augment the RBAC permissions of the RealTheory Collector, you must add a ClusterRole rule to the ClusterRole section of the RealTheory deployment manifest.
```yaml
# The cluster role grants read only access to key API groups.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: object-reader
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: [get, watch, list]
- apiGroups: [apps]
  resources: ["*"]
  verbs: [get, watch, list]
- apiGroups: [metrics.k8s.io]
  resources: ["*"]
  verbs: [get, watch, list]
- apiGroups: [storage.k8s.io]
  resources: ["*"]
  verbs: [get, watch, list]
- apiGroups: [apiextensions.k8s.io]
  resources: ["*"]
  verbs: [get, watch, list]
```
```yaml
- apiGroups: [networking.istio.io]
  resources: ["*"]
  verbs: [get, watch, list]
```
```bash
kubectl apply -f <filename.yaml>
```
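The following is an added example, not part of the RealTheory documentation or code: it reads Forbidden messages of the kind quoted above and emits only the read-only ClusterRole rules needed to cover them. It names the denied resources instead of using `"*"` (a narrower choice than the manifest's), and the service account name and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Kubernetes authorizer denial text; quotes may be JSON-escaped (\") in audit logs.
DENIED = re.compile(
    r'cannot (?P<verb>\w+) resource \\?"(?P<resource>[^"\\]+)\\?" '
    r'in API group \\?"(?P<group>[^"\\]*)\\?"'
)

# The Collector is read-only, so only these verbs are ever granted.
READ_VERBS = {"get", "watch", "list"}


def missing_read_rules(lines):
    """Return {api_group: sorted resources} for denied read-only requests."""
    denied = defaultdict(set)
    for line in lines:
        m = DENIED.search(line)
        # A denied write (create, delete, ...) is left denied, not turned into a rule.
        if m and m.group("verb") in READ_VERBS:
            denied[m.group("group")].add(m.group("resource"))
    return {group: sorted(res) for group, res in sorted(denied.items())}


def render_rules(denied):
    """Render rule entries in the flow-style YAML used by the manifest."""
    out = []
    for group, resources in denied.items():
        out.append(f'- apiGroups: ["{group}"]')
        out.append("  resources: [" + ", ".join(f'"{r}"' for r in resources) + "]")
        out.append("  verbs: [get, watch, list]")
    return "\n".join(out)


# Constructed sample lines; the service account name is a placeholder.
SA = "system:serviceaccount:example-ns:example-collector"
SAMPLE = [
    rf'User \"{SA}\" cannot list resource \"sidecars\" '
    r'in API group \"networking.istio.io\" in the namespace \"default\"',
    f'User "{SA}" cannot watch resource "virtualservices" '
    'in API group "networking.istio.io" at the cluster scope',
    f'User "{SA}" cannot create resource "secrets" in API group "" '
    'in the namespace "default"',
]

if __name__ == "__main__":
    print(render_rules(missing_read_rules(SAMPLE)))
```

Review the generated rules before adding them to the ClusterRole section and applying the manifest.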