istio: Upgrade Istio version and stop using deprecated Istio RBAC policy #1551

Closed
thesuperzapper opened this issue Sep 11, 2020 · 12 comments

@thesuperzapper
Member

We really need to remove our dependency on these resources, as they are removed in Istio 1.6:

  • ClusterRbacConfig
    • found in: ./istio/istio/base
  • ServiceRole
    • found in: ./istio-1-3-1/istio-install-1-3-1/base
  • ServiceRoleBinding
    • found in: ./istio-1-3-1/istio-install-1-3-1/base

Also note: there is an unused folder stacks/kubeflow/application/istio in most of the provider stacks.

For example, we don't target it in: kfctl_k8s_istio.v1.1.0.yaml, kfctl_istio_dex.v1.1.0.yaml

This is good, because it currently sets clusterRbacConfig=ON which is not valid and would need to be clusterRbacConfig=ON_WITH_EXCLUSION.
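
As an added example (not part of the original issue or the kubeflow/manifests repository), a standard-library Python scanner that reports manifests still declaring the three removed kinds listed above. The `rbac.istio.io` group name is not stated in the issue and is supplied here; the sample manifest is constructed.

```python
import re
import sys
from pathlib import Path

# Kinds named in the issue; they belong to the rbac.istio.io/v1alpha1 API
# (group name supplied by this example, not quoted from the issue).
REMOVED_KINDS = {"ClusterRbacConfig", "ServiceRole", "ServiceRoleBinding"}
REMOVED_GROUP = "rbac.istio.io"

# Match only unindented keys so nested "kind:" fields (for example a roleRef)
# are not mistaken for the resource's own kind.
_TOP_KEY = re.compile(r"^(apiVersion|kind):[ \t]*['\"]?([^\s'\"#]+)", re.M)
_DOC_SEP = re.compile(r"^---[ \t]*$", re.M)

def find_removed(text):
    """Return [(doc_index, apiVersion, kind)] for removed Istio RBAC resources."""
    hits = []
    for i, doc in enumerate(_DOC_SEP.split(text)):
        keys = dict(_TOP_KEY.findall(doc))
        api, kind = keys.get("apiVersion", ""), keys.get("kind", "")
        if api.split("/")[0] == REMOVED_GROUP and kind in REMOVED_KINDS:
            hits.append((i, api, kind))
    return hits

def scan_tree(root):
    """Scan *.yaml / *.yml files under root; return {path: hits} for matches."""
    report = {}
    for path in sorted(Path(root).rglob("*.y*ml")):
        hits = find_removed(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample manifest (not taken from the kubeflow/manifests repo).
SAMPLE = """\
apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: ON_WITH_EXCLUSION
---
apiVersion: v1
kind: Service
"""

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for idx, api, kind in hits:
            print(f"{path}: document {idx}: {api} {kind}")
```

Run it against a manifests checkout before targeting a cluster with Istio 1.6 or later; an empty result means none of the scanned files declare these kinds at the top level.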

@issue-label-bot

Issue-Label Bot is automatically applying the labels:

Label Probability
kind/bug 0.56
area/istio 0.78


@thesuperzapper
Member Author

People who might be interested: @krishnadurai @lluunn @swiftdiaries

This is an important issue, as we will start seeing more and more users with Istio 1.6 already installed on their K8S, which will mean they are unable to install Kubeflow.

@swiftdiaries
Member

I think going forward from Istio 1.6, we might possibly look at updating just the Istio-related manifests (post-Istio install ones). I'm seeing users installing Istio with istioctl or the operator. And considering the divergence with the networking setup across different providers/clusters and the associated Istio installation process, we won't be able to support every variation.

I'm thinking an istio/istio-1-6-1 directory that would hold all the manifests to be installed post-Istio installation would work.

@jtfogarty

/priority p1

@connorlwilkes

Yes, this would be very useful for my use case. Profile Controller also has this issue in that it uses the v1alpha1 RBAC Istio API that is removed in 1.6+ (see kubeflow/kubeflow#5301).

@thesuperzapper
Member Author

This is extremely relevant to the discussion about separating non-Kubeflow manifests (like Istio) into the responsibility of 'distributions'.

See the discussion in Issue: #1554

@stale

stale bot commented Dec 18, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in one week if no further activity occurs. Thank you for your contributions.

@thesuperzapper
Member Author

Bump

@stale stale bot removed the lifecycle/stale label Dec 18, 2020
@yanniszark
Contributor

yanniszark commented Jan 12, 2021

Will be tackled as part of wg-manifests work for v1.3: https://github.com/kubeflow/community/tree/master/wg-manifests
In this case, I believe upgrading the Istio manifests would address the issue.

@yanniszark yanniszark changed the title stop using deprecated isito RBAC policy stop using deprecated Istio RBAC policy Jan 12, 2021
@yanniszark yanniszark changed the title stop using deprecated Istio RBAC policy istio: Upgrade Istio version and stop using deprecated Istio RBAC policy Jan 12, 2021
@stale

stale bot commented Jun 4, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in one week if no further activity occurs. Thank you for your contributions.

@stale stale bot added the lifecycle/stale label Jun 4, 2021
@thesuperzapper
Member Author

This issue was resolved by #1778
/close

@stale stale bot removed the lifecycle/stale label Jun 11, 2021
@google-oss-robot

@thesuperzapper: Closing this issue.

In response to this:

This issue was resolved by #1778
/close

