Merge pull request #13521 from presztak/update_istio_addon_yaml

Update istio addon YAML

deploy/addons/istio-provisioner/istio-operator.yaml.tmpl

@@ -16,6 +16,8 @@ metadata:
     kubernetes.io/minikube-addons: istio
     addonmanager.kubernetes.io/mode: EnsureExists
 spec:
+  conversion:
+    strategy: None
   group: install.istio.io
   names:
     kind: IstioOperator
@@ -24,13 +26,18 @@ spec:
     singular: istiooperator
     shortNames:
     - iop
+    - io
   scope: Namespaced
-  subresources:
-    status: {}
   versions:
   - name: v1alpha1
     served: true
     storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
 ...
 ---
 apiVersion: v1
@@ -77,12 +84,6 @@ rules:
   - '*'
   verbs:
   - '*'
-- apiGroups:
-  - rbac.istio.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
 - apiGroups:
   - security.istio.io
   resources:
@@ -111,9 +112,7 @@ rules:
   - daemonsets
   - deployments
   - deployments/finalizers
-  - ingresses
   - replicasets
-  - statefulsets
   verbs:
   - '*'
 - apiGroups:
@@ -129,6 +128,7 @@ rules:
   verbs:
   - get
   - create
+  - update
 - apiGroups:
   - policy
   resources:
@@ -144,18 +144,28 @@ rules:
   - rolebindings
   verbs:
   - '*'
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - create
+  - update
 - apiGroups:
   - ""
   resources:
-  - configmaps  
+  - configmaps
   - endpoints
   - events
   - namespaces
   - pods
+  - pods/proxy
+  - pods/portforward
   - persistentvolumeclaims
   - secrets
   - services
-  - serviceaccounts  
+  - serviceaccounts
   verbs:
   - '*'
 ...
@@ -191,6 +201,7 @@ spec:
   - name: http-metrics
     port: 8383
     targetPort: 8383
+    protocol: TCP
   selector:
     name: istio-operator
 ...
@@ -202,7 +213,7 @@ metadata:
   name: istio-operator
   labels:
     kubernetes.io/minikube-addons: istio
-    addonmanager.kubernetes.io/mode: Reconcile 
+    addonmanager.kubernetes.io/mode: Reconcile
 spec:
   replicas: 1
   selector:
@@ -222,6 +233,16 @@ spec:
           command:
           - operator
           - server
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1337
+            runAsUser: 1337
+            runAsNonRoot: true
           imagePullPolicy: IfNotPresent
           resources:
             limits:
@@ -243,4 +264,6 @@ spec:
                   fieldPath: metadata.name
             - name: OPERATOR_NAME
               value: "istio-operator"
+            - name: WAIT_FOR_RESOURCES_TIMEOUT
+              value: "300s"
 ...

pkg/minikube/assets/addons.go

@@ -254,7 +254,7 @@ var Addons = map[string]*Addon{
 			"istio-operator.yaml",
 			"0640"),
 	}, false, "istio-provisioner", "third-party (istio)", map[string]string{
-		"IstioOperator": "istio/operator:1.5.0@sha256:25a6398ed4996a5313767ceb63768d503c266f63506ad3074b30eef6b5b5167e",
+		"IstioOperator": "istio/operator:1.12.2@sha256:42c7609872882cb88728a1592561b4046dac6d05b6002cbdc815b84c86a24f08",
 	}, nil),
 	"istio": NewAddon([]*BinAsset{
 		MustBinAsset(addons.IstioAssets,