diff --git a/deploy/addons/istio-provisioner/istio-operator.yaml.tmpl b/deploy/addons/istio-provisioner/istio-operator.yaml.tmpl index 2ac8a34890..270c737527 100644 --- a/deploy/addons/istio-provisioner/istio-operator.yaml.tmpl +++ b/deploy/addons/istio-provisioner/istio-operator.yaml.tmpl @@ -16,6 +16,8 @@ metadata: kubernetes.io/minikube-addons: istio addonmanager.kubernetes.io/mode: EnsureExists spec: + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator @@ -24,13 +26,18 @@ spec: singular: istiooperator shortNames: - iop + - io scope: Namespaced - subresources: - status: {} versions: - name: v1alpha1 served: true storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true ... --- apiVersion: v1 @@ -77,12 +84,6 @@ rules: - '*' verbs: - '*' -- apiGroups: - - rbac.istio.io - resources: - - '*' - verbs: - - '*' - apiGroups: - security.istio.io resources: @@ -111,9 +112,7 @@ rules: - daemonsets - deployments - deployments/finalizers - - ingresses - replicasets - - statefulsets verbs: - '*' - apiGroups: @@ -129,6 +128,7 @@ rules: verbs: - get - create + - update - apiGroups: - policy resources: @@ -144,18 +144,28 @@ rules: - rolebindings verbs: - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update - apiGroups: - "" resources: - - configmaps + - configmaps - endpoints - events - namespaces - pods + - pods/proxy + - pods/portforward - persistentvolumeclaims - secrets - services - - serviceaccounts + - serviceaccounts verbs: - '*' ... @@ -191,6 +201,7 @@ spec: - name: http-metrics port: 8383 targetPort: 8383 + protocol: TCP selector: name: istio-operator ... @@ -202,7 +213,7 @@ metadata: name: istio-operator labels: kubernetes.io/minikube-addons: istio - addonmanager.kubernetes.io/mode: Reconcile + addonmanager.kubernetes.io/mode: Reconcile spec: replicas: 1 selector: 
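Review bot: In the `@@ -24,13 +26,18 @@` hunk the new `openAPIV3Schema` is only `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server neither validates nor prunes any field of an IstioOperator object. Whatever a user with create rights on this resource writes is passed on unchanged to whatever consumes it, presumably the operator, and the RBAC hunks later in this file grant wildcard verbs on core resources. If the open schema is deliberate, say so beside it, for example `# open schema: the API server does not validate or prune IstioOperator fields`. The CRD's `spec` begins before this hunk, so its apiVersion is not visible here.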
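Review bot: In the `@@ -144,18 +144,28 @@` hunk `pods/proxy` and `pods/portforward` are appended to the core-group rule whose verbs are `'*'`, the same rule that already covers `secrets`. These two subresources give the holder a network path into every pod the role reaches, so they are better placed in a rule of their own listing only the verbs the operator uses, as the new `coordination.k8s.io` `leases` rule does with `get`, `create`, `update`. Which verbs are needed is not visible in this diff; until that is confirmed, a comment such as `# pods/proxy, pods/portforward: inherit verbs '*' from this rule` would at least make the grant explicit. The rule list starts before the hunk, so whether this is a Role or a ClusterRole cannot be told from here.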
@@ -222,6 +233,16 @@ spec: command: - operator - server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true imagePullPolicy: IfNotPresent resources: limits: @@ -243,4 +264,6 @@ spec: fieldPath: metadata.name - name: OPERATOR_NAME value: "istio-operator" + - name: WAIT_FOR_RESOURCES_TIMEOUT + value: "300s" ... diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go index d97fc1fd4d..40464b9736 100755 --- a/pkg/minikube/assets/addons.go +++ b/pkg/minikube/assets/addons.go @@ -254,7 +254,7 @@ var Addons = map[string]*Addon{ "istio-operator.yaml", "0640"), }, false, "istio-provisioner", "third-party (istio)", map[string]string{ - "IstioOperator": "istio/operator:1.5.0@sha256:25a6398ed4996a5313767ceb63768d503c266f63506ad3074b30eef6b5b5167e", + "IstioOperator": "istio/operator:1.12.2@sha256:42c7609872882cb88728a1592561b4046dac6d05b6002cbdc815b84c86a24f08", }, nil), "istio": NewAddon([]*BinAsset{ MustBinAsset(addons.IstioAssets,
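Review bot: The container `securityContext` added in the `@@ -222,6 +233,16 @@` hunk sets no `seccompProfile`, so syscall filtering is left to whatever the node's runtime applies by default, which may be none. Adding `seccompProfile:` with `type: RuntimeDefault` under the same `securityContext` would close that gap; the field needs a Kubernetes version that supports it, so check it against the oldest version this addon has to run on. Separately, `readOnlyRootFilesystem: true` is set and no writable volume mount is visible in this hunk, so if the operator writes scratch files it will need an `emptyDir` mount. The container spec continues outside the hunk.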