Tetrate Istio Subscription, Version: Next

TIS0105 - Specified Service Account Cannot Be Found for Principal

The specified Service Account cannot be found for this principal.

Recommendation: Ensure Specified Service Accounts Exist and are Correctly Referenced

To ensure policies are effective, make sure that the referenced Service Accounts exist in the specified namespace and are correctly formatted. This prevents misconfigurations that could lead to unintended behavior.

Examples

  1. AuthorizationPolicy with Non-Existent Service Account

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: service-account-auth-policy
      namespace: example-namespace
    spec:
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/example-namespace/sa/non-existent-service-account"]

    Explanation: The AuthorizationPolicy references the Service Account non-existent-service-account in example-namespace, but no such Service Account exists, so the rule never matches any request and is ineffective.

  2. PeerAuthentication with Incorrect Service Account Format

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: incorrect-service-account-peer-auth
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-service
      mtls:
        mode: STRICT
      portLevelMtls:
        8080:
          clientCertificate: "/var/run/secrets/kubernetes.io/serviceaccount/non-existent-service-account"

    Explanation: The Service Account specified for the clientCertificate field does not exist or is incorrectly referenced, causing issues with mTLS communication.

Recommendation

Correct the principal to refer to an existing Service Account, ensuring it is in the correct format and free of typographical errors.

  1. Specify an Existing Service Account

    Update the principal in the policy to refer to an existing Service Account in the correct format.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: service-account-auth-policy
      namespace: example-namespace
    spec:
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/example-namespace/sa/existing-service-account"]

  2. Create the Missing Service Account

    If the Service Account is intended to exist, create it before applying the policy.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: non-existent-service-account
      namespace: example-namespace

  3. Ensure Correct Service Account Format

    Verify that the Service Account is referenced in the correct format: cluster.local/ns/<namespace>/sa/<service-account-name>. Here cluster.local is the default trust domain; if your mesh uses a different trust domain, the principal must start with that domain instead.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: service-account-auth-policy
      namespace: example-namespace
    spec:
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/example-namespace/sa/existing-service-account"]
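The two conditions this check describes (correct principal format, and the referenced Service Account actually existing in the named namespace) can be verified before a policy is applied. The following is an added example, not Tetrate's or Istio's own validator: it takes an AuthorizationPolicy as the object a YAML loader would return and a constructed inventory of Service Accounts standing in for what `kubectl get serviceaccounts -A` would list.

```python
import re

# Istio identifies a workload by the SPIFFE-style principal
#   <trust-domain>/ns/<namespace>/sa/<service-account-name>
PRINCIPAL_RE = re.compile(r"^(?P<td>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")

def parse_principal(principal):
    """Return (trust_domain, namespace, service_account), or None if malformed."""
    m = PRINCIPAL_RE.match(principal)
    return (m.group("td"), m.group("ns"), m.group("sa")) if m else None

def check_policy(policy, existing_sas, trust_domain="cluster.local"):
    """Return (principal, problem) pairs for each principal in an AuthorizationPolicy
    that is malformed, uses another trust domain, or names a Service Account missing
    from `existing_sas` (a set of (namespace, name) tuples)."""
    findings = []
    for rule in policy.get("spec", {}).get("rules", []):
        for src in rule.get("from", []):
            for principal in src.get("source", {}).get("principals", []):
                if principal == "*":
                    continue  # "any authenticated identity"; nothing to look up
                parsed = parse_principal(principal)
                if parsed is None:
                    findings.append((principal, "malformed principal; expected "
                                     f"{trust_domain}/ns/<namespace>/sa/<service-account-name>"))
                    continue
                td, ns, sa = parsed
                if td != trust_domain:
                    findings.append((principal, f"unexpected trust domain {td!r}"))
                elif "*" in sa:
                    pass  # wildcard name: existence cannot be checked statically
                elif (ns, sa) not in existing_sas:
                    findings.append((principal, f"TIS0105: Service Account {sa!r} "
                                     f"not found in namespace {ns!r}"))
    return findings

# Constructed inventory of Service Accounts present in the cluster.
EXISTING_SAS = {("example-namespace", "existing-service-account"),
                ("example-namespace", "default")}

# The page's first example as a parsed object, plus one constructed wrong-format entry.
BAD_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "service-account-auth-policy", "namespace": "example-namespace"},
    "spec": {"rules": [{"from": [{"source": {"principals": [
        "cluster.local/ns/example-namespace/sa/non-existent-service-account",
        "example-namespace/existing-service-account",  # constructed: missing /ns/ and /sa/
        "cluster.local/ns/example-namespace/sa/existing-service-account",
    ]}}]}]},
}

if __name__ == "__main__":
    for principal, problem in check_policy(BAD_POLICY, EXISTING_SAS):
        print(f"{principal}: {problem}")
```

Running it reports the non-existent Service Account as a TIS0105 finding and the wrong-format entry as malformed, while the correctly referenced existing Service Account passes.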