TIS0105 - Specified Service Account Cannot Be Found for Principal
The specified Service Account cannot be found for this principal.
To keep policies effective, make sure every Service Account a principal refers to exists in the named namespace and is written in the form `<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>` (`cluster.local` is the default trust domain). A rule whose principal can never match is ineffective, and the consequence depends on the policy action: in an ALLOW policy the intended caller is rejected; in a DENY policy the deny never fires and the caller it was meant to block is admitted.
Examples

- AuthorizationPolicy with a Non-Existent Service Account

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: AuthorizationPolicy
  metadata:
    name: service-account-auth-policy
    namespace: example-namespace
  spec:
    rules:
    - from:
      - source:
          principals: ["cluster.local/ns/example-namespace/sa/non-existent-service-account"]
  ```

  Explanation: The AuthorizationPolicy references the Service Account non-existent-service-account in example-namespace, but no such Service Account exists. No workload can present that identity, so the rule never matches. Because the policy sets no action, it is an ALLOW policy, and the caller it was meant to admit is rejected instead.
- AuthorizationPolicy with an Incorrectly Formatted Principal

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: AuthorizationPolicy
  metadata:
    name: incorrect-principal-format-policy
    namespace: example-namespace
  spec:
    selector:
      matchLabels:
        app: my-service
    rules:
    - from:
      - source:
          principals: ["cluster.local/ns/example-namespace/existing-service-account"]
  ```

  Explanation: The principal omits the `sa/` segment, so it does not match the identity form `<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>` that Istio derives from the workload certificate. Even though existing-service-account exists, no certificate carries this string and the rule never matches. Note that principal checks belong in AuthorizationPolicy: PeerAuthentication only selects the mTLS mode (`mtls.mode` and `portLevelMtls.<port>.mode`) and has no field that refers to a Service Account.
Recommendation
Correct the principal to refer to an existing Service Account, ensuring it is in the correct format and free of typographical errors.
- Specify an Existing Service Account

  Update the principal in the policy to refer to an existing Service Account in the correct format. Confirm the account is present first, for example with `kubectl get serviceaccount existing-service-account -n example-namespace`.

  ```yaml
  apiVersion: security.istio.io/v1beta1
  kind: AuthorizationPolicy
  metadata:
    name: service-account-auth-policy
    namespace: example-namespace
  spec:
    rules:
    - from:
      - source:
          principals: ["cluster.local/ns/example-namespace/sa/existing-service-account"]
  ```

- Create the Missing Service Account

  If the Service Account is intended to exist, create it before applying the policy, in the namespace the principal names.

  ```yaml
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: non-existent-service-account
    namespace: example-namespace
  ```

- Ensure Correct Service Account Format

  Verify that every principal is written as cluster.local/ns/<namespace>/sa/<service-account-name>, with all four path segments present (trust domain, `ns/<namespace>`, `sa/<name>`). Replace cluster.local with your mesh's trust domain if meshConfig.trustDomain has been changed from the default. The corrected policy under the first recommendation shows the form.
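As an added check (example code written for this page, not part of the Istio or Tetrate tooling), the following script applies the TIS0105 rule offline to the `kind: List` JSON that `kubectl get authorizationpolicies -A -o json` and `kubectl get serviceaccounts -A -o json` produce. The sample documents embedded in it are constructed for the example and mirror the cases above: a missing account, a malformed principal, a DENY rule with a typo in the account name, and a valid policy that also uses a wildcard. The function names are this example's own.

```python
"""Offline TIS0105 check: do AuthorizationPolicy principals resolve to real ServiceAccounts?

Added example for this page, not Istio or Tetrate code. Input is the `kind: List`
JSON that `kubectl get authorizationpolicies -A -o json` and
`kubectl get serviceaccounts -A -o json` emit; the samples below are constructed.
"""
import json
import re

# Istio principal form: <TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>
PRINCIPAL_RE = re.compile(r"^(?P<td>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")

# Constructed sample policies (same shapes as the examples for this rule).
POLICIES_JSON = """
{"apiVersion": "v1", "kind": "List", "items": [
  {"kind": "AuthorizationPolicy",
   "metadata": {"name": "service-account-auth-policy", "namespace": "example-namespace"},
   "spec": {"rules": [{"from": [{"source": {"principals":
     ["cluster.local/ns/example-namespace/sa/non-existent-service-account"]}}]}]}},
  {"kind": "AuthorizationPolicy",
   "metadata": {"name": "incorrect-principal-format-policy", "namespace": "example-namespace"},
   "spec": {"rules": [{"from": [{"source": {"principals":
     ["cluster.local/ns/example-namespace/existing-service-account"]}}]}]}},
  {"kind": "AuthorizationPolicy",
   "metadata": {"name": "deny-batch-jobs", "namespace": "example-namespace"},
   "spec": {"action": "DENY", "rules": [{"from": [{"source": {"principals":
     ["cluster.local/ns/batch/sa/batch-runer"]}}]}]}},
  {"kind": "AuthorizationPolicy",
   "metadata": {"name": "valid-policy", "namespace": "example-namespace"},
   "spec": {"rules": [{"from": [{"source": {"principals":
     ["cluster.local/ns/example-namespace/sa/existing-service-account",
      "cluster.local/ns/example-namespace/sa/*"]}}]}]}}
]}
"""

# Constructed sample inventory of ServiceAccounts.
SERVICE_ACCOUNTS_JSON = """
{"apiVersion": "v1", "kind": "List", "items": [
  {"kind": "ServiceAccount",
   "metadata": {"name": "existing-service-account", "namespace": "example-namespace"}},
  {"kind": "ServiceAccount",
   "metadata": {"name": "batch-runner", "namespace": "batch"}}
]}
"""


def service_account_inventory(sa_list):
    """Set of (namespace, name) for every ServiceAccount in a kubectl List."""
    return {(i["metadata"]["namespace"], i["metadata"]["name"]) for i in sa_list["items"]}


def referenced_principals(policy):
    """Every principal string a policy's rules name, in principals or notPrincipals."""
    for rule in policy.get("spec", {}).get("rules", []):
        for frm in rule.get("from", []):
            source = frm.get("source", {})
            yield from source.get("principals", []) + source.get("notPrincipals", [])


def impact(action):
    """What an unmatchable rule does, which depends on the policy action."""
    if action == "ALLOW":
        return "intended caller is rejected"            # fail closed
    if action == "DENY":
        return "deny never fires; caller is admitted"   # fail open
    return "rule never matches"


def check_policies(policy_list, inventory):
    """Return (ns, policy, principal, problem, effect) for each unresolvable principal."""
    findings = []
    for policy in policy_list["items"]:
        ns, name = policy["metadata"]["namespace"], policy["metadata"]["name"]
        action = policy.get("spec", {}).get("action", "ALLOW")  # ALLOW is the default
        for principal in referenced_principals(policy):
            if "*" in principal:
                continue  # prefix/suffix wildcard: not resolvable to a single account
            match = PRINCIPAL_RE.match(principal)
            if match is None:
                findings.append((ns, name, principal, "malformed", impact(action)))
            elif (match["ns"], match["sa"]) not in inventory:
                findings.append((ns, name, principal, "missing", impact(action)))
    return findings


def run(policies_json=POLICIES_JSON, service_accounts_json=SERVICE_ACCOUNTS_JSON):
    """Load both documents and report every TIS0105 finding."""
    inventory = service_account_inventory(json.loads(service_accounts_json))
    return check_policies(json.loads(policies_json), inventory)


if __name__ == "__main__":
    for ns, name, principal, problem, effect in run():
        print(f"TIS0105 {ns}/{name}: {problem} principal {principal!r} ({effect})")
```

Against the sample it reports three findings and stays silent on the valid policy. The `deny-batch-jobs` case is the one to watch in a real cluster: a one-letter typo in a DENY principal silently admits the traffic the rule was written to block. The check deliberately skips wildcard principals and does not validate the trust-domain segment against `meshConfig.trustDomain`, so multi-trust-domain meshes need that extra comparison.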