Istio Virtualservice creation access denied

Question

I am trying to create an Istio Virtualservice. However, I am getting the below error, despite me having the cluster-admin role bound to.

UPGRADE FAILED: could not get information about the resource: virtualservices.networking.istio.io "admin-ui" is forbidden: User "vaish@admin" cannot get resource "virtualservices" in API group "networking.istio.io" in the namespace "onboarding"

I also tried to create a new Clusterrole as below and create a binding to my user, which also does not yield any result.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:  
  name: istio-editor-role
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["config.istio.io", "networking.istio.io", "rbac.istio.io", "authentication.istio.io", "security.istio.io"]
  resources: ["virtualservices"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"

 kubectl create clusterrolebinding istio-editor-binding --clusterrole=istio-editor-role --user=vaish@admin

Answer 1

I had the same problem but I want only to be able to deploy Virtual Services by Helm, no other Istio objects. So I made following ClusterRole and ClusterRoleBinding.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: virtualServiceEditor
rules:
  - apiGroups: ["networking.istio.io"]
    resources: ["virtualservices"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkinsVS
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: virtualServiceEditor

Answer 2

The solution was to add the user to the cluster-admin role