Consul connect-inject ACL issue

Installing consul 1.10.0 and consul-k8s-control-plane 0.33.0 with the official HashiCorp helm chart on Kubernetes v1.21.2-eks-0389ca3 gives the following error in the connect-inject init container:

Unable to get Agent services: error=“Unexpected response code: 403 (ACL not found)”

manageSystemACLs is set to true

As far as I understand this should be enough to get proxying between services to work. Consul 1.9.4 with consul-k8s 0.25.0 on v1.19.13-eks-8df270 does work with this setting.

Sounds similar to consul-connect-inject-init failing · Issue #625 · hashicorp/consul-k8s · GitHub

According to that issue, it looks like the person that filed the issue didn’t configure a service account:

By default when ACLs are enabled or when ACLs default policy is allow, Consul will automatically configure proxies with all upstreams from the same datacenter. When ACLs are enabled with default deny policy, you must supply an intention to tell Consul which upstream you need to talk to. (ref)