RBAC

Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding objects.

A ServiceRole specification includes a list of rules (permissions). Each rule has the following standard fields:

  • services: a list of services.
  • methods: HTTP methods. In the case of gRPC, this field is ignored because the value is always “POST”.
  • paths: HTTP paths or gRPC methods. Note that gRPC methods should be presented in the form of “/packageName.serviceName/methodName” and are case sensitive.

In addition to the standard fields, operators can also use custom keys in the constraints field, the supported keys are listed in the “constraints and properties” page.

Below is an example of ServiceRole object “product-viewer”, which has “read” (“GET” and “HEAD”) access to “products.svc.cluster.local” service at versions “v1” and “v2”. “path” is not specified, so it applies to any path in the service.

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: products-viewer
  namespace: default
spec:
  rules:
  - services: ["products.svc.cluster.local"]
    methods: ["GET", "HEAD"]
    constraints:
    - key: "destination.labels[version]"
      value: ["v1", "v2"]

A ServiceRoleBinding specification includes two parts:

  • The roleRef field that refers to a ServiceRole object in the same namespace.
  • A list of subjects that are assigned the roles.

In addition to a simple user field, operators can also use custom keys in the properties field, the supported keys are listed in the “constraints and properties” page.

Below is an example of ServiceRoleBinding object “test-binding-products”, which binds two subjects to ServiceRole “product-viewer”:

  • User “alice@yahoo.com”
  • Services in “abc” namespace.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: test-binding-products
  namespace: default
spec:
  subjects:
  - user: alice@yahoo.com
  - properties:
      source.namespace: "abc"
  roleRef:
    kind: ServiceRole
    name: "products-viewer"

AccessRule

AccessRule defines a permission to access a list of services.

FieldTypeDescription
servicesstring[]

Required. A list of service names. Exact match, prefix match, and suffix match are supported for service names. For example, the service name “bookstore.mtv.cluster.local” matches “bookstore.mtv.cluster.local” (exact match), or “bookstore” (prefix match), or “.mtv.cluster.local” (suffix match). If set to [“*”], it refers to all services in the namespace.

pathsstring[]

Optional. A list of HTTP paths or gRPC methods. gRPC methods must be presented as fully-qualified name in the form of “/packageName.serviceName/methodName” and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path “/books/review” matches “/books/review” (exact match), or “/books/” (prefix match), or “/review” (suffix match). If not specified, it applies to any path.

methodsstring[]

Optional. A list of HTTP methods (e.g., “GET”, “POST”). It is ignored in gRPC case because the value is always “POST”. If set to [“*”] or not specified, it applies to any method.

constraintsAccessRule.Constraint[]

Optional. Extra constraints in the ServiceRole specification. The above ServiceRole example shows an example of constraint “version”.

AccessRule.Constraint

Definition of a custom constraint. The supported keys are listed in the “constraint and properties” page.

FieldTypeDescription
keystring

Key of the constraint.

valuesstring[]

List of valid values for the constraint. Exact match, prefix match, and suffix match are supported for constraint values. For example, the value “v1alpha2” matches “v1alpha2” (exact match), or “v1” (prefix match), or “alpha2” (suffix match).

RbacConfig

RbacConfig defines the global config to control Istio RBAC behavior. This Custom Resource is a singleton where only one Custom Resource should be created globally in the mesh and the namespace should be the same to other Istio components, which usually is istio-system. Note: This is enforced in both istioctl and server side, new Custom Resource will be rejected if found any existing one, the user should either delete the existing one or change the existing one directly.

Below is an example of RbacConfig object “istio-rbac-config” which enables Istio RBAC for all services in the default namespace.

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: [ "default" ]
FieldTypeDescription
modeRbacConfig.Mode

Istio RBAC mode.

inclusionRbacConfig.Target

A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have effect only when mode is ONWITHINCLUSION and will be ignored for any other modes.

exclusionRbacConfig.Target

A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have effect only when mode is ONWITHEXCLUSION and will be ignored for any other modes.

RbacConfig.Mode

NameDescription
OFF

Disable Istio RBAC completely, any other config in RbacConfig will be ignored and Istio RBAC policies will not be enforced.

ON

Enable Istio RBAC for all services and namespaces.

ON_WITH_INCLUSION

Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies.

ON_WITH_EXCLUSION

Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other services and namespaces not in the exclusion field will be enforced by Istio RBAC policies.

RbacConfig.Target

Target defines a list of services or namespaces.

FieldTypeDescription
servicesstring[]

A list of services.

namespacesstring[]

A list of namespaces.

RoleRef

RoleRef refers to a role object.

FieldTypeDescription
kindstring

Required. The type of the role being referenced. Currently, “ServiceRole” is the only supported value for “kind”.

namestring

Required. The name of the ServiceRole object being referenced. The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.

ServiceRole

ServiceRole specification contains a list of access rules (permissions). This represent the “Spec” part of the ServiceRole object. The name and namespace of the ServiceRole is specified in “metadata” section of the ServiceRole object.

FieldTypeDescription
rulesAccessRule[]

Required. The set of access rules (permissions) that the role has.

ServiceRoleBinding

ServiceRoleBinding assigns a ServiceRole to a list of subjects. This represents the “Spec” part of the ServiceRoleBinding object. The name and namespace of the ServiceRoleBinding is specified in “metadata” section of the ServiceRoleBinding object.

FieldTypeDescription
subjectsSubject[]

Required. List of subjects that are assigned the ServiceRole object.

roleRefRoleRef

Required. Reference to the ServiceRole object.

Subject

Subject defines an identity. The identity is either a user or identified by a set of properties. The supported keys in properties are listed in “constraint and properties” page.

FieldTypeDescription
userstring

Optional. The user name/ID that the subject represents.

propertiesmap<string, string>

Optional. The set of properties that identify the subject. The above ServiceRoleBinding example shows an example of property “source.namespace”.