我的书签
添加书签
移除书签RBAC
A ServiceRole specification includes a list of rules (permissions). Each rule hasthe following standard fields:
- methods: A list of HTTP methods. You can set the value to to include all HTTP methods.This field should not be set for TCP services. The policy will be ignored.For gRPC services, only
POSTis allowed; other methods will result in denying services. - paths: HTTP paths or gRPC methods. Note that gRPC methods should bepresented in the form of “/packageName.serviceName/methodName” and are case sensitive.In addition to the standard fields, operators can also use custom keys in the
constraintsfield,the supported keys are listed in the “constraints and properties” page.
Below is an example of ServiceRole object “product-viewer”, which has “read” (“GET” and “HEAD”)access to “products.svc.cluster.local” service at versions “v1” and “v2”. “path” is not specified,so it applies to any path in the service.
A ServiceRoleBinding specification includes two parts:
- The
roleReffield that refers to a ServiceRole object in the same namespace. - A list of
subjectsthat are assigned the roles.In addition to a simpleuserfield, operators can also use custom keys in thepropertiesfield,the supported keys are listed in the “constraints and properties” page.
- Services in “abc” namespace.
AccessRule defines a permission to access a list of services.
AccessRule.Constraint
Definition of a custom constraint. The supported keys are listed in the “constraint and properties” page.
| Field | Type | Description | Required |
|---|---|---|---|
key | Key of the constraint. | No | |
values | string[] | List of valid values for the constraint.Exact match, prefix match, and suffix match are supported.For example, the value “v1alpha2” matches “v1alpha2” (exact match),or “v1” (prefix match), or “alpha2” (suffix match). | No |
RbacConfig
RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior.The ClusterRbacConfig Custom Resource is a singleton where only one ClusterRbacConfig should be createdglobally in the mesh and the namespace should be the same to other Istio components, which usually is istio-system.
| Field | Type | Description | Required |
|---|---|---|---|
mode | Mode | Istio RBAC mode. | No |
inclusion | | A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field haveeffect only when mode is ON_WITH_INCLUSION and will be ignored for any other modes. | No |
exclusion | Target | A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field haveeffect only when mode is ON_WITH_EXCLUSION and will be ignored for any other modes. | No |
RbacConfig.Target
Target defines a list of services or namespaces.
| Field | Type | Description | Required |
|---|---|---|---|
services | A list of services. | No | |
namespaces | string[] | A list of namespaces. | No |
RoleRef
RoleRef refers to a role object.
| Field | Type | Description | Required |
|---|---|---|---|
kind | string | The type of the role being referenced.Currently, “ServiceRole” is the only supported value for “kind”. | Yes |
name | string | The name of the ServiceRole object being referenced.The ServiceRole object must be in the same namespace as the ServiceRoleBinding object. | Yes |
ServiceRole specification contains a list of access rules (permissions).
ServiceRoleBinding
| Field | Type | Description | Required |
|---|---|---|---|
subjects | Subject[] | List of subjects that are assigned the ServiceRole object. | Yes |
roleRef | | Reference to the ServiceRole object. | Yes |
Subject
Subject defines an identity. The identity is either a user or identified by a set of properties.The supported keys in properties are listed in “constraint and properties” page.
| Field | Type | Description | Required |
|---|---|---|---|
user | string | Optional. The user name/ID that the subject represents. | No |
map<string, string> | Optional. The set of properties that identify the subject. | No |
