Istio RBAC doc fix. (#1093)

This commit is contained in:
Limin Wang 2018-03-23 14:55:27 -07:00 committed by GitHub
parent bdaadeefd3
commit 9bcbc3394c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 20 deletions

View File

@ -98,7 +98,8 @@ Here is an example of a simple role "service-admin", which has full access to al
methods: ["*"]
```
Here is another role "products-viewer", which has read ("GET" and "HEAD") access to "products" service in "default" namespace.
Here is another role "products-viewer", which has read ("GET" and "HEAD") access to service "products.default.svc.cluster.local"
in "default" namespace.
```rule
apiVersion: "config.istio.io/v1alpha2"
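Review bot: the rewritten sentence says 'service "products.default.svc.cluster.local" in "default" namespace', which states the namespace twice since the fully qualified name already carries `.default.`; either drop `in "default" namespace` or, better, use this first occurrence to tell the reader that the `services` field is matched against the fully qualified service name, because nothing in this hunk explains why the short form `"products"` was wrong, and a reader who keeps the short form will not get the behaviour the example intends.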
@ -108,7 +109,7 @@ Here is another role "products-viewer", which has read ("GET" and "HEAD") access
namespace: default
spec:
rules:
- services: ["products"]
- services: ["products.default.svc.cluster.local"]
methods: ["GET", "HEAD"]
```
@ -116,7 +117,7 @@ In addition, we support **prefix match** and **suffix match** for all the fields
has the following permissions in "default" namespace:
* Full access to all services with prefix "test-" (e.g, "test-bookstore", "test-performance", "test-api.default.svc.cluster.local").
* Read ("GET") access to all paths with "/reviews" suffix (e.g, "/books/reviews", "/events/booksale/reviews", "/reviews")
in "bookstore" service.
in service "bookstore.default.svc.cluster.local".
```rule
apiVersion: "config.istio.io/v1alpha2"
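Review bot: the prefix-match examples are now inconsistent with the rest of this change: `"test-bookstore"` and `"test-performance"` are short names while `"test-api.default.svc.cluster.local"` is fully qualified, and the sentence directly below was changed to `in service "bookstore.default.svc.cluster.local"`. If `services` is matched against the fully qualified name, rewrite the first two as `"test-bookstore.default.svc.cluster.local"` and `"test-performance.default.svc.cluster.local"`; otherwise the example still suggests that the short form matches.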
@ -128,7 +129,7 @@ in "bookstore" service.
rules:
- services: ["test-*"]
methods: ["*"]
- services: ["bookstore"]
- services: ["bookstore.default.svc.cluster.local"]
paths: ["*/reviews"]
methods: ["GET"]
```
@ -149,7 +150,7 @@ being "v1" or "v2". Note that the "version" property is provided by `"action.pro
namespace: default
spec:
rules:
- services: ["products"]
- services: ["products.default.svc.cluster.local"]
methods: ["GET", "HEAD"]
constraints:
- key: "version"
@ -168,7 +169,7 @@ instance.
Here is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects to ServiceRole "product-viewer":
* user "alice@yahoo.com".
* "reviews" service in "abc" namespace.
* "reviews.abc.svc.cluster.local" service in "abc" namespace.
```rule
apiVersion: "config.istio.io/v1alpha2"
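Review bot: same double statement of the namespace as in the ServiceRole examples, '"reviews.abc.svc.cluster.local" service in "abc" namespace'. Also, the unchanged context line says this binding refers to ServiceRole "product-viewer", while the role defined earlier in this file is named "products-viewer"; since this doc pass is touching the same sentence, fix the role name so the example is copy-pasteable.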
@ -180,7 +181,7 @@ Here is an example of ServiceRoleBinding object "test-binding-products", which b
subjects:
- user: "alice@yahoo.com"
- properties:
service: "reviews"
service: "reviews.abc.svc.cluster.local"
namespace: "abc"
roleRef:
kind: ServiceRole
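Review bot: the subject now carries both `service: "reviews.abc.svc.cluster.local"` and `namespace: "abc"`. With the fully qualified name the namespace is already encoded in the service string, so the doc should say whether `namespace` is still required, optional, or ignored when `service` is fully qualified, and what happens if the two disagree; as written a reader cannot tell whether to keep the second property.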

View File

@ -67,9 +67,11 @@ Run the following command to enable Istio RBAC for "default" namespace.
```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-enable.yaml
istioctl create -f samples/bookinfo/kube/istio-rbac-enable.yaml
```
> Note: if you have conflicting rules that you set in previous tasks, use `istioctl replace` instead of `istioctl create`.
It also defines "requestcontext", which is an instance of the
[authorization template](https://github.com/istio/istio/blob/master/mixer/template/authorization/template.proto).
"requestcontext" defines the input to the RBAC engine at runtime.
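Review bot: the added note says "if you have conflicting rules that you set in previous tasks, use `istioctl replace`"; the condition it is presumably describing is that `istioctl create` fails when an object with the same name already exists, so state it that way, and say that the same applies to the later `istioctl create` steps in this task rather than only to this one. The note is also placed directly after the closing fence with no blank line and before the sentence 'It also defines "requestcontext"', so "It" now reads as referring to the note instead of to the yaml file; move the note after that paragraph or start the next sentence with the file name.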
@ -92,7 +94,7 @@ is accessible by services in the same namespace (i.e., "default" namespace) and
Run the following command to create a namespace-level access control policy.
```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-namespace.yaml
istioctl create -f samples/bookinfo/kube/istio-rbac-namespace.yaml
```
The policy does the following:
@ -151,7 +153,7 @@ with "Book Details" section in the lower left part and "Book Reviews" section in
Remove the following configuration before you proceed to the next task:
```bash
kubectl delete -f samples/bookinfo/kube/istio-rbac-namespace.yaml
istioctl delete -f samples/bookinfo/kube/istio-rbac-namespace.yaml
```
## Service-level access control
@ -170,7 +172,7 @@ In this step, we will create a policy that allows external requests to view `pro
Run the following command:
```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-productpage.yaml
istioctl create -f samples/bookinfo/kube/istio-rbac-productpage.yaml
```
The policy does the following:
@ -184,7 +186,7 @@ The policy does the following:
namespace: default
spec:
rules:
- services: ["productpage"]
- services: ["productpage.default.svc.cluster.local"]
methods: ["GET"]
```
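Review bot: this is the first fully qualified service name in the task doc, but the surrounding prose (context line "allows external requests to view `productpage`") still uses the short name, and nothing here tells the reader why the yaml differs. One remark at this point that the `services` field takes the fully qualified service name of the form `<name>.<namespace>.svc.cluster.local` would keep readers from writing the short form when they adapt the sample to their own services.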
@ -219,7 +221,7 @@ We will create a policy to allow "productpage" service to read "details" and "re
Run the following command:
```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml
istioctl create -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml
```
The policy does the following:
@ -233,7 +235,7 @@ The policy does the following:
namespace: default
spec:
rules:
- services: ["details", "reviews"]
- services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
methods: ["GET"]
```
@ -272,7 +274,7 @@ We will create a policy to allow "reviews" service to read "ratings" service. No
Run the following command to create a policy that allows "reviews" service to read "ratings" service.
```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-ratings.yaml
istioctl create -f samples/bookinfo/kube/istio-rbac-ratings.yaml
```
The policy does the following:
@ -286,7 +288,7 @@ The policy does the following:
namespace: default
spec:
rules:
- services: ["ratings"]
- services: ["ratings.default.svc.cluster.local"]
methods: ["GET"]
```
@ -336,9 +338,9 @@ spec:
* Remove Istio RBAC policy configuration:
```bash
kubectl delete -f samples/bookinfo/kube/istio-rbac-ratings.yaml
kubectl delete -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml
kubectl delete -f samples/bookinfo/kube/istio-rbac-productpage.yaml
istioctl delete -f samples/bookinfo/kube/istio-rbac-ratings.yaml
istioctl delete -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml
istioctl delete -f samples/bookinfo/kube/istio-rbac-productpage.yaml
```
Alternatively, you can delete all ServiceRole and ServiceRoleBinding objects by running the following commands:
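Review bot: switching the cleanup to `istioctl delete` for objects that were created with `istioctl create` is consistent, but the context line "Alternatively, you can delete all ServiceRole and ServiceRoleBinding objects by running the following commands" introduces commands that lie outside this hunk; please confirm those were updated in the same way, since a cleanup section that mixes `kubectl` and `istioctl` for the same objects is confusing.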
@ -351,7 +353,7 @@ spec:
* Disable Istio RBAC:
```bash
kubectl delete -f samples/bookinfo/kube/istio-rbac-enable.yaml
istioctl delete -f samples/bookinfo/kube/istio-rbac-enable.yaml
```
## What's next