diff --git a/_docs/concepts/security/rbac.md b/_docs/concepts/security/rbac.md index b4d38898cc..00b76315a7 100644 --- a/_docs/concepts/security/rbac.md +++ b/_docs/concepts/security/rbac.md @@ -98,7 +98,8 @@ Here is an example of a simple role "service-admin", which has full access to al methods: ["*"] ``` -Here is another role "products-viewer", which has read ("GET" and "HEAD") access to "products" service in "default" namespace. +Here is another role "products-viewer", which has read ("GET" and "HEAD") access to service "products.default.svc.cluster.local" +in "default" namespace. ```rule apiVersion: "config.istio.io/v1alpha2" @@ -108,7 +109,7 @@ Here is another role "products-viewer", which has read ("GET" and "HEAD") access namespace: default spec: rules: - - services: ["products"] + - services: ["products.default.svc.cluster.local"] methods: ["GET", "HEAD"] ``` @@ -116,7 +117,7 @@ In addition, we support **prefix match** and **suffix match** for all the fields has the following permissions in "default" namespace: * Full access to all services with prefix "test-" (e.g, "test-bookstore", "test-performance", "test-api.default.svc.cluster.local"). * Read ("GET") access to all paths with "/reviews" suffix (e.g, "/books/reviews", "/events/booksale/reviews", "/reviews") -in "bookstore" service. +in service "bookstore.default.svc.cluster.local". ```rule apiVersion: "config.istio.io/v1alpha2" @@ -128,7 +129,7 @@ in "bookstore" service. rules: - services: ["test-*"] methods: ["*"] - - services: ["bookstore"] + - services: ["bookstore.default.svc.cluster.local"] paths: ["*/reviews"] methods: ["GET"] ``` @@ -149,7 +150,7 @@ being "v1" or "v2". Note that the "version" property is provided by `"action.pro namespace: default spec: rules: - - services: ["products"] + - services: ["products.default.svc.cluster.local"] methods: ["GET", "HEAD"] constraints: - key: "version" 
@@ -168,7 +169,7 @@ instance. Here is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects to ServiceRole "product-viewer": * user "alice@yahoo.com". -* "reviews" service in "abc" namespace. +* "reviews.abc.svc.cluster.local" service in "abc" namespace. ```rule apiVersion: "config.istio.io/v1alpha2" @@ -180,7 +181,7 @@ Here is an example of ServiceRoleBinding object "test-binding-products", which b subjects: - user: "alice@yahoo.com" - properties: - service: "reviews" + service: "reviews.abc.svc.cluster.local" namespace: "abc" roleRef: kind: ServiceRole diff --git a/_docs/tasks/security/role-based-access-control.md b/_docs/tasks/security/role-based-access-control.md index 0275aa6422..fad46f8c65 100644 --- a/_docs/tasks/security/role-based-access-control.md +++ b/_docs/tasks/security/role-based-access-control.md @@ -67,9 +67,11 @@ Run the following command to enable Istio RBAC for "default" namespace. ```bash -kubectl apply -f samples/bookinfo/kube/istio-rbac-enable.yaml +istioctl create -f samples/bookinfo/kube/istio-rbac-enable.yaml ``` + > Note: if you have conflicting rules that you set in previous tasks, use `istioctl replace` instead of `istioctl create`. + It also defines "requestcontext", which is an instance of the [authorization template](https://github.com/istio/istio/blob/master/mixer/template/authorization/template.proto). "requestcontext" defines the input to the RBAC engine at runtime. @@ -92,7 +94,7 @@ is accessible by services in the same namespace (i.e., "default" namespace) and Run the following command to create a namespace-level access control policy. ```bash -kubectl apply -f samples/bookinfo/kube/istio-rbac-namespace.yaml +istioctl create -f samples/bookinfo/kube/istio-rbac-namespace.yaml ``` The policy does the following: 
@@ -151,7 +153,7 @@ with "Book Details" section in the lower left part and "Book Reviews" section in Remove the following configuration before you proceed to the next task: ```bash -kubectl delete -f samples/bookinfo/kube/istio-rbac-namespace.yaml +istioctl delete -f samples/bookinfo/kube/istio-rbac-namespace.yaml ``` ## Service-level access control @@ -170,7 +172,7 @@ In this step, we will create a policy that allows external requests to view `pro Run the following command: ```bash -kubectl apply -f samples/bookinfo/kube/istio-rbac-productpage.yaml +istioctl create -f samples/bookinfo/kube/istio-rbac-productpage.yaml ``` The policy does the following: @@ -184,7 +186,7 @@ The policy does the following: namespace: default spec: rules: - - services: ["productpage"] + - services: ["productpage.default.svc.cluster.local"] methods: ["GET"] ``` @@ -219,7 +221,7 @@ We will create a policy to allow "productpage" service to read "details" and "re Run the following command: ```bash -kubectl apply -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml +istioctl create -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml ``` The policy does the following: @@ -233,7 +235,7 @@ The policy does the following: namespace: default spec: rules: - - services: ["details", "reviews"] + - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"] methods: ["GET"] ``` @@ -272,7 +274,7 @@ We will create a policy to allow "reviews" service to read "ratings" service. No Run the following command to create a policy that allows "reviews" service to read "ratings" service. ```bash -kubectl apply -f samples/bookinfo/kube/istio-rbac-ratings.yaml +istioctl create -f samples/bookinfo/kube/istio-rbac-ratings.yaml ``` The policy does the following: @@ -286,7 +288,7 @@ The policy does the following: namespace: default spec: rules: - - services: ["ratings"] + - services: ["ratings.default.svc.cluster.local"] methods: ["GET"] ``` 
@@ -336,9 +338,9 @@ spec: * Remove Istio RBAC policy configuration: ```bash - kubectl delete -f samples/bookinfo/kube/istio-rbac-ratings.yaml - kubectl delete -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml - kubectl delete -f samples/bookinfo/kube/istio-rbac-productpage.yaml + istioctl delete -f samples/bookinfo/kube/istio-rbac-ratings.yaml + istioctl delete -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml + istioctl delete -f samples/bookinfo/kube/istio-rbac-productpage.yaml ``` Alternatively, you can delete all ServiceRole and ServiceRoleBinding objects by running the following commands: @@ -351,7 +353,7 @@ spec: * Disable Istio RBAC: ```bash - kubectl delete -f samples/bookinfo/kube/istio-rbac-enable.yaml + istioctl delete -f samples/bookinfo/kube/istio-rbac-enable.yaml ``` ## What's next
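Review bot: In the rbac.md prefix-match hunk (the "@@ -116,7 +117,7 @@" region) the example list for "test-*" still mixes short names ("test-bookstore", "test-performance") with one FQDN ("test-api.default.svc.cluster.local"), while every other example in this patch has been changed to the full service name; now that rules are compared against FQDNs, the short names would never match at runtime, so they should become "test-bookstore.default.svc.cluster.local" and "test-performance.default.svc.cluster.local". More importantly, the surrounding text still says the role grants permissions "in 'default' namespace", but a bare prefix "test-*" matched against an FQDN also matches "test-*" services in every other namespace (for example "test-api.abc.svc.cluster.local"), so the rule is broader than the prose claims; either state that explicitly or narrow the example so the described scope and the enforced scope agree.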
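Review bot: In the ServiceRoleBinding hunk ("@@ -180,7 +181,7 @@") the subject now carries both `service: "reviews.abc.svc.cluster.local"` and `namespace: "abc"`, so the namespace is stated twice, and the accompanying bullet ("reviews.abc.svc.cluster.local" service in "abc" namespace) repeats it a third time. Document which field is authoritative when the two disagree (a subject with `service: "reviews.abc.svc.cluster.local"` and `namespace: "default"` is now expressible), or drop the redundant `namespace` property from the example so readers do not copy a binding whose meaning depends on an unstated precedence rule.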
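Review bot: The task-page hunks replace `kubectl apply` with `istioctl create` without saying why; a one-sentence reason would help readers who already have kubectl-managed RBAC objects decide whether to migrate. The added note about `istioctl replace` is needed because `kubectl apply` was idempotent while `istioctl create` fails on an existing object, but the same caveat applies to every later `istioctl create` in this patch (istio-rbac-namespace.yaml, istio-rbac-productpage.yaml, istio-rbac-details-reviews.yaml, istio-rbac-ratings.yaml) and is only stated once next to istio-rbac-enable.yaml; either repeat it or move it to a general prerequisite. Also check the markdown of the added line `+ > Note: ...`: the leading space before `>` may render as a code line rather than a blockquote depending on the site's markdown settings.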