Istio RBAC doc fix. (#1093)

This commit is contained in:
Limin Wang 2018-03-23 14:55:27 -07:00 committed by GitHub
parent bdaadeefd3
commit 9bcbc3394c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 20 deletions

View File

@ -98,7 +98,8 @@ Here is an example of a simple role "service-admin", which has full access to al
methods: ["*"] methods: ["*"]
``` ```
Here is another role "products-viewer", which has read ("GET" and "HEAD") access to "products" service in "default" namespace. Here is another role "products-viewer", which has read ("GET" and "HEAD") access to service "products.default.svc.cluster.local"
in "default" namespace.
```rule ```rule
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
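Review bot: the rewritten prose at the top of this hunk now reads `service "products.default.svc.cluster.local" in "default" namespace`, which states the namespace twice (the FQDN already carries it), and nothing in the hunk tells the reader why the short name "products" was replaced, i.e. what the `services` field is compared against at runtime. Suggest `read ("GET" and "HEAD") access to the "products.default.svc.cluster.local" service` plus one sentence saying that `services` entries are matched against the fully qualified service name, so readers know whether a bare "products" still matches anything.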
@ -108,7 +109,7 @@ Here is another role "products-viewer", which has read ("GET" and "HEAD") access
namespace: default namespace: default
spec: spec:
rules: rules:
- services: ["products"] - services: ["products.default.svc.cluster.local"]
methods: ["GET", "HEAD"] methods: ["GET", "HEAD"]
``` ```
@ -116,7 +117,7 @@ In addition, we support **prefix match** and **suffix match** for all the fields
has the following permissions in "default" namespace: has the following permissions in "default" namespace:
* Full access to all services with prefix "test-" (e.g, "test-bookstore", "test-performance", "test-api.default.svc.cluster.local"). * Full access to all services with prefix "test-" (e.g, "test-bookstore", "test-performance", "test-api.default.svc.cluster.local").
* Read ("GET") access to all paths with "/reviews" suffix (e.g, "/books/reviews", "/events/booksale/reviews", "/reviews") * Read ("GET") access to all paths with "/reviews" suffix (e.g, "/books/reviews", "/events/booksale/reviews", "/reviews")
in "bookstore" service. in service "bookstore.default.svc.cluster.local".
```rule ```rule
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
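Review bot: the example list in the first bullet still mixes short names ("test-bookstore", "test-performance") with one FQDN ("test-api.default.svc.cluster.local"), which is inconsistent with the rest of this change moving every service reference to the fully qualified form; make all three FQDNs, e.g. "test-bookstore.default.svc.cluster.local". Both bullets also have "e.g," where "e.g.," is meant. Worth a caveat as well: with only prefix and suffix matching available, `test-*` cannot pin a namespace inside the pattern, so the sentence "has the following permissions in "default" namespace" should say that the scoping comes from the ServiceRole's own `namespace: default` field, not from the pattern.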
@ -128,7 +129,7 @@ in "bookstore" service.
rules: rules:
- services: ["test-*"] - services: ["test-*"]
methods: ["*"] methods: ["*"]
- services: ["bookstore"] - services: ["bookstore.default.svc.cluster.local"]
paths: ["*/reviews"] paths: ["*/reviews"]
methods: ["GET"] methods: ["GET"]
``` ```
@ -149,7 +150,7 @@ being "v1" or "v2". Note that the "version" property is provided by `"action.pro
namespace: default namespace: default
spec: spec:
rules: rules:
- services: ["products"] - services: ["products.default.svc.cluster.local"]
methods: ["GET", "HEAD"] methods: ["GET", "HEAD"]
constraints: constraints:
- key: "version" - key: "version"
@ -168,7 +169,7 @@ instance.
Here is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects to ServiceRole "product-viewer": Here is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects to ServiceRole "product-viewer":
* user "alice@yahoo.com". * user "alice@yahoo.com".
* "reviews" service in "abc" namespace. * "reviews.abc.svc.cluster.local" service in "abc" namespace.
```rule ```rule
apiVersion: "config.istio.io/v1alpha2" apiVersion: "config.istio.io/v1alpha2"
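Review bot: the first line of this hunk binds the subjects to ServiceRole "product-viewer", but the role defined earlier in this file is "products-viewer" (plural); one of the two is a typo, and a `roleRef` copied from this text would not resolve. The second bullet also now says "reviews.abc.svc.cluster.local" service in "abc" namespace, repeating the namespace that the FQDN already encodes; `the "reviews.abc.svc.cluster.local" service` is enough.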
@ -180,7 +181,7 @@ Here is an example of ServiceRoleBinding object "test-binding-products", which b
subjects: subjects:
- user: "alice@yahoo.com" - user: "alice@yahoo.com"
- properties: - properties:
service: "reviews" service: "reviews.abc.svc.cluster.local"
namespace: "abc" namespace: "abc"
roleRef: roleRef:
kind: ServiceRole kind: ServiceRole
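Review bot: with `service` now a fully qualified name, the `namespace: "abc"` property on the following line is redundant, and the doc does not say what happens when the two disagree (e.g. `service: "reviews.abc.svc.cluster.local"` with `namespace: "xyz"`): whether both properties must match or one of them is ignored. Either drop `namespace` from the example or add a sentence on how subject properties are evaluated, since a subject that matches more broadly or more narrowly than the author intended is an authorization bug, not a cosmetic one.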

View File

@ -67,9 +67,11 @@ Run the following command to enable Istio RBAC for "default" namespace.
```bash ```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-enable.yaml istioctl create -f samples/bookinfo/kube/istio-rbac-enable.yaml
``` ```
> Note: if you have conflicting rules that you set in previous tasks, use `istioctl replace` instead of `istioctl create`.
It also defines "requestcontext", which is an instance of the It also defines "requestcontext", which is an instance of the
[authorization template](https://github.com/istio/istio/blob/master/mixer/template/authorization/template.proto). [authorization template](https://github.com/istio/istio/blob/master/mixer/template/authorization/template.proto).
"requestcontext" defines the input to the RBAC engine at runtime. "requestcontext" defines the input to the RBAC engine at runtime.
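Review bot: the new `> Note:` line lands between the command and the paragraph beginning "It also defines "requestcontext"", whose "It" refers to the yaml file just applied, so the pronoun now reads as if it pointed at the note; move the note below that paragraph or open the paragraph with "The file also defines". The note should also say what "conflicting rules" means in practice: `istioctl create` fails when an object with the same name already exists, which is why `istioctl replace` is needed on a re-run, and the same applies to every other `istioctl create` command this commit introduces in the task.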
@ -92,7 +94,7 @@ is accessible by services in the same namespace (i.e., "default" namespace) and
Run the following command to create a namespace-level access control policy. Run the following command to create a namespace-level access control policy.
```bash ```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-namespace.yaml istioctl create -f samples/bookinfo/kube/istio-rbac-namespace.yaml
``` ```
The policy does the following: The policy does the following:
@ -151,7 +153,7 @@ with "Book Details" section in the lower left part and "Book Reviews" section in
Remove the following configuration before you proceed to the next task: Remove the following configuration before you proceed to the next task:
```bash ```bash
kubectl delete -f samples/bookinfo/kube/istio-rbac-namespace.yaml istioctl delete -f samples/bookinfo/kube/istio-rbac-namespace.yaml
``` ```
## Service-level access control ## Service-level access control
@ -170,7 +172,7 @@ In this step, we will create a policy that allows external requests to view `pro
Run the following command: Run the following command:
```bash ```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-productpage.yaml istioctl create -f samples/bookinfo/kube/istio-rbac-productpage.yaml
``` ```
The policy does the following: The policy does the following:
@ -184,7 +186,7 @@ The policy does the following:
namespace: default namespace: default
spec: spec:
rules: rules:
- services: ["productpage"] - services: ["productpage.default.svc.cluster.local"]
methods: ["GET"] methods: ["GET"]
``` ```
@ -219,7 +221,7 @@ We will create a policy to allow "productpage" service to read "details" and "re
Run the following command: Run the following command:
```bash ```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml istioctl create -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml
``` ```
The policy does the following: The policy does the following:
@ -233,7 +235,7 @@ The policy does the following:
namespace: default namespace: default
spec: spec:
rules: rules:
- services: ["details", "reviews"] - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
methods: ["GET"] methods: ["GET"]
``` ```
@ -272,7 +274,7 @@ We will create a policy to allow "reviews" service to read "ratings" service. No
Run the following command to create a policy that allows "reviews" service to read "ratings" service. Run the following command to create a policy that allows "reviews" service to read "ratings" service.
```bash ```bash
kubectl apply -f samples/bookinfo/kube/istio-rbac-ratings.yaml istioctl create -f samples/bookinfo/kube/istio-rbac-ratings.yaml
``` ```
The policy does the following: The policy does the following:
@ -286,7 +288,7 @@ The policy does the following:
namespace: default namespace: default
spec: spec:
rules: rules:
- services: ["ratings"] - services: ["ratings.default.svc.cluster.local"]
methods: ["GET"] methods: ["GET"]
``` ```
@ -336,9 +338,9 @@ spec:
* Remove Istio RBAC policy configuration: * Remove Istio RBAC policy configuration:
```bash ```bash
kubectl delete -f samples/bookinfo/kube/istio-rbac-ratings.yaml istioctl delete -f samples/bookinfo/kube/istio-rbac-ratings.yaml
kubectl delete -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml istioctl delete -f samples/bookinfo/kube/istio-rbac-details-reviews.yaml
kubectl delete -f samples/bookinfo/kube/istio-rbac-productpage.yaml istioctl delete -f samples/bookinfo/kube/istio-rbac-productpage.yaml
``` ```
Alternatively, you can delete all ServiceRole and ServiceRoleBinding objects by running the following commands: Alternatively, you can delete all ServiceRole and ServiceRoleBinding objects by running the following commands:
@ -351,7 +353,7 @@ spec:
* Disable Istio RBAC: * Disable Istio RBAC:
```bash ```bash
kubectl delete -f samples/bookinfo/kube/istio-rbac-enable.yaml istioctl delete -f samples/bookinfo/kube/istio-rbac-enable.yaml
``` ```
## What's next ## What's next