$snippet enabling_istio_authorization.sh syntax="bash"
# Turn on Istio authorization (RBAC) by applying the sample RbacConfig.
# Once RBAC is ON, only requests matched by a ServiceRole/ServiceRoleBinding
# pair are allowed; everything else is denied, so apply the policies that
# follow before relying on the application again.
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
$endsnippet
$snippet enforcing_namespace_level_access_control_apply.sh syntax="bash"
# Apply the namespace-wide policy: one ServiceRole (service-viewer) plus one
# ServiceRoleBinding (bind-service-viewer), both in the default namespace.
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
$endsnippet
$snippet enforcing_namespace_level_access_control_apply.sh_output
servicerole.rbac.istio.io/service-viewer created
servicerolebinding.rbac.istio.io/bind-service-viewer created
$endsnippet
$snippet enforcing_namespace_level_access_control_delete.sh syntax="bash"
# Remove the namespace-wide grant again. With RBAC still ON this returns the
# namespace to deny-by-default until the finer-grained service-level policies
# below are applied.
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
$endsnippet
$snippet enforcing_namespace_level_access_control_service_viewer.yaml syntax="yaml"
# ServiceRole = the "what": a set of permissions scoped to metadata.namespace.
# services: ["*"] would match every service in the namespace, but the
# destination.labels[app] constraint narrows the grant to the four Bookinfo
# workloads. Only GET is permitted; any other method is still denied.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: service-viewer
  namespace: default
spec:
  rules:
  - services: ["*"]
    methods: ["GET"]
    constraints:
    # Restrict the wildcard service match to workloads carrying one of these
    # app labels; a new service in the namespace without such a label is not
    # covered by this role.
    - key: "destination.labels[app]"
      values: ["productpage", "details", "reviews", "ratings"]
$endsnippet
$snippet enforcing_namespace_level_access_control_bind_service_viewer.yaml syntax="yaml"
# ServiceRoleBinding = the "who": assigns the service-viewer role to subjects.
# Subjects here are matched on the caller's source namespace, so every
# workload running in istio-system (typically including the ingress gateway)
# or in default receives the role. This is a namespace-wide trust decision,
# not a per-workload one; the service-level policies later in the task
# tighten it to individual service accounts.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-service-viewer
  namespace: default
spec:
  subjects:
  - properties:
      source.namespace: "istio-system"
  - properties:
      source.namespace: "default"
  roleRef:
    kind: ServiceRole
    # Must name a ServiceRole in the same namespace as this binding.
    name: "service-viewer"
$endsnippet
$snippet enforcing_service_level_access_control_step1_apply.sh syntax="bash"
# Step 1: allow any caller to GET the productpage front end. This is the only
# policy in the task that opens a service to all users.
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
$endsnippet
$snippet enforcing_service_level_access_control_step1_productpage_viewer.yaml syntax="yaml"
# ServiceRole granting read-only (GET) access to exactly one service,
# addressed by its fully qualified name so the rule cannot match a
# same-named service in another namespace.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: productpage-viewer
  namespace: default
spec:
  rules:
  - services: ["productpage.default.svc.cluster.local"]
    methods: ["GET"]
$endsnippet
$snippet enforcing_service_level_access_control_step1_bind_productpage_viewer.yaml syntax="yaml"
# Binds productpage-viewer to every caller. user: "*" matches all subjects,
# including callers that present no identity at all, so this is suitable
# only for an endpoint that is meant to be public, like the Bookinfo front
# page. Do not copy this subject onto internal services.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-productpage-viewer
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "productpage-viewer"
$endsnippet
$snippet enforcing_service_level_access_control_step2_apply.sh syntax="bash"
# Step 2: allow only the productpage service account to GET details and
# reviews. Requires mutual TLS between the workloads so the caller identity
# in the binding can actually be presented.
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
$endsnippet
$snippet enforcing_service_level_access_control_step2_details_reviews_viewer.yaml syntax="yaml"
# ServiceRole covering two backend services with a single GET-only rule.
# Both services are listed by fully qualified name; ratings is deliberately
# not included here and gets its own role in step 3.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: details-reviews-viewer
  namespace: default
spec:
  rules:
  - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
    methods: ["GET"]
$endsnippet
$snippet enforcing_service_level_access_control_step2_bind_details_reviews.yaml syntax="yaml"
# Binds details-reviews-viewer to a single workload identity: the
# bookinfo-productpage service account in the default namespace, written in
# the cluster.local/ns/<namespace>/sa/<serviceaccount> form. This identity is
# only attested when the call is made over mutual TLS; a plaintext caller
# presents no user and therefore does not match and is denied.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-details-reviews
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-productpage"
  roleRef:
    kind: ServiceRole
    name: "details-reviews-viewer"
$endsnippet
$snippet enforcing_service_level_access_control_step3_apply.sh syntax="bash"
# Step 3: allow only the reviews service account to GET ratings, completing
# the call chain productpage -> reviews -> ratings with one binding per hop.
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
$endsnippet
$snippet enforcing_service_level_access_control_step3_ratings_viewer.yaml syntax="yaml"
# ServiceRole granting GET on the ratings service only, addressed by its
# fully qualified name.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: ratings-viewer
  namespace: default
spec:
  rules:
  - services: ["ratings.default.svc.cluster.local"]
    methods: ["GET"]
$endsnippet
$snippet enforcing_service_level_access_control_step3_bind_ratings.yaml syntax="yaml"
# Binds ratings-viewer to the bookinfo-reviews service account only. Note
# that productpage is not a subject here: it can reach reviews (step 2) but
# not ratings directly, so each hop is authorized independently.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-reviews"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"
$endsnippet
$snippet remove_istio_authorization_policy.sh syntax="bash"
# Remove the three service-level policies by the files that created them.
# Deleting by file only touches the objects defined in those files, which is
# the safer cleanup when the cluster holds other ServiceRoles or bindings.
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
$endsnippet
$snippet remove_istio_authorization_policy_alternative.sh syntax="bash"
# Alternative cleanup. --all deletes every ServiceRole and ServiceRoleBinding
# in the namespace of the current kubectl context, not just the ones from
# this task, so only use it on a cluster where no other authorization policy
# is in place. With RBAC still ON, nothing is allowed after this runs.
$ kubectl delete servicerole --all
$ kubectl delete servicerolebinding --all
$endsnippet
$snippet disabling_istio_authorization.sh syntax="bash"
# Turn Istio authorization off again by deleting the RbacConfig. Without it
# no ServiceRole/ServiceRoleBinding is enforced and every request is allowed,
# so do this only after the policies are no longer needed.
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
$endsnippet