Simple question here but I do not find clear answer: does Istio RBAC needs mTLS to be enable?
Because it’s not clearly mentioned (it is being said that you need to have a cluster with strict TLS though).
“strict” TLS is referring to the mTLS mode: https://istio.io/docs/reference/config/istio.authentication.v1alpha1/#MutualTls
Yes RBAC requires mTLS and/or jwt when you need to restrict access to authenticated identities (even namespaces).
To add a bit on this, RBAC could work independently without mTLS/JWT if you don’t use any identities from mTLS/JWT. This is not very common but could still be useful in some cases, for example, you can deny requests based on its source ip or some custom header values.