Istio RBAC - v1.1.5 - K8S

bappr · June 5, 2019, 5:56am

Hello,
I am using Istio v1.1.5 on GKE.
I deployed manually Istio using the helm chart and I am trying to setup the RBAC (https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1/).
I have created the ClusterRbacConfig

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ClusterRbacConfig
    metadata:
      name: default
    spec:
      mode: 'ON'

However I can still access all my services.

I already tried to follow many suggestions:

enable MTLS
create destination rule with ISTIO_MUTUAL (got a code 56 error)
etc.

I am not yet working on ServiceRole/ServiceRoleBinding, what I would like as the moment is to get the Access Denied error if I call any of my services.

Thanks for your help.

philliple · June 6, 2019, 5:41pm

AFAIK, you don’t need to turn on authentication if you just want to see access denied error. Could you try this first and see what went wrong? https://istio.io/help/ops/security/debugging-authorization/

bappr · June 10, 2019, 2:41am

So basically, I tried all of that but nothing worked on my cluster.
Therefore, I tried on a fresh cluster and it works well.
So I guess it’s a config problem on my end. I am gonna dig a bit more.
Thanks!

philliple · June 10, 2019, 5:07pm

Glad it works now

Topic		Replies	Views
Authorization not working Security	12	3000	July 16, 2019
Unable to apply auth to service accounts	14	2315	May 1, 2019
Getting RBAC denied even the servicerolebinding checked to be allowed Security	0	1771	August 6, 2020
An issue with creating an ClusterRbacConfig object Security	5	972	April 3, 2019
Istio 1.8.2. RBAC: access denied. JWT is valid Security security	6	5818	May 4, 2022

Istio RBAC - v1.1.5 - K8S

Related topics