Sure thing! Thanks again for the help … very much appreciated!
Here are the relevant ServiceRoleBindings (with redactions). Each binding grants one subject access to a single service: all three reference the same ServiceRole, tcp-echo-access, in namespace a-test-ns, and the subject in each case is the service account test-sleep-sa in a different namespace (a-test-ns, b-test-ns and c-test-ns) — so two of the three are cross-namespace grants.
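---
# kubectl-style List of the three ServiceRoleBindings in namespace a-test-ns.
# Under metadata, everything other than name/namespace/annotations
# (creationTimestamp, generation, resourceVersion, selfLink, uid) is
# server-populated and read-only.
#
# NOTE(review): rbac.istio.io/v1alpha1 ServiceRole/ServiceRoleBinding is the
# legacy Istio RBAC API, superseded by security.istio.io AuthorizationPolicy;
# confirm the Istio version in use still serves and enforces it before relying
# on these grants.
#
# The referenced ServiceRole "tcp-echo-access" is NOT part of this listing, so
# the permissions it confers (services, methods, constraints) cannot be reviewed
# here. All three bindings reference the same role; a roleRef without a
# namespace is resolved in the binding's own namespace (a-test-ns).
apiVersion: v1
items:
- apiVersion: rbac.istio.io/v1alpha1
  kind: ServiceRoleBinding
  metadata:
    annotations:
      # Written by `kubectl apply`; mirrors the spec below and is not hand-edited.
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"rbac.istio.io/v1alpha1","kind":"ServiceRoleBinding","metadata":{"annotations":{},"name":"tcp-echo-access-sleep-c-test-ns","namespace":"a-test-ns"},"spec":{"roleRef":{"kind":"ServiceRole","name":"tcp-echo-access"},"subjects":[{"user":"redacted.trustdomain.com/clustername/ns/c-test-ns/sa/test-sleep-sa"}]}}
    creationTimestamp: "2019-09-20T18:56:51Z"
    generation: 1
    name: tcp-echo-access-sleep-c-test-ns
    namespace: a-test-ns
    resourceVersion: "6454183"
    selfLink: /apis/rbac.istio.io/v1alpha1/namespaces/a-test-ns/servicerolebindings/tcp-echo-access-sleep-c-test-ns
    uid: 681b37e4-dbd8-11e9-a557-a0423f35e8da
  spec:
    roleRef:
      kind: ServiceRole
      name: tcp-echo-access
    subjects:
    # Cross-namespace grant: the caller identity is service account
    # test-sleep-sa in c-test-ns. Only an exact `user` identity is listed (no
    # group/properties wildcard), so the grant is scoped to that one SA.
    - user: redacted.trustdomain.com/clustername/ns/c-test-ns/sa/test-sleep-sa
- apiVersion: rbac.istio.io/v1alpha1
  kind: ServiceRoleBinding
  metadata:
    annotations:
      # Written by `kubectl apply`; mirrors the spec below and is not hand-edited.
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"rbac.istio.io/v1alpha1","kind":"ServiceRoleBinding","metadata":{"annotations":{},"name":"tcp-echo-access-sleep-a-test-ns","namespace":"a-test-ns"},"spec":{"roleRef":{"kind":"ServiceRole","name":"tcp-echo-access"},"subjects":[{"user":"redacted.trustdomain.com/clustername/ns/a-test-ns/sa/test-sleep-sa"}]}}
    creationTimestamp: "2019-09-20T18:56:53Z"
    generation: 1
    name: tcp-echo-access-sleep-a-test-ns
    namespace: a-test-ns
    resourceVersion: "6454190"
    selfLink: /apis/rbac.istio.io/v1alpha1/namespaces/a-test-ns/servicerolebindings/tcp-echo-access-sleep-a-test-ns
    uid: 68ffb653-dbd8-11e9-b5af-a0423f37743c
  spec:
    roleRef:
      kind: ServiceRole
      name: tcp-echo-access
    subjects:
    # Same-namespace grant: service account test-sleep-sa in a-test-ns, the
    # namespace that also holds the role and (per the proxy dump) the tcp-echo
    # service. Exact identity match only.
    - user: redacted.trustdomain.com/clustername/ns/a-test-ns/sa/test-sleep-sa
- apiVersion: rbac.istio.io/v1alpha1
  kind: ServiceRoleBinding
  metadata:
    annotations:
      # Written by `kubectl apply`; mirrors the spec below and is not hand-edited.
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"rbac.istio.io/v1alpha1","kind":"ServiceRoleBinding","metadata":{"annotations":{},"name":"tcp-echo-access-sleep-b-test-ns","namespace":"a-test-ns"},"spec":{"roleRef":{"kind":"ServiceRole","name":"tcp-echo-access"},"subjects":[{"user":"redacted.trustdomain.com/clustername/ns/b-test-ns/sa/test-sleep-sa"}]}}
    creationTimestamp: "2019-09-20T18:56:50Z"
    generation: 1
    name: tcp-echo-access-sleep-b-test-ns
    namespace: a-test-ns
    resourceVersion: "6454173"
    selfLink: /apis/rbac.istio.io/v1alpha1/namespaces/a-test-ns/servicerolebindings/tcp-echo-access-sleep-b-test-ns
    uid: 673856cf-dbd8-11e9-957f-a0423f35ead2
  spec:
    roleRef:
      kind: ServiceRole
      name: tcp-echo-access
    subjects:
    # Cross-namespace grant: the caller identity is service account
    # test-sleep-sa in b-test-ns. Exact identity match only.
    - user: redacted.trustdomain.com/clustername/ns/b-test-ns/sa/test-sleep-sa
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""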
The resulting filter chain found in the LDS update on the tcp-echo istio-proxy (the inbound listener for port 9000, per the envoy.tcp_proxy cluster below) shows the following. Note that the policy's permissions block is `{"any": true}`, i.e. the ServiceRole places no further constraint on what the listed principals may do on this plain-TCP port; no `action` field appears in the dump, so this is presumably the default ALLOW-list semantics, and the `authenticated` principal match means a caller must present a valid mTLS identity — plaintext callers and unlisted identities are denied:
"filters": [
{
"name": "envoy.filters.network.rbac",
"config": {
"rules": {
"policies": {
"tcp-echo-access": {
"permissions": [
{
"and_rules": {
"rules": [
{
"any": true
}
]
}
}
],
"principals": [
{
"and_ids": {
"ids": [
{
"authenticated": {
"principal_name": {
"exact": "spiffe://redacted.trustdomain.com/clustername/ns/b-test-ns/sa/test-sleep-sa"
}
}
}
]
}
},
{
"and_ids": {
"ids": [
{
"authenticated": {
"principal_name": {
"exact": "spiffe://redacted.trustdomain.com/clustername/ns/c-test-ns/sa/test-sleep-sa"
}
}
}
]
}
},
{
"and_ids": {
"ids": [
{
"authenticated": {
"principal_name": {
"exact": "spiffe://redacted.trustdomain.com/clustername/ns/a-test-ns/sa/test-sleep-sa"
}
}
}
]
}
}
]
}
}
},
"stat_prefix": "tcp."
}
},
{
"name": "envoy.tcp_proxy",
"config": {
"cluster": "inbound|9000|tcp|tcp-echo.a-test-ns.svc.cluster.local",
"stat_prefix": "inbound|9000|tcp|tcp-echo.a-test-ns.svc.cluster.local"
}
}
]
The order of the and_ids entries under principals is what appears to be non-deterministic. In this dump they come out as b, c, a, which is neither the listing order above (c, a, b) nor alphabetical; it does happen to coincide with the bindings' creationTimestamps here, but that may be incidental. As far as enforcement goes, Envoy RBAC treats the entries under principals as alternatives (any single match suffices), so the ordering should not change the allow/deny outcome; the practical cost is spurious LDS updates and noisy config diffs whenever the order flips.