RBAC controls over Egress traffic


I’m trying to limit the ability to call an “internet” endpoint to a single service (account) in the mesh. I’ve got outboundPolicy set to REGISTRY_ONLY and have whitelisted certain DNS names with ServiceEntries. However this allows anyone to egress to them, and I’d like to restrict that to a single principal.

I can’t for the life of me work out how to do this, or even if it’s possible, but I’m probably just googling the wrong thing. This blog strongly implies that this is possible, but the follow-up with the details isn’t available:

This issue is the only source I can find that talks about this, and I would guess for v1alpha3 I’d just reference the SE as the “service” here?

However, even with RBAC set to “ON”, all services are allowed to egress, so clearly RBAC isn’t denying this by default - is there another step I need to take to get deny-by-default, then use the method above to selectively open (service, egress) pairs back up?


I will look closely to the link you provided later.

To give a quick answer, which Istio version are you using? The RBAC policy on egress/ingress gateway is added in 1.2 and is not released yet, you can use it but we’re still testing it and will add more documentation once it’s ready for public use.

Thanks for your reply!

I’m on 1.2.2. Do you mean the functionality is there it’s just not documented yet? Happy to look in the 1.3 prelim docs and try it out if it’s documented there?