Hi,
Istio version: 1.1.4
I am trying to test RBAC so that a service only is accessible from default namespace.
I have enabled RBAC and I get RBAC: Access Denied. I use the following ServiceRole and RoleBinding:
The testapp ServiceRoleBinding allows both user: "*" and source.namespace: "default" to access the ServiceRole; they are ORed together, that’s why you can access the service from all namespaces.
One thing to check is to make sure you have enabled the mTLS which is required if you want to use the namespace property.
To add to what Yangmin has already said, if you want to limit access to only the default namespace, then you can remove user: "*" (and make sure mTLS is enabled). In the future, if you want to AND two fields within a Subject, you can specify them within one Subject (the - in front of user and properties in your ServiceRoleBinding indicates that there are two subjects).
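The two Subject layouts described above, side by side, as an added example that is not from the original thread (the ServiceRole name testapp-viewer and the namespace test-ns are assumptions; the thread does not show the original YAML):

```yaml
# Added example, not the poster's original manifest. Assumed names:
# ServiceRole "testapp-viewer", service namespace "test-ns".
#
# 1) Two list items under subjects = two Subjects, evaluated with OR.
#    The first Subject (user: "*") already admits every caller, so the
#    namespace restriction in the second Subject has no effect.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: testapp
  namespace: test-ns
spec:
  subjects:
  - user: "*"
  - properties:
      source.namespace: "default"
  roleRef:
    kind: ServiceRole
    name: testapp-viewer
---
# 2) One Subject whose fields are ANDed. The single "-" starts one Subject;
#    "properties" is indented under it, not a new list item. Only callers
#    whose peer identity (from mTLS) is in namespace "default" are allowed.
#    Removing user: "*" altogether, as suggested above, gives the same result.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: testapp
  namespace: test-ns
spec:
  subjects:
  - user: "*"
    properties:
      source.namespace: "default"
  roleRef:
    kind: ServiceRole
    name: testapp-viewer
```

source.namespace is derived from the client certificate, so without mTLS between the sidecars the property never matches and the only working Subject in the first form is user: "*".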
Thanks @YangminZhu and @philliple. It was not working if I use just the namespace properties alone.
However, I do not have mTLS enabled globally. Let me try enabling mTLS for this namespace.
The error “upstream connect error or disconnect/reset before headers” usually indicates there is something wrong in your mTLS setting, which means the request is rejected in the authentication layer; the authorization layer doesn’t even get the chance to see the request.
Note your DestinationRule is in the test-ns namespace, could you try to copy it also to the default namespace? Keep in mind, the DestinationRule takes effect on the client side, so if you’re sending the request from the default namespace, you should have one in the default namespace.
But I am able to access the service using curl from namespaces other than default as well.
To test whether the service role binding is working I deleted the service role and role binding then I got “RBAC access denied” as expected.
What could be wrong? Could this be a bug?