ServiceRoleBinding subject specification

Hi,

What can be used as the value of the user field in the subject specification for a ServiceRoleBinding?
Is it only service account names?

Thank you,
Laszlo

The user field is checked against the source.principal attribute, which is the URI in the SAN field of the peer certificate stripped of the “spiffe://” prefix.
Note this requires the authentication policy to be set to enable mTLS in your cluster.

You can also take a look at this example: https://istio.io/docs/tasks/security/authz-http/#step-2-allowing-access-to-the-details-and-reviews-services

Thank you for the answer. Does that mean that the following two settings are equivalent?

user: cluster.local/ns/default/sa/bookinfo-productpage

and

- properties:
      source.principal: "cluster.local/ns/default/sa/bookinfo-productpage"

Yes, and note they cannot be used at the same time.
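
The two equivalent forms from this thread written out as complete manifests, together with the mTLS policy they depend on. This is an added example, not part of the original posts: the binding names, the ServiceRole name and the namespace-wide scope of the policy are assumptions.

```yaml
# Prerequisite: mTLS must be enabled, otherwise source.principal is empty
# and neither binding below can match. Namespace-wide policy (assumed scope).
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: default
spec:
  peers:
  - mtls: {}
---
# Form 1: the "user" field. It is compared with source.principal, i.e. the
# SPIFFE URI from the peer certificate SAN without the "spiffe://" prefix.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-productpage-user          # hypothetical name
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-productpage"
  roleRef:
    kind: ServiceRole
    name: details-reviews-viewer       # hypothetical ServiceRole
---
# Form 2: the same identity expressed through "properties".
# Use one form or the other in a subject, not both together.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-productpage-principal     # hypothetical name
  namespace: default
spec:
  subjects:
  - properties:
      source.principal: "cluster.local/ns/default/sa/bookinfo-productpage"
  roleRef:
    kind: ServiceRole
    name: details-reviews-viewer       # hypothetical ServiceRole
```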