ServiceRoleBinding subject specification

#1

Hi,

What can be used as the value of the user field in the subject specification for a ServiceRoleBinding?
Is it only service account names?

Thank you,
Laszlo

#2

The user field is checked against the source.principal attribute, which is the URI in the SAN field of the peer certificate with the “spiffe://” prefix stripped.
Note this requires the authentication policy to be set to enable the mTLS in your cluster.

You can also take a look at this example: https://istio.io/docs/tasks/security/authz-http/#step-2-allowing-access-to-the-details-and-reviews-services

#3

Thank you for the answer. Does that mean that the following two settings are equivalent?

user: cluster.local/ns/default/sa/bookinfo-productpage

and

- properties:
      source.principal: "cluster.local/ns/default/sa/bookinfo-productpage"

#4

Yes, and note they cannot be used at the same time.

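The matching rule described in #2 through #4, written out as a small model (added example, not Istio's own code): source.principal is derived from the peer certificate's SPIFFE URI SAN, a subject may name it either via `user` or via `properties` but not both, and with no mTLS identity neither form matches. The SAN value and request attributes below are constructed for illustration.

```python
from typing import Dict, Optional

SPIFFE_PREFIX = "spiffe://"


def principal_from_san(uri_san: str) -> Optional[str]:
    """Derive source.principal from a peer certificate URI SAN.

    Mirrors the rule in #2: strip the "spiffe://" prefix. A SAN that is
    not a SPIFFE URI yields no principal at all.
    """
    if not uri_san.startswith(SPIFFE_PREFIX):
        return None
    return uri_san[len(SPIFFE_PREFIX):]


def is_well_formed(subject: Dict) -> bool:
    """A subject sets `user` or `properties`, never both (#4)."""
    return not ("user" in subject and subject.get("properties"))


def subject_matches(subject: Dict, attrs: Dict[str, str]) -> bool:
    """Evaluate one `subjects` entry against the request attributes.

    `user` is compared with source.principal; `properties` requires every
    listed attribute to match exactly.
    """
    if not is_well_formed(subject):
        raise ValueError("subject may set either 'user' or 'properties', not both")
    if "user" in subject:
        return attrs.get("source.principal") == subject["user"]
    props = subject.get("properties") or {}
    return all(attrs.get(k) == v for k, v in props.items())


# Constructed sample: SAN the productpage service account's cert would carry.
SAMPLE_SAN = "spiffe://cluster.local/ns/default/sa/bookinfo-productpage"
MTLS_ATTRS = {"source.principal": principal_from_san(SAMPLE_SAN) or ""}
PLAINTEXT_ATTRS: Dict[str, str] = {}  # no peer cert, so no source.principal

# The two spellings from #3.
BY_USER = {"user": "cluster.local/ns/default/sa/bookinfo-productpage"}
BY_PROPERTY = {"properties": {
    "source.principal": "cluster.local/ns/default/sa/bookinfo-productpage"}}


def both_forms_equivalent(attrs: Dict[str, str]) -> bool:
    """True when the `user` and `properties` forms decide the same way."""
    return subject_matches(BY_USER, attrs) == subject_matches(BY_PROPERTY, attrs)
```

Running it against PLAINTEXT_ATTRS shows the caveat from #2: without mTLS there is no principal, so neither form grants access.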