I have one cluster with 3 pods and 3 services (first, second and third).
My services are:
aks-helloworld-first, cluster IP: 10.67.251.251
aks-helloworld-sec, cluster IP: 10.67.248.67
aks-helloworld-third, cluster IP: 10.67.240.154
The pods are:
aks-helloworld-first, selector: app=helloworld-first
aks-helloworld-sec, selector: app=helloworld-sec
aks-helloworld-third, selector: app=helloworld-third
Service accounts:
helloworld-s-1 1 23h
helloworld-s-2 1 23h
helloworld-s-3 1 23h
I created the following and I was able to access only the “first” app, as expected (third and sec were able to access first, and all the others were denied):
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: service-viewer
  namespace: default
spec:
  rules:
  - services: ["aks-helloworld-first.*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-service-viewer
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "service-viewer"
When I tried to put only a specific user in “bind-service-viewer” (helloworld-s-3, which is the service account related to third), everything was denied again, including the third. How can I solve it, to grant access to a specific service account?
  - user: "helloworld-s-3"
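As an added example, not part of the original post: the same ServiceRole and ServiceRoleBinding, with the binding's subject written as the full SPIFFE identity of the service account. Istio's `rbac.istio.io/v1alpha1` policy compares `user` against the caller's identity in the form `<trust-domain>/ns/<namespace>/sa/<service-account>`, not against the bare service account name. The trust domain `cluster.local` is the Istio default and the namespace `default` is taken from the post; both are assumptions about this cluster.

```yaml
# Added example: grant the "service-viewer" role to one service account only.
# The ServiceRole is unchanged from the post; only the binding subject differs.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: service-viewer
  namespace: default
spec:
  rules:
  - services: ["aks-helloworld-first.*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-service-viewer
  namespace: default
spec:
  subjects:
  # The principal is taken from the caller's mTLS client certificate, so it
  # must be written as a SPIFFE identity: <trust-domain>/ns/<ns>/sa/<sa-name>.
  # "cluster.local" (default trust domain) and "default" (namespace from the
  # post) are assumptions for this cluster.
  - user: "cluster.local/ns/default/sa/helloworld-s-3"
  roleRef:
    kind: ServiceRole
    name: "service-viewer"
```

Because the identity comes from the peer certificate, mutual TLS has to be enabled on the path to `aks-helloworld-first`; over plaintext the source principal is empty, so a `user` subject other than `"*"` can never match and every caller is denied. The effective identity a pod will present is its namespace plus the `serviceAccountName` in its pod spec, which is worth checking against the binding before assuming the policy itself is wrong.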