Wildcards in Authorization Properties

#1

I’m looking to utilize Istio RBAC for HTTP services based on Kubernetes Service Account and Kubernetes namespace naming conventions. My plan currently is to setup a namespace level ServiceRoleBinding similar to this

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: binding-users
  namespace: namespacePrefix-test
spec:
  subjects:
  - properties:
      source.namespace: "namespacePrefix*"
  - properties:
      source.principal: "cluster.local/ns/namespacePrefix*"
  roleRef:
    kind: ServiceRole
    name: "service-viewer"

My question is, are the wildcards in Authorization property values above a supported feature? I’ve seen examples using only a wildcard value (’*’), but haven’t been able to locate specific documentation on what wildcard patterns are supported.

I’ve tested this on 1.1.2 and confirmed the above functionality works, but wanted to confirm it’ll continue working going forward.

Thanks!

#2

Yes, it’s supported and I think we will continue supporting it. We allow 1) a single wildcard ("*"), 2) prefix matching ("prefix*") and 3) suffix matching ("*suffix"). cc @liminwang for double confirm.

We should update the documents to make this more clear.

1 Like