Wildcards in Authorization Properties

benfogel · May 1, 2019, 6:28pm

I’m looking to utilize Istio RBAC for HTTP services based on Kubernetes Service Account and Kubernetes namespace naming conventions. My plan currently is to setup a namespace level ServiceRoleBinding similar to this

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: binding-users
  namespace: namespacePrefix-test
spec:
  subjects:
  - properties:
      source.namespace: "namespacePrefix*"
  - properties:
      source.principal: "cluster.local/ns/namespacePrefix*"
  roleRef:
    kind: ServiceRole
    name: "service-viewer"

My question is, are the wildcards in Authorization property values above a supported feature? I’ve seen examples using only a wildcard value (’*’), but haven’t been able to locate specific documentation on what wildcard patterns are supported.

I’ve tested this on 1.1.2 and confirmed the above functionality works, but wanted to confirm it’ll continue working going forward.

Thanks!

YangminZhu · May 1, 2019, 7:43pm

Yes, it’s supported and I think we will continue supporting it. We allow 1) a single wildcard ("*"), 2) prefix matching ("prefix*") and 3) suffix matching ("*suffix"). cc @liminwang for double confirm.

We should update the documents to make this more clear.

Topic		Replies	Views
RBAC Not working while trying to allow only from a namespace	8	1761	September 4, 2019
Istio rbac based on service name	5	561	September 20, 2019
Istio RBAC restrict to sercicenames	2	401	December 14, 2019
AuthorizationPolicy with wildcards	4	2488	January 18, 2021
Another AuthorizationPolicy Question - IP Whitelist for VirtualService Security	5	2044	February 11, 2021

Wildcards in Authorization Properties

Related topics