I’d like my mesh as secure as possible, and I have a couple of questions (based on the stance taken by the bookinfo examples)
Access to the front-end service (productpage) is allowed from any user. However, this isn’t “direct” internet traffic - I changed the rule to allow from “cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account” and it still worked, and was presumably more secure.
I then changed RBAC from ‘ON_WITH_INCLUSION’ to ‘ON’. This denied access, which I assumed was enforcement of traffic hitting the ingress gw from the internet. I added a Role for service istio-ingressgateway.istio-system.svc.cluster.local and a Binding to users “*” and that fixed it.
I guess my question is: why is this not the default stance? Why is RBAC ‘ON’ documented nowhere (unless I’ve missed it?). Even if all-namespace RBAC is a bit annoying, step 1 seems like an obvious thing to do?
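The configuration the post walks through, written out as an added example (these are not the poster's manifests and not the Istio bookinfo sample files): mode ‘ON’ mesh-wide, productpage reachable only by the ingress gateway's workload identity, and the gateway itself reachable by anyone. It assumes bookinfo is deployed in the default namespace, the gateway runs in istio-system under the istio-ingressgateway-service-account service account, and that the ServiceRole and ServiceRoleBinding names and the exposed path list are the author's own choices. Two caveats a practitioner should keep in mind: the `user` subject is matched against the mTLS source principal, so the productpage binding only means something with mutual TLS between gateway and productpage; and mode ‘ON’ also denies productpage's own calls to details and reviews until those services get roles and bindings too, which is why the bookinfo docs stage it namespace by namespace. This rbac.istio.io/v1alpha1 API was later replaced by AuthorizationPolicy (security.istio.io), so treat the shape below as specific to the Istio versions that still ship ClusterRbacConfig.

```yaml
# Added example, not from the original post or the Istio bookinfo samples.
# Assumptions: bookinfo in namespace "default"; ingress gateway in
# "istio-system" using service account "istio-ingressgateway-service-account";
# role/binding names and the path list below are the author's own choices.
# Uses the rbac.istio.io/v1alpha1 API the post refers to (pre-AuthorizationPolicy).

# 1. Enforce RBAC mesh-wide. With mode ON every service, the ingress gateway
#    included, rejects requests that no ServiceRoleBinding grants.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: 'ON'
---
# 2. productpage: only the ingress gateway's workload identity may call it.
#    `user` is compared to the mTLS source principal (SPIFFE ID from the
#    client certificate), so this requires mutual TLS gateway -> productpage.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: productpage-viewer
  namespace: default
spec:
  rules:
  - services: ["productpage.default.svc.cluster.local"]
    methods: ["GET"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-productpage-viewer
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  roleRef:
    kind: ServiceRole
    name: "productpage-viewer"
---
# 3. Ingress gateway: internet clients carry no mesh identity, so the only
#    subject that can match is "*". Because identity cannot constrain this
#    hop, narrow what "*" is allowed to do by method and path instead
#    (the path list is an assumption about what bookinfo should expose).
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: ingressgateway-public
  namespace: istio-system
spec:
  rules:
  - services: ["istio-ingressgateway.istio-system.svc.cluster.local"]
    methods: ["GET"]
    paths: ["/productpage", "/static/*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-ingressgateway-public
  namespace: istio-system
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "ingressgateway-public"
```

Apply it with `kubectl apply -f` and then check two things: a request through the gateway to /productpage still succeeds, and a request to productpage from a pod whose service account is not the gateway's (for example `kubectl exec` into a sleep pod and curl productpage:9080) is now refused. The second check is the one that confirms the ‘ON’ stance is doing more than the inclusion-only setting did.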