I’d like my mesh as secure as possible, and I have a couple of questions (based on the stance taken by the bookinfo examples)
Access to the front-end service (productpage) is allowed from any user. However, this isn’t “direct” internet traffic; I changed the rule to allow from “cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account” and it still worked, and was presumably more secure.
I then changed RBAC from ‘ON_WITH_INCLUSION’ to ‘ON’. This denied access, which I assumed was enforcement of traffic hitting the ingress gw from the internet. I added a Role for service istio-ingressgateway.istio-system.svc.cluster.local and a Binding to users “*” and that fixed it.
I guess my question is: why is this not the default stance? Why is RBAC ‘ON’ documented nowhere (unless I’ve missed it?). Even if all-namespace RBAC is a bit annoying, step 1 seems like an obvious thing to do?
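The three changes described in the post, written out as one policy set. This is an added example, not YAML from the thread or from the Istio docs; it assumes the Istio 1.0-era `rbac.istio.io/v1alpha1` API (RbacConfig, ServiceRole, ServiceRoleBinding), Bookinfo in the `default` namespace, and the stock ingress gateway in `istio-system` running as service account `istio-ingressgateway-service-account`. The role and binding names are my own.

```yaml
# Added example (not from the thread or the Istio docs). Assumes the Istio 1.0-era
# rbac.istio.io/v1alpha1 API, Bookinfo deployed in "default", and the default
# ingress gateway in "istio-system" running as service account
# "istio-ingressgateway-service-account". Role/binding names are made up.

# 1. Mesh-wide enforcement. The Bookinfo tutorial ships
#      mode: 'ON_WITH_INCLUSION'
#      inclusion:
#        namespaces: ["default"]
#    which leaves every other namespace, including istio-system and therefore
#    the ingress gateway, unenforced. 'ON' enforces everywhere. The RbacConfig
#    must be named "default"; any other name is ignored.
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: 'ON'
---
# 2. With RBAC ON, traffic arriving at the gateway from the internet carries no
#    mesh identity, so the gateway service itself needs a role bound to "*" or
#    nothing gets past it. Scope the "*" binding to the gateway service only;
#    never bind "*" to anything in the application namespace.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: ingressgateway-public
  namespace: istio-system
spec:
  rules:
  - services: ["istio-ingressgateway.istio-system.svc.cluster.local"]
    methods: ["*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-ingressgateway-public
  namespace: istio-system
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "ingressgateway-public"
---
# 3. productpage is reachable only from the gateway's identity, instead of the
#    tutorial's `user: "*"`. The source principal is taken from the client
#    certificate, so this only works if mTLS is enabled between the gateway
#    and productpage; without mTLS the request has no principal and is denied.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: productpage-viewer
  namespace: default
spec:
  rules:
  - services: ["productpage.default.svc.cluster.local"]
    methods: ["GET"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-productpage-viewer
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  roleRef:
    kind: ServiceRole
    name: "productpage-viewer"
```

Apply with `kubectl apply -f`, then check both directions: a `curl` to `/productpage` through the gateway's external address should return 200, while the same `curl` run from a sidecar-injected pod in another namespace (not the gateway) should return 403 with the body `RBAC: access denied`. Two caveats: once the mode is `ON`, details, reviews and ratings also need roles and bindings (the tutorial's per-service policies, with `user: "*"` replaced by the calling service's `cluster.local/ns/default/sa/...` principal) or productpage will start failing on its downstream calls; and the `"*"` binding on the gateway is the one place it cannot be avoided for public traffic, which is why keeping it confined to the gateway service matters.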
The bookinfo example is a tutorial for explaining the RBAC functionality in the simplest way and is optimized for being easy to follow/understand, not for production security or best practices.
Why is RBAC ‘ON’ documented nowhere (unless I’ve missed it?).
Even if all-namespace RBAC is a bit annoying, step 1 seems like an obvious thing to do?
We’re working to improve the user experience of the Istio security policy (mTLS, JWT, RBAC) and I’ll soon share out a design doc about this topic to the community.
One of the improvements is to revamp the documentation (others are better monitoring/metrics/tooling/testing/etc.), including adding best-practice and example policies for common use cases for reference. Hope this would improve the issues you mentioned so far, thank you!
Thanks for your detailed reply! Yes I think some more comprehensive docs would go a long way - some description of the ideal setup and how to achieve it, and YAMLs to implement that for Bookinfo (even if they’re not used on the golden path through the tutorial). For example, RBAC ‘ON’ is documented insofar as we’re told it exists, but there’s zero help to get your mesh working again after you enable it; I had to know quite a lot about Istio and reason about it from first principles.
Thanks for your replies, I now know I’m not going mad!
Thank you for your feedback @mt165. We’ll take this into consideration next time we’re updating our doc. You can also contribute to our doc site at https://github.com/istio/istio.io