# Permissions and roles for istio
# To debug: start the cluster with -vmodule=rbac,3 to enable verbose logging on RBAC DENY
# Also helps to enable logging on apiserver 'wrap' to see the URLs.
# Each RBAC deny needs to be mapped into a rule for the role.
# If using minikube, start with '--extra-config=apiserver.Authorization.Mode=RBAC'
#
# NOTE: If deploying istio to a namespace other than 'default' then change the
# ClusterRoleBinding namespace target appropriately.
#
# Role for the Manager/discovery. A ClusterRole is not namespaced: once bound
# through a ClusterRoleBinding (below) these rules apply in every namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-manager
rules:
  # Full control ("*" = every verb) over istio's own config objects.
  - apiGroups: ["istio.io"]
    resources: ["istioconfigs", "istioconfigs.istio.io"]
    verbs: ["*"]
  # Full control over TPR registrations and ingresses, including the
  # ingresses/status subresource.
  - apiGroups: ["extensions"]
    resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
    verbs: ["*"]
  # "*" grants create/update/delete as well as read on these core resources,
  # in every namespace of the cluster, not only the one istio is deployed in.
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "pods", "services"]
    verbs: ["*"]
  # Read-only on namespaces.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
---
# Role for the CA: read and write of Secrets (no delete) plus read-only
# access to ServiceAccounts. Both rules are cluster-wide once bound.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-ca
rules:
  # get/list on secrets applies to every namespace, so the CA service
  # account can read all Secrets in the cluster, not only the ones it issues.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["watch", "list"]
---
# Permissions for the sidecar proxy.
# Mostly read-only; "update" on thirdpartyresources/ingresses is the only
# write verb in this role. NOTE(review): confirm the proxy actually needs it.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-sidecar
rules:
  - apiGroups: ["istio.io"]
    resources: ["istioconfigs"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions"]
    resources: ["thirdpartyresources", "ingresses"]
    verbs: ["get", "watch", "list", "update"]
  # Read-only on core objects, in every namespace once bound.
  - apiGroups: [""]
    resources: ["configmaps", "pods", "endpoints", "services"]
    verbs: ["get", "watch", "list"]
---
# Grant permissions to the Manager/discovery.
# The subject namespace must match the namespace istio is deployed in
# (see the NOTE at the top of the file).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-manager-admin-role-binding
subjects:
  - kind: ServiceAccount
    name: istio-manager-service-account
    namespace: default
roleRef:
  kind: ClusterRole
  name: istio-manager
  apiGroup: rbac.authorization.k8s.io
---
# Grant permissions to the CA: binds the istio-ca role to the CA service
# account. The subject namespace must match where istio is deployed.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-ca-role-binding
subjects:
  - kind: ServiceAccount
    name: istio-ca-service-account
    namespace: default
roleRef:
  kind: ClusterRole
  name: istio-ca
  apiGroup: rbac.authorization.k8s.io
---
# Grant permissions to the Ingress controller.
# NOTE: the roleRef is istio-manager rather than a dedicated ingress role, so
# the ingress service account receives the full manager permission set,
# including "*" on configmaps/pods/services/endpoints cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-ingress-admin-role-binding
subjects:
  - kind: ServiceAccount
    name: istio-ingress-service-account
    namespace: default
roleRef:
  kind: ClusterRole
  name: istio-manager
  apiGroup: rbac.authorization.k8s.io
---
# Grant permissions to the sidecar.
# TEMPORARY: the istioctl should generate a separate service account for the proxy, and permission
# granted only to that account !
# Until then the subject is the 'default' ServiceAccount of the 'default'
# namespace, which every pod in that namespace without an explicit
# serviceAccountName runs as — so all such pods, not only the proxies, get
# the istio-sidecar permissions.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: istio-sidecar-role-binding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  kind: ClusterRole
  name: istio-sidecar
  apiGroup: rbac.authorization.k8s.io
---