5.2.4 RBAC access control

RBAC access control in Istio is built from three resources: ServiceRole, ServiceRoleBinding and RbacConfig. Together they provide fine-grained, service-to-service access control: once RBAC is switched on for a namespace, a request is allowed only if some ServiceRoleBinding grants the caller a ServiceRole whose rules match the request; everything else is denied.

(1) ServiceRole

A ServiceRole defines a set of access permissions on services: which services, which HTTP methods (and optionally which paths), plus extra constraints on request or destination attributes. In the example below the role grants GET and HEAD on products.svc.cluster.local, but only when the destination workload carries the label version=v1 or version=v2:


apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: products-viewer
  namespace: default        # a ServiceRole only covers services in its own namespace
spec:
  rules:
  - services: ["products.svc.cluster.local"]  # target service(s); "*" wildcards are allowed
    methods: ["GET", "HEAD"]                  # HTTP methods granted; anything else is denied
    constraints:                              # extra conditions on request/destination attributes
    - key: "destination.labels[version]"
      values: ["v1", "v2"]                    # field is "values" (a list); any listed value matches

(2) ServiceRoleBinding

A ServiceRoleBinding assigns a ServiceRole to a set of subjects, i.e. the callers being authorized. A subject is either a concrete identity (user) or a set of attribute conditions (properties); a binding may list several subjects, and matching any one of them is enough. The user identity comes from the peer certificate established by mutual TLS (the previous section), so without mTLS a caller has no verified identity and user-based subjects will not match. The binding below grants products-viewer both to the user alice@yahoo.com and to any caller running in the namespace abc:


apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: test-binding-products
  namespace: default        # must be the namespace of the referenced ServiceRole
spec:
  subjects:
  - user: alice@yahoo.com   # identity verified via mTLS
  - properties:             # attribute-based subject: all listed properties must match
      source.namespace: "abc"
  roleRef:
    kind: ServiceRole
    name: "products-viewer"

(3) RbacConfig

RbacConfig is the global switch that controls how Istio RBAC behaves. There must be exactly one instance, and it must be named default. Its mode selects OFF (the default, nothing is enforced), ON (enforced for all services), ON_WITH_INCLUSION (enforced only for the listed namespaces or services) or ON_WITH_EXCLUSION (enforced everywhere except the listed ones). Once enforcement is on for a namespace, access is deny-by-default, so turn it on only after the required ServiceRoles and ServiceRoleBindings are in place. The example below enables RBAC for the default namespace only:


apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default             # the single instance must be named "default"
spec:
  mode: 'ON_WITH_INCLUSION' # OFF | ON | ON_WITH_INCLUSION | ON_WITH_EXCLUSION
  inclusion:
    namespaces:             # enforce RBAC only here; unlisted namespaces stay open
    - default
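To make the interplay of the three resources concrete, the following is an added example, not Istio's own enforcement code: a small Python evaluator that applies the decision order RbacConfig (is enforcement on for this target?) then ServiceRoleBinding (does a subject match the caller?) then ServiceRole (does a rule match the request?), and denies by default otherwise. The resource dicts are constructed to mirror the YAML above; the request attribute names (source.user, source.namespace, destination.service, destination.labels[version], request.method) follow the Istio v1alpha1 attribute style, wildcard matching is approximated with fnmatch, and a binding is assumed to cover only roles in its own namespace. All of those are assumptions of this example.

```python
"""Added example (not Istio's own code): a toy evaluator showing how
RbacConfig, ServiceRoleBinding and ServiceRole combine into one decision.
Resource dicts are constructed to mirror the YAML in this section."""
import fnmatch

# Constructed: RbacConfig from the section (enforce only in "default").
RBAC_CONFIG = {"mode": "ON_WITH_INCLUSION", "inclusion": {"namespaces": ["default"]}}

# Constructed: ServiceRoles keyed by (namespace, name).
SERVICE_ROLES = {
    ("default", "products-viewer"): {
        "rules": [{
            "services": ["products.svc.cluster.local"],
            "methods": ["GET", "HEAD"],
            "constraints": [{"key": "destination.labels[version]", "values": ["v1", "v2"]}],
        }]
    }
}

# Constructed: ServiceRoleBinding from the section.
SERVICE_ROLE_BINDINGS = [{
    "namespace": "default",
    "subjects": [{"user": "alice@yahoo.com"}, {"properties": {"source.namespace": "abc"}}],
    "roleRef": {"kind": "ServiceRole", "name": "products-viewer"},
}]


def _match(pattern, value):
    """Istio accepts '*' plus prefix/suffix wildcards; fnmatch approximates that (assumption)."""
    return fnmatch.fnmatchcase(str(value), str(pattern))


def rbac_enforced(config, dest_namespace, dest_service):
    """Does RbacConfig switch enforcement on for this destination?"""
    mode = config.get("mode", "OFF")
    if mode == "OFF":
        return False
    if mode == "ON":
        return True
    if mode not in ("ON_WITH_INCLUSION", "ON_WITH_EXCLUSION"):
        raise ValueError("unknown RbacConfig mode: %r" % mode)
    targets = config.get("inclusion" if mode == "ON_WITH_INCLUSION" else "exclusion", {})
    listed = (dest_namespace in targets.get("namespaces", [])
              or dest_service in targets.get("services", []))
    return listed if mode == "ON_WITH_INCLUSION" else not listed


def subject_matches(subject, attrs):
    """A subject matches when its user (if given) and every property match the caller."""
    if "user" in subject and not _match(subject["user"], attrs.get("source.user", "")):
        return False
    return all(_match(v, attrs.get(k, "")) for k, v in subject.get("properties", {}).items())


def rule_matches(rule, attrs):
    """A rule matches when service, method, path (if given) and all constraints match."""
    if not any(_match(s, attrs.get("destination.service", "")) for s in rule.get("services", [])):
        return False
    if not any(_match(m, attrs.get("request.method", "")) for m in rule.get("methods", ["*"])):
        return False
    paths = rule.get("paths")
    if paths and not any(_match(p, attrs.get("request.path", "")) for p in paths):
        return False
    return all(any(_match(v, attrs.get(c["key"], "")) for v in c.get("values", []))
               for c in rule.get("constraints", []))


def authorize(attrs, config=RBAC_CONFIG, roles=SERVICE_ROLES, bindings=SERVICE_ROLE_BINDINGS):
    """Allow if RBAC is off for the target; otherwise only via a matching binding + role."""
    ns = attrs.get("destination.namespace", "")
    if not rbac_enforced(config, ns, attrs.get("destination.service", "")):
        return True
    for binding in bindings:
        if binding["namespace"] != ns:          # a binding only covers its own namespace (assumption)
            continue
        if not any(subject_matches(s, attrs) for s in binding["subjects"]):
            continue
        role = roles.get((ns, binding["roleRef"]["name"]))
        if role is None:                        # dangling roleRef grants nothing
            continue
        if any(rule_matches(r, attrs) for r in role["rules"]):
            return True
    return False                                # deny by default once enforcement is on


def make_request(user, src_ns, method, version="v1",
                 service="products.svc.cluster.local", dest_ns="default"):
    """Constructed request attributes in the Istio attribute-vocabulary style."""
    return {"source.user": user, "source.namespace": src_ns,
            "destination.service": service, "destination.namespace": dest_ns,
            "destination.labels[version]": version, "request.method": method}


if __name__ == "__main__":
    cases = [
        ("alice GET v1", make_request("alice@yahoo.com", "default", "GET")),
        ("alice POST v1", make_request("alice@yahoo.com", "default", "POST")),
        ("bob from abc HEAD", make_request("bob@example.com", "abc", "HEAD")),
        ("bob from xyz GET", make_request("bob@example.com", "xyz", "GET")),
        ("alice GET v3", make_request("alice@yahoo.com", "default", "GET", version="v3")),
    ]
    for label, req in cases:
        print("%-20s -> %s" % (label, "ALLOW" if authorize(req) else "DENY"))
```

Running the script shows the two allowed cases (alice with GET, any caller from namespace abc with HEAD) and the three denials (wrong method, caller outside abc without a user match, destination label version=v3). Switching the config to mode ON denies the unlisted caller even in other namespaces, while mode OFF lets everything through, which is why the RbacConfig should be switched on only after the bindings exist.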