Restrict RBAC rules for accessing Istio service proxy

Formerly, it is accessible by authenticated users. Now, it is accessible by cluster owners and authorized users/groups.

Restrict RBAC rules for accessing Istio service proxy
d0bfa65f · gitlawr · Alena Prokharchyk · dd05aa02 · d0bfa65f · d0bfa65f
Commit d0bfa65f authored Jun 25, 2019 by gitlawr Committed by Alena Prokharchyk Jul 23, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 5 deletions

istio-service-rbac.yaml charts/rancher-istio/0.0.2/templates/istio-service-rbac.yaml +8 -5

values.yaml charts/rancher-istio/0.0.2/values.yaml +6 -0

No files found.
--- a/charts/rancher-istio/0.0.2/templates/istio-service-rbac.yaml
+++ b/charts/rancher-istio/0.0.2/templates/istio-service-rbac.yaml
@@ -10,17 +10,20 @@ rules:
    verbs: ["get", "watch", "list"]

 ---
-
+{{- if .Values.global.members }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: read-istio-service
  namespace: {{ .Release.Namespace }}
 subjects:
-  - kind: Group
-    name: system:authenticated
+  {{- range $member := .Values.global.members }}
+  - kind: {{ $member.kind }}
+    name: {{ $member.name }}
    apiGroup: rbac.authorization.k8s.io
+  {{- end }}
 roleRef:
  kind: Role
  name: istio-service-reader
-  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
--- a/charts/rancher-istio/0.0.2/values.yaml
+++ b/charts/rancher-istio/0.0.2/values.yaml
@@ -139,6 +139,12 @@ istiocoredns:

 # Common settings used among istio subcharts.
 global:
+  # Specify members that can access istio service proxy
+  # members:
+  # - kind: User
+  #   name: u-abcba
+  # - kind: Group
+  #   name: github_org://1234567
  # Specify rancher domain and clusterId of external tracing config
  # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032
  rancher: