istio: specify value for "spec.subjects.properties.version" doesn't work as expected in ServiceRoleBinding
env:
- ubuntu: 16.04
- istio version: istio-0.8.0
- kubernetes version: v1.10.0
Reproduction steps
- Download and install istio-0.8.0 with mTLS:

```shell
curl -L https://git.io/getLatestIstio | sh -
cd istio-0.8.0/
export PATH=$PWD/bin:$PATH
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
```
- Try out the Istio RBAC with Bookinfo sample at: https://istio.io/docs/tasks/security/role-based-access-control/
In the last step, I would like to only see “red” ratings in the “Book Reviews” section, so I specify that only the “reviews” service at version “v3” can access the “ratings” service, following the doc, by updating the bind-ratings ServiceRoleBinding with:

```yaml
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-reviews"
    properties:
      version: "v3"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"
```
Point the browser to the Bookinfo productpage (http://$GATEWAY_URL/productpage). I can still see the “black” and “red” ratings in the “Book Reviews” section. The results show that both reviews v2 and v3 can access the ratings service. Expected: only “red” ratings in the “Book Reviews” section.
/cc @gyliu513
About this issue
- State: closed
- Created 6 years ago
- Comments: 16 (16 by maintainers)
@morvencao @gyliu513 I think I have found the root cause here: it’s actually a bug that incorrectly evaluated the user/group/properties in a subject as an OR relationship. I’ll send out a fix soon and try to make it into the 0.8.1 release.
In my previous test, I only included the `version: "v3"` in my binding config, which won’t trigger the bug. To work around this, you could include only properties in a subject, like this:

Thanks for reporting this and sorry for the trouble.
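To make the failure mode concrete, here is an added example (written for this page, not Istio's own code) that models how a ServiceRoleBinding subject is matched against a caller. It covers both the binding in the original report and the maintainer's diagnosis: `matchAND` is the intended semantics (every field set on the subject must hold), `matchOR` is the 0.8.0 behaviour described above (user, group and properties OR-ed together), and `workaround` is a properties-only subject. The `Subject`/`Caller` types, the `version` attribute name, the service account strings for the callers and the assumption that properties are still AND-ed among themselves are simplifications made for this example.

```go
package main

import "fmt"

// Subject is a simplified model of the user/group/properties triple in an
// Istio 0.8 ServiceRoleBinding subject (assumed shape, not Istio's own type).
type Subject struct {
	User       string
	Group      string
	Properties map[string]string
}

// Caller is what the RBAC filter knows about a request: the peer service
// account from mTLS plus request attributes such as the source workload's
// "version" label. The attribute names are assumptions for this example.
type Caller struct {
	User  string
	Group string
	Attrs map[string]string
}

// matchAND is the intended semantics: every field set on the subject must
// hold for the caller; an unset field is a wildcard.
func matchAND(s Subject, c Caller) bool {
	if s.User != "" && s.User != c.User {
		return false
	}
	if s.Group != "" && s.Group != c.Group {
		return false
	}
	for k, v := range s.Properties {
		if c.Attrs[k] != v {
			return false
		}
	}
	return true
}

// matchOR models the 0.8.0 bug: user, group and properties are OR-ed, so a
// subject is satisfied as soon as any one of them matches. Properties are
// still AND-ed among themselves here (an assumption of this model).
func matchOR(s Subject, c Caller) bool {
	if s.User != "" && s.User == c.User {
		return true
	}
	if s.Group != "" && s.Group == c.Group {
		return true
	}
	if len(s.Properties) == 0 {
		return false
	}
	for k, v := range s.Properties {
		if c.Attrs[k] != v {
			return false
		}
	}
	return true
}

// allowed reports whether any subject in the binding matches the caller
// under the given matcher; a binding grants its role on the first match.
func allowed(subjects []Subject, c Caller, match func(Subject, Caller) bool) bool {
	for _, s := range subjects {
		if match(s, c) {
			return true
		}
	}
	return false
}

const reviewsSA = "cluster.local/ns/default/sa/bookinfo-reviews"

// bindRatings is the subject from the bind-ratings binding in the report.
var bindRatings = []Subject{{
	User:       reviewsSA,
	Properties: map[string]string{"version": "v3"},
}}

// workaround is the properties-only subject the maintainer suggests.
var workaround = []Subject{{
	Properties: map[string]string{"version": "v3"},
}}

// Constructed callers: reviews v2 and v3 share one service account; the
// third is a hypothetical other workload that happens to carry version=v3.
var (
	reviewsV2 = Caller{User: reviewsSA, Attrs: map[string]string{"version": "v2"}}
	reviewsV3 = Caller{User: reviewsSA, Attrs: map[string]string{"version": "v3"}}
	otherV3   = Caller{User: "cluster.local/ns/default/sa/some-other-sa", Attrs: map[string]string{"version": "v3"}}
)

func main() {
	cases := []struct {
		name string
		c    Caller
	}{{"reviews v2", reviewsV2}, {"reviews v3", reviewsV3}, {"other SA at v3", otherV3}}
	fmt.Printf("%-16s %-14s %-14s %s\n", "caller", "AND (intended)", "OR (0.8.0 bug)", "workaround")
	for _, tc := range cases {
		fmt.Printf("%-16s %-14v %-14v %v\n", tc.name,
			allowed(bindRatings, tc.c, matchAND),
			allowed(bindRatings, tc.c, matchOR),
			allowed(workaround, tc.c, matchOR))
	}
}
```

Under OR semantics the user field alone satisfies the subject, so reviews v2 reaches ratings exactly as the report observed, and any workload labelled version=v3 passes as well. The properties-only workaround restores the version restriction but drops the service-account check entirely: anything carrying version=v3 is granted ratings-viewer, so it is a stop-gap until the fix lands, not an equivalent policy.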