Updated v1alpha to use fine grain RBAC rules (#272)

dcberg · rshriram · commit 736157a61da3 · 2017-05-15T22:02:27.000-04:00
* Updated v1alpha to use fine grain RBAC rules

* updated alpha rbac to add update support to istio-ca

* Improve rbac for istio-ca and istio-manager
diff --git a/install/kubernetes/istio-rbac-alpha.yaml b/install/kubernetes/istio-rbac-alpha.yaml
@@ -1,14 +1,112 @@
 # Permissions and roles for istio
+# To debug: start the cluster with -vmodule=rbac,3 to enable verbose logging on RBAC DENY
+# Also helps to enable logging on apiserver 'wrap' to see the URLs.
+# Each RBAC deny needs to be mapped into a rule for the role.
+# If using minikube, start with '--extra-config=apiserver.Authorization.Mode=RBAC'
+#
+# NOTE: If deploying istio to a namespace other than 'default' then change the
+# ClusterRoleBinding namspace target appropriately.
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1alpha1
-kind: RoleBinding
 metadata:
-  name: istio-binding
+  name: istio-manager
+rules:
+- apiGroups: ["istio.io"]
+  resources: ["istioconfigs", "istioconfigs.istio.io"]
+  verbs: ["*"]
+- apiGroups: ["extensions"]
+  resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["configmaps", "endpoints", "pods", "services"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: istio-ca
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "get", "watch", "list", "update"]
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  verbs: ["watch", "list"]
+---
+# Permissions for the sidecar proxy.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: istio-sidecar
+rules:
+- apiGroups: ["istio.io"]
+  resources: ["istioconfigs"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["extensions"]
+  resources: ["thirdpartyresources"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["configmaps", "pods", "endpoints", "services"]
+  verbs: ["get", "watch", "list"]
+---
+# Grant permissions to the Manager/discovery.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: istio-manager-admin-role-binding
+subjects:
+- kind: ServiceAccount
+  name: istio-manager-service-account
+  namespace: default
 roleRef:
-  apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: admin-role-resourceURLSs
+  name: istio-manager
+  apiGroup: rbac.authorization.k8s.io
+---
+# Grant permissions to the Manager/discovery.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: istio-ca-role-binding
 subjects:
 - kind: ServiceAccount
-  name: istio-manager-service-account
+  name: istio-ca-service-account
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: istio-ca
+  apiGroup: rbac.authorization.k8s.io
+---
+# Grant permissions to the Ingress controller.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: istio-ingress-admin-role-binding
+subjects:
 - kind: ServiceAccount
   name: istio-ingress-service-account
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: istio-manager
+  apiGroup: rbac.authorization.k8s.io
+---
+# Grant permissions to the sidecar.
+# TEMPORARY: the istioctl should generate a separate service account for the proxy, and permission
+# granted only to that account !
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: istio-sidecar-role-binding
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: istio-sidecar
+  apiGroup: rbac.authorization.k8s.io
+---
