Enabling Mesh-wide RBAC Policy Enforcement

Using RBAC policies requires mTLS strict mode. For information on how to enable it, see Enabling Mesh-wide Strict mTLS.

Introduction

Istio supports policies that define Role-based Access Control (RBAC) rules to specify which services can communicate within the mesh. Role-based means that you first create a role that defines a set of actions that are permitted on a set of resources, and then map the defined role to a set of services. A ServiceRole can define, for example, the permitted HTTP verbs and endpoints for HTTP services, or access to certain ports for TCP services. The resources resemble the Kubernetes RBAC objects; if you are familiar with those, you should be able to get started quickly with Maistra’s RBAC functionality.

The following example will enable RBAC policy enforcement in your Maistra mesh. Note that without any further action, this will make communication between your services impossible, because by default, Istio’s RBAC functionality will deny all requests that are not explicitly permitted.

Creating the ServiceMeshRbacConfig

Creating the following resource in your control plane’s namespace will enable RBAC policy enforcement in your mesh:

apiVersion: "maistra/v1"
kind: ServiceMeshRbacConfig
metadata:
  name: default
  namespace: <CONTROL_PLANE_NS>
spec:
  mode: 'ON'

This resource does not exist in upstream Istio; it has been added to Maistra. It replaces the upstream ClusterRbacConfig, which is cluster-scoped. For more information, see the comparison of Maistra and upstream Istio.
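
With enforcement on, traffic flows again only where a role and a binding explicitly permit it. The following is an added example, not part of the Maistra documentation, using Istio's rbac.istio.io/v1alpha1 ServiceRole and ServiceRoleBinding resources to allow one HTTP caller and one TCP port. The namespace placeholder <APP_NS> and the names products, mongodb and frontend are assumptions.

```yaml
# ServiceRole: what may be done. Must live in the same namespace as the services it names.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: products-reader            # hypothetical role name
  namespace: <APP_NS>
spec:
  rules:
  # HTTP service: read-only verbs on one path prefix
  - services: ["products.<APP_NS>.svc.cluster.local"]
    methods: ["GET", "HEAD"]
    paths: ["/products/*"]
  # TCP service: no verbs or paths apply, so restrict by destination port
  - services: ["mongodb.<APP_NS>.svc.cluster.local"]
    constraints:
    - key: "destination.port"
      values: ["27017"]
---
# ServiceRoleBinding: who gets the role.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-products-reader       # hypothetical binding name
  namespace: <APP_NS>
spec:
  subjects:
  # Service account identity of the caller, taken from its mTLS certificate.
  # This is why strict mTLS is a prerequisite: without it the identity is absent.
  - user: "cluster.local/ns/<APP_NS>/sa/frontend"
  roleRef:
    kind: ServiceRole
    name: "products-reader"
```

Any request that no binding matches, such as a POST to products or a call from a different service account, is still denied.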