authorHuabing Zhao <zhaohuabing@gmail.com>2018-08-04 03:23:24 +0000
committerHuabing Zhao <zhaohuabing@gmail.com>2018-08-04 03:23:29 +0000
commitb8a4a260fee9a4fcc9d479c590fb74872046be58 (patch)
tree1678f0901d0a0cb8e4b4439cf3d5711bcec40e1b
parent7a79abe6bb6cb4b747054e08a7cb49cff27f56a2 (diff)
Enable istio RBAC
Issue-ID: MSB-255 Change-Id: I8232c5f49c99a3ab4115ff531efcbdb2d8febfa0 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
-rw-r--r--install/enable-istio-rbac.yaml8
-rw-r--r--install/istio-ingress-rbac.yaml24
-rw-r--r--install/msb-rbac.yaml21
3 files changed, 53 insertions, 0 deletions
diff --git a/install/enable-istio-rbac.yaml b/install/enable-istio-rbac.yaml
new file mode 100644
index 0000000..3b66fcc
--- /dev/null
+++ b/install/enable-istio-rbac.yaml
@@ -0,0 +1,8 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: RbacConfig
+metadata:
+ name: default
+spec:
+ mode: 'ON_WITH_INCLUSION'
+ inclusion:
+ namespaces: ["onap"]
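Review bot: Nothing in this file says that applying it switches the `onap` namespace to deny-by-default, which matters for the order in which the three new files are applied. With `mode: 'ON_WITH_INCLUSION'` and `namespaces: ["onap"]`, requests to services in `onap` that no ServiceRoleBinding covers are rejected, while every other namespace stays unenforced. I would add a header comment such as `# Enforces Istio RBAC for namespace onap only; apply istio-ingress-rbac.yaml and msb-rbac.yaml first, unmatched requests are denied.` Any namespace added to the inclusion list later needs its own roles and bindings in place before that change is applied.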
diff --git a/install/istio-ingress-rbac.yaml b/install/istio-ingress-rbac.yaml
new file mode 100644
index 0000000..81bbca6
--- /dev/null
+++ b/install/istio-ingress-rbac.yaml
@@ -0,0 +1,24 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+ name: service-viewer
+ namespace: onap
+spec:
+ rules:
+ - services: ["*"]
+ methods: ["GET"]
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+ name: bind-service-viewer
+ namespace: onap
+spec:
+ subjects:
+ - properties:
+ source.namespace: "istio-system"
+ - properties:
+ source.namespace: "default"
+ roleRef:
+ kind: ServiceRole
+ name: "service-viewer"
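Review bot: The second subject, `source.namespace: "default"`, grants GET on every service in `onap` to any workload running in the `default` namespace, which is wider than the file name (ingress) suggests. If only the ingress in `istio-system` needs this role, drop that subject; if a particular client in `default` needs it, bind its service account instead, e.g. `- user: "cluster.local/ns/default/sa/<service-account>"`. Both `source.namespace` here and `user` in msb-rbac.yaml are, as far as I know, taken from the peer's mutual-TLS identity, so these bindings assume mutual TLS is enabled for `onap`. The commit does not show that, and a comment stating the prerequisite would help whoever applies these files.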
diff --git a/install/msb-rbac.yaml b/install/msb-rbac.yaml
new file mode 100644
index 0000000..bcb1d87
--- /dev/null
+++ b/install/msb-rbac.yaml
@@ -0,0 +1,21 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+ name: msb
+ namespace: onap
+spec:
+ rules:
+ - services: ["*"]
+ methods: ["GET"]
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+ name: bind-service-msb
+ namespace: onap
+spec:
+ subjects:
+ - user: "cluster.local/ns/onap/sa/msb"
+ roleRef:
+ kind: ServiceRole
+ name: "msb"
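Review bot: The `msb` ServiceRole repeats the rules of `service-viewer` from istio-ingress-rbac.yaml line for line (`services: ["*"]`, `methods: ["GET"]`), so one permission set now lives in two roles that have to be kept in sync. Either point this binding's `roleRef` at `service-viewer`, or add a comment saying why msb has its own role, e.g. `# Separate role so msb's access can be changed independently of the ingress.` If msb forwards requests other than GET to services in `onap`, those would presumably be denied under this role, so the method list deserves a check before enforcement is switched on. The wildcard also gives the msb service account read access to every service in the namespace; list the services explicitly if msb fronts only some of them.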