author | Huabing Zhao <zhaohuabing@gmail.com> | 2018-08-04 03:23:24 +0000 |
---|---|---|
committer | Huabing Zhao <zhaohuabing@gmail.com> | 2018-08-04 03:23:29 +0000 |
commit | b8a4a260fee9a4fcc9d479c590fb74872046be58 (patch) | |
tree | 1678f0901d0a0cb8e4b4439cf3d5711bcec40e1b | |
parent | 7a79abe6bb6cb4b747054e08a7cb49cff27f56a2 (diff) |
Enable istio RBAC
Issue-ID: MSB-255
Change-Id: I8232c5f49c99a3ab4115ff531efcbdb2d8febfa0
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
-rw-r--r-- | install/enable-istio-rbac.yaml | 8 | ||||
-rw-r--r-- | install/istio-ingress-rbac.yaml | 24 | ||||
-rw-r--r-- | install/msb-rbac.yaml | 21 |
3 files changed, 53 insertions, 0 deletions
diff --git a/install/enable-istio-rbac.yaml b/install/enable-istio-rbac.yaml
new file mode 100644
index 0000000..3b66fcc
--- /dev/null
+++ b/install/enable-istio-rbac.yaml
@@ -0,0 +1,8 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: RbacConfig
+metadata:
+ name: default
+spec:
+ mode: 'ON_WITH_INCLUSION'
+ inclusion:
+ namespaces: ["onap"]
diff --git a/install/istio-ingress-rbac.yaml b/install/istio-ingress-rbac.yaml
new file mode 100644
index 0000000..81bbca6
--- /dev/null
+++ b/install/istio-ingress-rbac.yaml
@@ -0,0 +1,24 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+ name: service-viewer
+ namespace: onap
+spec:
+ rules:
+ - services: ["*"]
+ methods: ["GET"]
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+ name: bind-service-viewer
+ namespace: onap
+spec:
+ subjects:
+ - properties:
+ source.namespace: "istio-system"
+ - properties:
+ source.namespace: "default"
+ roleRef:
+ kind: ServiceRole
+ name: "service-viewer"
diff --git a/install/msb-rbac.yaml b/install/msb-rbac.yaml
new file mode 100644
index 0000000..bcb1d87
--- /dev/null
+++ b/install/msb-rbac.yaml
@@ -0,0 +1,21 @@
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+ name: msb
+ namespace: onap
+spec:
+ rules:
+ - services: ["*"]
+ methods: ["GET"]
+---
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+ name: bind-service-msb
+ namespace: onap
+spec:
+ subjects:
+ - user: "cluster.local/ns/onap/sa/msb"
+ roleRef:
+ kind: ServiceRole
+ name: "msb" |
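Review bot: Nothing in install/enable-istio-rbac.yaml says that applying it puts every service in the `onap` namespace into deny-by-default, so applying it before the two policy files would leave the namespace unreachable until they land. A header comment would help, for example `# Apply istio-ingress-rbac.yaml and msb-rbac.yaml first; with ON_WITH_INCLUSION any request to an onap service that no ServiceRoleBinding allows is rejected.` The RbacConfig named `default` is, as far as I know, a mesh-wide singleton, so the comment should also say that this file replaces any existing inclusion list rather than adding to it.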
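Review bot: The second subject of `bind-service-viewer` in install/istio-ingress-rbac.yaml, `source.namespace: "default"`, lets any workload running in the `default` namespace GET every service in `onap`, which is wider than the file name suggests. If only the ingress needs this access, bind to its service account instead, e.g. `- user: "cluster.local/ns/istio-system/sa/<ingress-service-account>"` (placeholder name), and either drop the `default` entry or add a comment saying why it is required. Both `source.namespace` here and the `user` subject in install/msb-rbac.yaml are derived from the caller's mutual-TLS identity, so a comment stating that mTLS must be enabled for traffic into `onap` would save operators from an unexplained all-denied rollout.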
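Review bot: The `msb` ServiceRole in install/msb-rbac.yaml allows only `methods: ["GET"]`, so once RBAC is enabled any POST, PUT or DELETE sent by the `msb` service account to an `onap` service will be denied. If MSB forwards write requests to backends (presumably it does, as a gateway), list exactly the methods it needs; otherwise add a comment such as `# read-only on purpose: MSB only queries services`. The rule is also identical to `service-viewer` in install/istio-ingress-rbac.yaml, so `bind-service-msb` could reference that role, and `services: ["*"]` could be narrowed to the services MSB actually fronts.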