Role-based Access Control

This section describes the permissions required to access Istio features.

The Rancher Istio chart installs three ClusterRoles.

Cluster-Admin Access

By default, only those with the cluster-admin ClusterRole can:

  • Install the Istio app in a cluster
  • Configure resource allocations for Istio

Admin and Edit access

By default, only users with the Admin or Edit role can:

  • Enable and disable Istio sidecar auto-injection for namespaces
  • Add the Istio sidecar to workloads
  • View the traffic metrics and traffic graph for the cluster
  • Configure Istio’s resources (such as the gateway, destination rules, or virtual services)

Summary of Default Permissions for Kubernetes Default roles

Istio creates three ClusterRoles and adds Istio CRD access to the following default K8s ClusterRoles:

ClusterRole created by chart   Default K8s ClusterRole   Rancher Role
istio-admin                    admin                     Project Owner
istio-edit                     edit                      Project Member
istio-view                     view                      Read-only

Rancher will continue to use cluster-owner, cluster-member, project-owner, project-member, etc. as role names, but will use the default K8s roles to determine access. For each default K8s ClusterRole there is a different set of Istio CRD permissions, expressed as K8s actions: Create (C), Get (G), List (L), Watch (W), Update (U), Patch (P), Delete (D), All (*).

CRDs                         Admin   Edit   View
  • config.istio.io          GLW     GLW    GLW
    • adapters
    • attributemanifests
    • handlers
    • httpapispecbindings
    • httpapispecs
    • instances
    • quotaspecbindings
    • quotaspecs
    • rules
    • templates
  • networking.istio.io      *       *      GLW
    • destinationrules
    • envoyfilters
    • gateways
    • serviceentries
    • sidecars
    • virtualservices
    • workloadentries
  • security.istio.io        *       *      GLW
    • authorizationpolicies
    • peerauthentications
    • requestauthentications
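The following added example (not part of the Rancher documentation or chart) turns the permission table above into the three ClusterRole manifests and answers the question a practitioner usually asks next: can a subject bound to one of these roles perform a given verb on a given Istio CRD? The letter-code expansion and the rbac.authorization.k8s.io/v1 manifest shape are standard Kubernetes; the role names and matrix values are the ones in the table.

```python
import json

# Letter codes used in the permission table, mapped to Kubernetes RBAC verbs.
VERB_CODES = {"C": "create", "G": "get", "L": "list", "W": "watch",
              "U": "update", "P": "patch", "D": "delete"}

# Permission matrix from the table: (API group, resources, codes per chart role).
MATRIX = [
    ("config.istio.io",
     ["adapters", "attributemanifests", "handlers", "httpapispecbindings",
      "httpapispecs", "instances", "quotaspecbindings", "quotaspecs",
      "rules", "templates"],
     {"istio-admin": "GLW", "istio-edit": "GLW", "istio-view": "GLW"}),
    ("networking.istio.io",
     ["destinationrules", "envoyfilters", "gateways", "serviceentries",
      "sidecars", "virtualservices", "workloadentries"],
     {"istio-admin": "*", "istio-edit": "*", "istio-view": "GLW"}),
    ("security.istio.io",
     ["authorizationpolicies", "peerauthentications", "requestauthentications"],
     {"istio-admin": "*", "istio-edit": "*", "istio-view": "GLW"}),
]

def expand(codes):
    """'GLW' -> ['get', 'list', 'watch']; '*' stays the RBAC wildcard verb."""
    return ["*"] if codes == "*" else [VERB_CODES[c] for c in codes]

def cluster_role(name):
    """Build the ClusterRole manifest (as a dict) for one of the chart's three roles."""
    rules = [{"apiGroups": [group], "resources": list(resources),
              "verbs": expand(per_role[name])}
             for group, resources, per_role in MATRIX]
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}

def can(name, verb, group, resource):
    """Evaluate a request the way RBAC does: any rule matching group, resource and verb allows it."""
    for rule in cluster_role(name)["rules"]:
        if group in rule["apiGroups"] and resource in rule["resources"] \
                and ("*" in rule["verbs"] or verb in rule["verbs"]):
            return True
    return False  # no matching rule: RBAC denies by default

if __name__ == "__main__":
    print(json.dumps(cluster_role("istio-view"), indent=2))
    for role in ("istio-admin", "istio-edit", "istio-view"):
        print(role, "create virtualservices:",
              can(role, "create", "networking.istio.io", "virtualservices"))
```

The same check against a live cluster is `kubectl auth can-i create virtualservices.networking.istio.io --as=<user> -n <namespace>`, which also accounts for the RoleBindings and any aggregated rules the generated manifest does not.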