I set up a k8s cluster in GKE with RBAC enabled, and I installed Istio into the cluster.
I follow this step (link) to create key/certs for the Istio ingress controller, and key/certs are stored as secret whose name is istio-ingress-certs.
Now I want to use RBAC to limit access to istio-ingress-certs, so that every component in istio-system is allowed to read the secret, but none could modify or delete it.
I create a secrets-rbac.yaml file and run kubectl apply -f secrets-rbac.yaml, which creates a role to read the secret and binds this role to all serviceaccounts in the istio-system namespace.
To verify that a serviceaccount is not allowed to modify istio-ingress-certs, I use this command to test: kubectl auth can-i edit secrets/istio-ingress-certs -n istio-system --as system:serviceaccount:istio-system:istio-pilot-service-account
I expect the command to return false, but it returns true. I think I didn't set up RBAC correctly in the yaml file, but I am not clear which part is incorrect.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: istio-system
  name: istio-ingress-certs-reader
rules:
- apiGroups: ["*"]
  resources: ["secrets"]
  resourceNames: ["istio-ingress-certs"]
  verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: istio-system
  name: read-istio-ingress-certs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingress-certs-reader
subjects:
- kind: Group
  name: system:serviceaccounts:istio-system
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:unauthenticated
  apiGroup: rbac.authorization.k8s.io
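Added example, not part of the question: Kubernetes RBAC is purely additive, so a read-only Role can never take away a verb that some other binding already grants; `kubectl auth can-i` returns true if any bound rule matches. The model below reproduces that evaluation offline with the Role from the question plus a constructed stand-in binding (`istio-pilot-broad`, a hypothetical name) that grants wildcard verbs on secrets to the pilot service account, and shows how to list which roles are responsible for a grant, which is the audit step to run when can-i says yes unexpectedly.

```python
"""Offline model of Kubernetes RBAC evaluation: union of grants, no deny."""

ROLES = {
    "istio-ingress-certs-reader": [  # the Role posted in the question
        {"apiGroups": ["*"], "resources": ["secrets"],
         "resourceNames": ["istio-ingress-certs"], "verbs": ["get"]},
    ],
    "istio-pilot-broad": [  # constructed stand-in for a pre-existing grant
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
    ],
}

BINDINGS = [  # subjects are (kind, name) pairs, as in a RoleBinding
    {"role": "istio-ingress-certs-reader",
     "subjects": [("Group", "system:serviceaccounts:istio-system")]},
    {"role": "istio-pilot-broad",
     "subjects": [("ServiceAccount", "istio-pilot-service-account")]},
]

# Groups the API server attaches to a namespaced service account identity.
PILOT = [("ServiceAccount", "istio-pilot-service-account"),
         ("Group", "system:serviceaccounts:istio-system"),
         ("Group", "system:serviceaccounts"),
         ("Group", "system:authenticated")]


def _matches(field, wanted):
    # An absent field (e.g. no resourceNames) means "any"; "*" is a wildcard.
    return not field or "*" in field or wanted in field


def rule_allows(rule, api_group, resource, name, verb):
    return (_matches(rule.get("apiGroups"), api_group)
            and _matches(rule.get("resources"), resource)
            and _matches(rule.get("resourceNames"), name)
            and _matches(rule.get("verbs"), verb))


def grants_for(subjects, verb, resource, name, api_group="", bindings=BINDINGS):
    """Names of bound roles that grant the verb: what to audit after can-i."""
    return [b["role"] for b in bindings
            if any(s in b["subjects"] for s in subjects)
            and any(rule_allows(r, api_group, resource, name, verb)
                    for r in ROLES[b["role"]])]


def can_i(subjects, verb, resource, name, api_group="", bindings=BINDINGS):
    """True if ANY matching rule exists; adding a read-only Role cannot flip it."""
    return bool(grants_for(subjects, verb, resource, name, api_group, bindings))
```

With the second binding removed, `can_i(PILOT, "update", ...)` is False, which is the behaviour the question expected; with it present, `grants_for` names the binding that needs tightening.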