apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: myservice
  namespace: default
spec:
  rules:
  - services: ["httpbin.default.svc.cluster.local"]
    methods: ["GET"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: myservice
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/default"
  - user: "default"
  roleRef:
    kind: ServiceRole
    name: "myservice"

I have myservice -> myapp where myapp pod uses ServiceAccount default.

kubectl get pod myapp-8994abf23f-75vtk -o yaml | grep service
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- --serviceCluster
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
serviceAccount: default
serviceAccountName: default

I would expect if I exec into myapp pod which uses myservice, to be able to curl http://httpbin:8000/headers service, but I still get RBAC: access denied. It only works with user: "*".
What am I supposed to put for user?