# Role-based Access Control

This section describes the permissions required to access Istio features. The Rancher Istio chart installs three ClusterRoles.
## Cluster-Admin Access

By default, only those with the `cluster-admin` ClusterRole can:
- Install the Istio app in a cluster
- Configure resource allocations for Istio
## Admin and Edit Access

By default, only the Admin and Edit roles can:
- Enable and disable Istio sidecar auto-injection for namespaces
- Add the Istio sidecar to workloads
- View the traffic metrics and traffic graph for the cluster
- Configure Istio's resources (such as the gateway, destination rules, or virtual services)
## Summary of Default Permissions for Kubernetes Default Roles

Istio creates three ClusterRoles and adds Istio CRD access to the following default Kubernetes ClusterRoles:
| ClusterRole created by chart | Default K8s ClusterRole | Rancher Role |
|---|---|---|
| istio-admin | admin | Project Owner |
| istio-edit | edit | Project Member |
| istio-view | view | Read-only |
Rancher will continue to use cluster-owner, cluster-member, project-owner, project-member, etc. as role names, but will use the default Kubernetes roles to determine access. For each default Kubernetes ClusterRole there are different Istio CRD permissions and Kubernetes actions (Create (C), Get (G), List (L), Watch (W), Update (U), Patch (P), Delete (D), All (*)) that can be performed.
| CRDs | Admin | Edit | View |
|---|---|---|---|
| | GLW | GLW | GLW |
| | * | * | GLW |
| | * | * | GLW |
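The following Python script is an added example, not code from the Rancher documentation or the rancher-istio chart. It shows how the three chart ClusterRoles end up extending the default `admin`/`edit`/`view` roles, and how the verb abbreviations in the table above (`GLW`, `*`) are derived from ClusterRole rules. It assumes the chart attaches its roles through Kubernetes ClusterRole aggregation labels (`rbac.authorization.k8s.io/aggregate-to-<role>`), which is the standard mechanism for adding CRD access to the default roles; the rules and API group names below are constructed placeholders, since the page's table does not name the CRDs.

```python
"""Derive per-role Istio CRD permissions from aggregated ClusterRole rules.

Added example (not from Rancher or the rancher-istio chart). Assumes the
chart's istio-* ClusterRoles aggregate into admin/edit/view via labels, and
uses constructed sample rules with placeholder API groups.
"""

# Verb abbreviations used by the page's summary table, in the page's order.
VERB_LETTERS = {
    "create": "C", "get": "G", "list": "L", "watch": "W",
    "update": "U", "patch": "P", "delete": "D",
}
AGGREGATE_LABEL = "rbac.authorization.k8s.io/aggregate-to-{}"

# Constructed sample ClusterRoles (placeholder groups, not the chart's manifests).
# Each dict mirrors the metadata.labels and rules fields of a ClusterRole.
ISTIO_CLUSTERROLES = [
    {"name": "istio-admin",
     "labels": {AGGREGATE_LABEL.format("admin"): "true"},
     "rules": [
         {"apiGroups": ["group-a.istio.example"], "resources": ["*"],
          "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["group-b.istio.example", "group-c.istio.example"],
          "resources": ["*"], "verbs": ["*"]}]},
    {"name": "istio-edit",
     "labels": {AGGREGATE_LABEL.format("edit"): "true"},
     "rules": [
         {"apiGroups": ["group-a.istio.example"], "resources": ["*"],
          "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["group-b.istio.example", "group-c.istio.example"],
          "resources": ["*"], "verbs": ["*"]}]},
    {"name": "istio-view",
     "labels": {AGGREGATE_LABEL.format("view"): "true"},
     "rules": [
         {"apiGroups": ["group-a.istio.example", "group-b.istio.example",
                        "group-c.istio.example"],
          "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
]


def aggregated_roles(default_role, cluster_roles=ISTIO_CLUSTERROLES):
    """Names of ClusterRoles carrying the aggregate-to-<default_role> label."""
    label = AGGREGATE_LABEL.format(default_role)
    return [cr["name"] for cr in cluster_roles if cr["labels"].get(label) == "true"]


def allowed_verbs(default_role, api_group, cluster_roles=ISTIO_CLUSTERROLES):
    """Verbs the default role gets on api_group through its aggregated roles.

    A rule whose verbs contain "*" grants every verb, as the API server does.
    """
    names = set(aggregated_roles(default_role, cluster_roles))
    verbs = set()
    for cr in cluster_roles:
        if cr["name"] not in names:
            continue
        for rule in cr["rules"]:
            if api_group in rule["apiGroups"] or "*" in rule["apiGroups"]:
                if "*" in rule["verbs"]:
                    return set(VERB_LETTERS)
                verbs.update(rule["verbs"])
    return verbs


def can_i(default_role, verb, api_group, cluster_roles=ISTIO_CLUSTERROLES):
    """Offline analogue of `kubectl auth can-i <verb> <resource>` for one CRD group."""
    return verb in allowed_verbs(default_role, api_group, cluster_roles)


def verb_letters(default_role, api_group, cluster_roles=ISTIO_CLUSTERROLES):
    """Render the page's abbreviation: '*' for all verbs, else letters in CGLWUPD order."""
    verbs = allowed_verbs(default_role, api_group, cluster_roles)
    if verbs == set(VERB_LETTERS):
        return "*"
    return "".join(letter for verb, letter in VERB_LETTERS.items() if verb in verbs)


def summary_table(cluster_roles=ISTIO_CLUSTERROLES):
    """Rebuild the CRDs x (Admin, Edit, View) table from the rules."""
    groups = sorted({g for cr in cluster_roles for r in cr["rules"] for g in r["apiGroups"]})
    return {g: {role: verb_letters(role, g, cluster_roles)
                for role in ("admin", "edit", "view")} for g in groups}


if __name__ == "__main__":
    for group, cols in summary_table().items():
        print(f"{group} | {cols['admin']} | {cols['edit']} | {cols['view']}")
```

Running the script prints one table row per placeholder group; `can_i` is the check to reach for when confirming that a Project Member (`edit`) cannot delete a CRD instance that only `admin` should manage, before granting anyone a Rancher role.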