Task
Resolution: Won't Do
Major
The following content was pulled from differences between Maistra and Istio. It should be promoted to a tutorial.
=== Role Based Access Control features
Role Based Access Control (RBAC) provides a mechanism to control access to a service. You can identify subjects by username or by specifying a set of properties and apply access controls accordingly.
The upstream Istio community installation includes options to perform exact matches on a header, to identify headers that are present (wildcard), or to check for a header containing a specific prefix or suffix.
The following example demonstrates how upstream Istio handles header matching within a ServiceRoleBinding:
[source,yaml]
----
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: httpbin-client-binding
  namespace: httpbin
spec:
  subjects:
  - user: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
    properties:
      request.headers[<header>]: "value"
----
The Maistra distribution extends the ability to match request headers by supporting the use of a regular expression. To use this functionality, specify a property key of *request.regex.headers* with a regular expression as the value.
The following example demonstrates how Maistra matches request headers by using regular expressions:
[source,yaml]
----
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: httpbin-client-binding
  namespace: httpbin
spec:
  subjects:
  - user: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
    properties:
      request.regex.headers[<header>]: "<regular expression>"
----
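The matching rules described above, as an added example that is not part of the ticket or of Istio or Maistra code: a small Python model of how a subject's header properties are evaluated, plus a check that lists sample values for which a regular expression answers differently under partial and full matching. Assumptions: the `x-client-id` and `x-env` headers and all sample values are constructed, regex properties are treated as full matches, and Python's `re` dialect stands in for the mesh's regex engine.

```python
import re

def match_value(rule, actual):
    """Upstream-style value match: '*' (present), 'prefix*', '*suffix', else exact."""
    if rule == "*":
        return True
    if rule.endswith("*"):
        return actual.startswith(rule[:-1])
    if rule.startswith("*"):
        return actual.endswith(rule[1:])
    return rule == actual

def subject_matches(properties, headers):
    """True only if every header property of the subject matches the request."""
    present = {name.lower(): value for name, value in headers.items()}
    for key, rule in properties.items():
        parsed = re.fullmatch(r"request\.(regex\.)?headers\[(.+)\]", key)
        if parsed is None:
            return False  # key outside this sketch: fail closed
        value = present.get(parsed.group(2).lower())
        if value is None:
            return False  # a missing header never matches, not even "*"
        if parsed.group(1):
            # Assumption: the whole header value must match the expression.
            if re.fullmatch(rule, value) is None:
                return False
        elif not match_value(rule, value):
            return False
    return True

def anchoring_sensitive(pattern, samples):
    """Sample values a partial match accepts but a full match rejects."""
    rx = re.compile(pattern)
    return [s for s in samples if rx.search(s) and not rx.fullmatch(s)]

# Constructed binding properties and requests (not from the ticket).
PROPS = {"request.regex.headers[x-client-id]": r"team-[0-9]+",
         "request.headers[x-env]": "prod*"}
SAMPLES = ["team-42", "team-42-admin", "xteam-1", "other"]

if __name__ == "__main__":
    for cid in SAMPLES:
        req = {"X-Client-Id": cid, "X-Env": "prod-eu"}
        print(cid, subject_matches(PROPS, req))
    pattern = PROPS["request.regex.headers[x-client-id]"]
    print("review before deploying:", anchoring_sensitive(pattern, SAMPLES))
```

Any value returned by `anchoring_sensitive` is one where the access decision depends on whether the expression is anchored, so write such patterns with explicit `^` and `$` and confirm the behaviour on the deployed mesh.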