yanniszark/istio-reproducer-rbac.yaml

## istio-reproducer-rbac.yaml
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: access-server
  namespace: test-istio-rbac
spec:
  rules:
  - services:
    - 'server.*'

---

apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: access-server
  namespace: test-istio-rbac
spec:
  roleRef:
    kind: ServiceRole
    name: access-server
  subjects:
  - properties:
      source.principal: cluster.local/ns/test-istio-rbac/sa/default

---

# DestinationRule for mTLS
apiVersion: "networking.istio.io/v1alpha3"
kind: DestinationRule
metadata:
  name: server-mtls
  namespace: test-istio-rbac
spec:
  host: server.test-istio-rbac.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

## istio-reproducer.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test-istio-rbac
  labels:
    istio-injection: enabled

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: client
  namespace: test-istio-rbac
spec:
  selector:
    matchLabels:
      app: client
  template:
    metadata:
      labels:
        app: client
    spec:
      containers:
      - name: client
        image: nicolaka/netshoot
        command:
          - "/bin/bash"
          - "-c"
          - "sleep infinity"

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: server
  namespace: test-istio-rbac
spec:
  selector:
    matchLabels:
      app: server
  template:
    metadata:
      labels:
        app: server
    spec:
      containers:
      - name: server
        image: nicolaka/netshoot
        command:
          - "/bin/bash"
          - "-c"
          - "sleep infinity"
        ports:
        - containerPort: 8081
          name: tcp-porta

---

apiVersion: v1
kind: Service
metadata:
  name: server
  namespace: test-istio-rbac
spec:
  selector:
    app: server
  ports:
  - port: 8081
    targetPort: tcp-porta
    name: tcp-porta
	apiVersion: rbac.istio.io/v1alpha1
	kind: ServiceRole
	metadata:
	name: access-server
	namespace: test-istio-rbac
	spec:
	rules:
	- services:
	- 'server.*'

	---

	apiVersion: rbac.istio.io/v1alpha1
	kind: ServiceRoleBinding
	metadata:
	name: access-server
	namespace: test-istio-rbac
	spec:
	roleRef:
	kind: ServiceRole
	name: access-server
	subjects:
	- properties:
	source.principal: cluster.local/ns/test-istio-rbac/sa/default

	---

	# DestinationRule for mTLS
	apiVersion: "networking.istio.io/v1alpha3"
	kind: DestinationRule
	metadata:
	name: server-mtls
	namespace: test-istio-rbac
	spec:
	host: server.test-istio-rbac.svc.cluster.local
	trafficPolicy:
	tls:
	mode: ISTIO_MUTUAL
	apiVersion: v1
	kind: Namespace
	metadata:
	name: test-istio-rbac
	labels:
	istio-injection: enabled

	---

	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: client
	namespace: test-istio-rbac
	spec:
	selector:
	matchLabels:
	app: client
	template:
	metadata:
	labels:
	app: client
	spec:
	containers:
	- name: client
	image: nicolaka/netshoot
	command:
	- "/bin/bash"
	- "-c"
	- "sleep infinity"

	---

	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: server
	namespace: test-istio-rbac
	spec:
	selector:
	matchLabels:
	app: server
	template:
	metadata:
	labels:
	app: server
	spec:
	containers:
	- name: server
	image: nicolaka/netshoot
	command:
	- "/bin/bash"
	- "-c"
	- "sleep infinity"
	ports:
	- containerPort: 8081
	name: tcp-porta

	---

	apiVersion: v1
	kind: Service
	metadata:
	name: server
	namespace: test-istio-rbac
	spec:
	selector:
	app: server
	ports:
	- port: 8081
	targetPort: tcp-porta
	name: tcp-porta