Document RBAC set up for ingress key cert protection.

_docs/tasks/traffic-management/ingress.md

@@ -269,6 +269,204 @@ rules.
    curl -I -k https://$INGRESS_HOST/status/200
    ```
 
+1. Configuring RBAC for ingress key/cert.
+
+   There are service accounts which can access this ingress key/cert, and this leads to risks of 
+   leaking key/cert. We can set up Role-Based Access Control ("RBAC") to protect it.
+   [istio/install/kubernetes/istio.yaml](https://github.com/istio/istio/blob/master/install/kubernetes/istio.yaml)
+   defines ClusterRoles and ClusterRoleBindings which allow service accounts in namespace istio-system
+   to access all secret resources. We need to update or replace these RBAC set up to only allow
+   istio-ingress-service-account to access ingress key/cert.
+
+   We can use kubectl to list all secrets in namespace istio-system that we need to protect using RBAC.
+
+   ```bash
+   kubectl get secrets -n istio-system
+   ```
+   This produces the following output:
+
+   ```bash
+   NAME                                        TYPE                                  DATA      AGE
+   istio-ca-secret                             istio.io/ca-root                      2         7d
+   istio-ingress-certs                         kubernetes.io/tls                     2         7d
+   istio-ingress-service-account-token-kwr85   kubernetes.io/service-account-token   3         7d
+   istio.istio-ingress-service-account         istio.io/key-and-cert                 3         7d
+   ......
+   ```
+
+1. Update RBAC set up for istio-pilot-service-account and istio-mixer-istio-service-account.
+
+   Delete existing ClusterRoleBindings and ClusterRole.  
+
+   ```bash
+   kubectl delete ClusterRoleBinding istio-pilot-admin-role-binding-istio-system
+   kubectl delete ClusterRoleBinding istio-mixer-admin-role-binding-istio-system
+   kubectl delete ClusterRole istio-mixer-istio-system
+   ```
+
+   Create istio-pilot-mixer-istio-system.yaml, which allows istio-pilot-service-account and 
+   istio-mixer-service-account to read all kubernetes.io/service-account-token, 
+   istio.io/key-and-cert, and istio.io/ca-root types of secret instances. 
+
+   ```bash
+   kind: ClusterRole
+   apiVersion: rbac.authorization.k8s.io/v1beta1
+   metadata:
+     name: istio-pilot-mixer-istio-system
+   rules:
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio-ca-service-account-token-rl4xm"]
+     verbs: ["get", "list", "watch"]  
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio.istio-ca-service-account"]
+     verbs: ["get", "list", "watch"]
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio-ca-secret"]
+     verbs: ["get", "list", "watch"]
+   ......
+   ---
+   kind: ClusterRoleBinding
+   apiVersion: rbac.authorization.k8s.io/v1beta1
+   metadata:
+     name: istio-pilot-mixer-admin-role-binding-istio-system
+   subjects:
+   - kind: ServiceAccount
+     name: istio-pilot-service-account
+     namespace: istio-system
+   - kind: ServiceAccount
+     name: istio-mixer-service-account
+     namespace: istio-system
+   roleRef:
+     kind: ClusterRole
+     name: istio-pilot-mixer-istio-system
+     apiGroup: rbac.authorization.k8s.io
+   ```
+
+   ```bash
+   kubectl apply -f istio-pilot-mixer-istio-system.yaml
+   ```
+
+1. Update RBAC set up for istio-ingress-service-account.
+
+   Delete existing ClusterRoleBinding and ClusterRole. 
+
+   ```bash
+   kubectl delete clusterrolebinding istio-ingress-admin-role-binding-istio-system
+   kubectl delete ClusterRole istio-pilot-istio-system
+   ```
+
+   Create istio-ingress-istio-system.yaml which allows istio-ingress-service-account to read 
+   istio-ingress-certs as well as other secret instances.
+
+   ```bash
+   kind: ClusterRole
+   apiVersion: rbac.authorization.k8s.io/v1
+   metadata:
+     name: istio-ingress-istio-system
+   rules:
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio-ca-service-account-token-rl4xm"]
+     verbs: ["get", "list", "watch"]  
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio.istio-ca-service-account"]
+     verbs: ["get", "list", "watch"]
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio-ca-secret"]
+     verbs: ["get", "list", "watch"]
+   ......
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio-ingress-certs"]
+     verbs: ["get", "list", "watch"]
+   ---
+   kind: ClusterRoleBinding
+   apiVersion: rbac.authorization.k8s.io/v1
+   metadata:
+     name: istio-ingress-admin-role-binding-istio-system
+   subjects:
+   - kind: ServiceAccount
+     name: istio-ingress-service-account
+     namespace: istio-system
+   roleRef:
+     kind: ClusterRole
+     name: istio-ingress-istio-system
+     apiGroup: rbac.authorization.k8s.io
+   ```
+
+   ```bash
+   kubectl apply -f istio-ingress-istio-system.yaml
+   ```
+
+1. Update RBAC set up for istio-ca-service-account.
+
+   Create istio-ca-istio-system.yaml, which updates existing ClusterRole istio-ca-istio-system that 
+   allows istio-ca-service-account to read, create and modify all istio.io/key-and-cert, 
+   kubernetes.io/service-account-token and istio.io/ca-root types of secrets.
+
+   ```bash
+   kind: ClusterRole
+   apiVersion: rbac.authorization.k8s.io/v1
+   metadata:
+     name: istio-ca-istio-system
+   rules:
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio-ca-service-account-token-rl4xm"]
+     verbs: ["get", "list", "watch", "create", "update"] 
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio.istio-ca-service-account"]
+     verbs: ["get", "list", "watch", "create", "update"]
+   - apiGroups: [""] # "" indicates the core API group
+     resources: ["secrets"]
+     resourceNames: ["istio-ca-secret"]
+     verbs: ["get", "list", "watch", "create", "update"]
+   ......
+   ```
+
+   ```bash
+   kubectl apply -f istio-ca-istio-system.yaml
+   ```
+1. Verify that the new ClusterRoles work as expected.
+
+   ```bash
+   kubectl auth can-i get secret/istio-ingress-certs --as system:serviceaccount:istio-system:istio-ingress-service-account -n istio-system
+   ```
+   whose output should be
+   ```bash
+   yes
+   ```
+   In this command, we can replace verb "get" with "list" or "watch", and the output should always 
+   be "yes". Now let us test with other service accounts.
+
+   ```bash
+   kubectl auth can-i get secret/istio-ingress-certs --as system:serviceaccount:istio-system:istio-pilot-service-account -n istio-system
+   ```    
+   whose output should be
+   ```bash
+   no - Unknown user "system:serviceaccount:istio-system:istio-pilot-service-account"
+   ```
+   In this command, we can replace service account with istio-mixer-service-account, or 
+   istio-ca-service-account, we can also replace verb "get" with "watch" or "list", and the 
+   output should look similarly.
+
+   Accessibility to secret resources except istio-ingress-certs should remain the same for 
+   istio-ca-service-account, istio-ingress-service-account, istio-pilot-service-account and
+   istio-mixer-service-account.
+   ```bash
+   kubectl auth can-i get secret/istio-ca-service-account-token-r14xm --as system:serviceaccount:istio-system:istio-ca-service-account -n istio-system
+   ```
+   whose output should be
+   ```bash
+   yes
+   ```
+
 ## Configuring ingress for gRPC
 
 The ingress controller currently doesn't support `.` characters in the `path`