Comparing Maistra and upstream Istio community installations
An installation of Maistra differs from upstream Istio community installations in multiple ways. The modifications to Maistra are sometimes necessary to resolve issues, provide additional features, or to handle differences when deploying on OpenShift or OKD.
The current release of Maistra differs from the current upstream Istio community release in the following ways:
Enabling automatic injection for your deployments differs between the upstream Istio releases and the Maistra releases. The upstream sidecar injector will inject all deployments within specifically labelled namespaces whereas the Maistra version relies on opting in and the presence of the
sidecar.istio.io/inject annotation. For more information please refer to the the automatic injection section.
Role Based Access Control features
Role Based Access Control (RBAC) provides a mechanism to control access to a service. You can identify subjects by username or by specifying a set of properties and apply access controls accordingly.
The upstream Istio community installation includes options to perform exact matches on a header, identifying headers which are present (wildcard), or checking for a header containing a specific prefix or suffix.
The following example demonstrates how upstream Istio handles the header matching within a ServiceRoleBinding
apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRoleBinding metadata: name: httpbin-client-binding namespace: httpbin spec: subjects: - user: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account" properties: request.headers[<header>]: "value"
The Maistra distribution extends the ability to match request headers by supporting the use of a regular expression. To use this functionality, specify a property key of
request.regex.headers with a regular expression as the value.
The following example demonstrates how Maistra matches request headers by using regular expressions
apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRoleBinding metadata: name: httpbin-client-binding namespace: httpbin spec: subjects: - user: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account" properties: request.regex.headers[<header>]: "<regular expression>"