group     string
		version   string
		resource  string
	}{
		{
			version:  "v1",
			resource: "namespaces",
		},
		{
			group:    "rbac.authorization.k8s.io",
			version:  "v1",
			resource: "clusterroles",
		},
		{
			group:    "rbac.authorization.k8s.io",
			version:  "v1",
			resource: "clusterrolebindings",
		},
		{
			group:    "apiextensions.k8s.io",
			version:  "v1",

- **Focus**:
  1. Authentication and authorization mechanisms.
  1. Interaction between security components and Istio control plane.
  1. Validation of mutual TLS (mTLS) configurations.
  1. Testing of JWT token validation and RBAC policies.
  1. Validation of certificate management and rotation.
- **Setup**: The main test setup in this folder initializes the Istio control plane with security configurations.

## Adding a New Integration Test

    - [RBAC](https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/rbac.yaml) - this creates the service account the CNI plugin is configured to use to access the kube-api-server...

- Added RBAC reconcile commands with `kubectl auth reconcile -f FILE`. When
  passed a file which contains RBAC roles, rolebindings, clusterroles, or
  clusterrolebindings, this command computes covers and adds the missing rules.
  The logic required to properly apply RBAC permissions is more complicated

This is fairly straightforward.

First, we need to check that this traffic is allowed.
Traffic may be denied by RBAC policies (especially from a `STRICT` mode enforcement, which denies plaintext traffic).

If it is allowed, we will forward to the target destination.

#### Hairpin

#### **RBAC**

*   New permissions have been added to default RBAC roles ([#52654](https://github.com/kubernetes/kubernetes/pull/52654),[ @liggitt](https://github.com/liggitt)):
    *   The default admin and edit roles now include read/write permissions
    *   The view role includes read permissions on poddisruptionbudget.policy resources.

* kube-up: increase download timeout for kubernetes.tar.gz ([#29426](https://github.com/kubernetes/kubernetes/pull/29426), [@justinsb](https://github.com/justinsb))
* Fix RBAC authorizer of ServiceAccount ([#29071](https://github.com/kubernetes/kubernetes/pull/29071), [@albatross0](https://github.com/albatross0))

  // EvaluationError is an indication that some error occurred during the authorization check.
  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
  // +optional
  optional string evaluationError = 3;
}

  // EvaluationError is an indication that some error occurred during the authorization check.
  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
  // +optional
  optional string evaluationError = 3;
}

* RBAC: all configured authorizers are now checked to determine if an RBAC role or clusterrole escalation (setting permissions the user does not currently have via RBAC) is allowed. ([#56358](https://github.com/kubernetes/kubernetes/pull/56358), [@liggitt](https://github.com/liggitt))