
specify value for "spec.subjects.properties.version" doesn't work as expected in ServiceRoleBinding  #6012

@morvencao


env:

ubuntu: 16.04
istio version: istio-0.8.0
kubernetes version: v1.10.0

Reproduce steps

  1. Download and install istio-0.8.0 with mTLS:

```
curl -L https://git.io/getLatestIstio | sh -
cd istio-0.8.0/
export PATH=$PWD/bin:$PATH
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
```

  2. Try out the Istio RBAC with Bookinfo sample at: https://istio.io/docs/tasks/security/role-based-access-control/
    In the last step, I would like to see only “red” ratings in the “Book Reviews” section, so I specify that only the “reviews” service at version “v3” can access the “ratings” service, following the doc, by updating the bind-ratings ServiceRoleBinding with:

```
apiVersion: "config.istio.io/v1alpha2"
kind: ServiceRoleBinding
metadata:
  name: bind-ratings
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-reviews"
    properties:
      version: "v3"
  roleRef:
    kind: ServiceRole
    name: "ratings-viewer"
```

Point the browser to the Bookinfo productpage (http://$GATEWAY_URL/productpage). I can still see both the “black” and “red” ratings in the “Book Reviews” section.
The results show that both review v2 and v3 can access ratings service.
Expected: Only “red” ratings in “Book Reviews” section.

/cc @gyliu513
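
The semantics the report expects from this binding (a subject matches only when its `user` and every listed property match the caller), written out as an added example that is not part of the original issue and not Istio's code. The matcher is a simplified model, and the caller records and helper names are constructed for illustration.

```python
# Simplified model of the expected subject matching; NOT Istio's implementation.
# The binding mirrors the bind-ratings ServiceRoleBinding from the issue.
BINDING = {
    "subjects": [
        {"user": "cluster.local/ns/default/sa/bookinfo-reviews",
         "properties": {"version": "v3"}},
    ],
    "roleRef": {"kind": "ServiceRole", "name": "ratings-viewer"},
}

REVIEWS_SA = "cluster.local/ns/default/sa/bookinfo-reviews"


def subject_matches(subject, caller):
    """True only if the user AND every listed property match the caller."""
    user = subject.get("user")
    props = subject.get("properties") or {}
    if user is None and not props:
        return False  # an empty subject grants nothing in this model
    if user is not None and user != "*" and user != caller.get("user"):
        return False
    caller_props = caller.get("properties", {})
    return all(caller_props.get(k) == v for k, v in props.items())


def binding_allows(binding, caller):
    """A binding grants its role if any one of its subjects matches."""
    return any(subject_matches(s, caller) for s in binding["subjects"])


def reviews_caller(version):
    """Constructed caller record for a reviews pod of the given version."""
    return {"user": REVIEWS_SA, "properties": {"version": version}}


def access_by_version(binding):
    return {v: binding_allows(binding, reviews_caller(v)) for v in ("v1", "v2", "v3")}


def without_properties(binding):
    """Same binding with properties dropped, for comparison only: it yields
    the reported result for v2 and v3. This is not a diagnosis of the cause."""
    subjects = [{k: v for k, v in s.items() if k != "properties"}
                for s in binding["subjects"]]
    return {**binding, "subjects": subjects}


if __name__ == "__main__":
    print("expected:       ", access_by_version(BINDING))
    print("user-only match:", access_by_version(without_properties(BINDING)))
```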
