403 when hitting URL inside cluster

I want to hit a REST API from a Pod running in the same namespace as the pod running the API endpoint. However, I am seeing a 403 error when I try. What is the root of my issue? How can I solve the issue?

3 pods: clientpod, webpod, apipod
3 services: clientpodsvc, webpodsvc, apipodsvc
IngressGateway+VirtualService: http://service_name.mycompany.com

What works?
kubectl exec clientpod -- bash
From the clientpod cli:
curl http://webpodsvc/index.html
curl http://webpodsvc.mycompany.com/index.html
curl http://apipodsvc.mycompany.com/api/HealthCheck

What does not work?
curl http://apipodsvc/api/HealthCheck

curl -I shows:
HTTP/1.1 403 Forbidden
date: Fri, 06 Nov 2020 17:16:02 GMT
server: envoy
x-envoy-upstream-service-time: 1
transfer-encoding: chunked

I also see the 403 errors in the istio-proxy sidecar logs.

Can you execute curl -v http://localhost/api/HealthCheck from apipod to eliminate the clientpod sidecar?
Also check the Istio error code, like UC, etc.

Thank you for the troubleshooting tip. I see the same 403 error for localhost. This issue is an application issue, not an Istio issue.