403 when hitting url inside cluster

BQ1756 · November 6, 2020, 5:18pm

I want to hit a rest API from a Pod running in the same namespace as the pod running the API endpoint. However, I am seeing a 403 error when I try. What is the root of my issue? How can I solve the issue?

3 pods: clientpod, webpod, apipod
3 services: clientpodsvc, webpodsvc, apipodsvc
IngressGateway+VirtualService: http://service_name.mycompany.com

What works?
kubectl exec clientpod – bash
From the clientpod cli:
curl http://webpodsvc/index.html
curl http://webpodsvc.mycompany.com/index.html
curl http://apipodsvc.mycompany.com/api/HealthCheck

What does not work?
curl http://apipodsvc/api/HealthCheck

curl -I shows:
HTTP/1.1 403 Forbidden
date: Fri, 06 Nov 2020 17:16:02 GMT
server: envoy
x-envoy-upstream-service-time: 1
transfer-encoding: chunked

I also see the 403 errors in the Istio-proxy sidecar logs

Sameer_Naik · November 6, 2020, 10:00pm

Can you execute curl -v http://localhost/api/HealthCheck from apipod to eliminate clientpod sidecar.
Also check the istio error code like UC etc.

BQ1756 · November 7, 2020, 2:33pm

Thank you for the troubleshooting tip. I see the same 403 error for localhost. This issue is an application issue, not an Istio issue.

Topic		Replies	Views
Istio TCP Connection Failure Connection Refused	3	4246	June 20, 2022
Istio (Envoy-proxy sidecar) is blocking http traffic on port 8088 Networking	20	9469	June 4, 2020
Unable to curl httpbin from curl pod Security	1	948	June 18, 2022
403 Envoy Filter Ext Auth	3	2753	October 14, 2020
Envoy lua handler network issues	0	421	May 8, 2020

403 when hitting url inside cluster

Related Topics