503 errors with AuthorizationPolicy and ALLOW with a Rule

I have the following:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: vadal-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: http
      hosts:
        - vadal.local
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echo
  namespace: vadal
spec:
  hosts:
    - vadal.local
  gateways:
    - vadal-gateway.istio-system.svc.cluster.local
  http:
    - match:
      - uri:
          prefix: /echo/
      rewrite:
        uri: /
      route:
        - destination:
            host: vecho.vadal.svc.cluster.local
            port:
              number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: users
  namespace: vadal
spec:
  hosts:
    - vadal.local
  gateways:
    - vadal-gateway.istio-system.svc.cluster.local
  http:
    - match:
        - uri:
            prefix: /users/
      rewrite:
        uri: /
      route:
        - destination:
            host: vusers.vadal.svc.cluster.local
            port:
              number: 80

When trying to set authorization, no rules apart from an empty {} work. They return 503. The DR is also set like so.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: vusers-mtls
  namespace: vadal
spec:
  host: vusers
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: vecho-get
  namespace: vadal
spec:
  selector:
    matchLabels:
      app: vecho
  action: ALLOW
  rules:
    - {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: vusers-get
  namespace: vadal
spec:
  selector:
    matchLabels:
      app: vusers
  action: ALLOW
  rules:
    - to:
        - operation:
            methods: ["GET"]

curl -i vadal.local/echo/ is fine
curl -i vadal.local/users/ gives 503.

It looks like, to make this work, you have to add the text name: http to the k8s service's ports entry:

**- name: http**
  port: 80
  protocol: TCP
  targetPort: 8080
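The follow-up above points at Istio's protocol selection: a Service port is only treated as HTTP when its name is `http`, `http-<suffix>`, `grpc`, etc. (or `appProtocol` is set); otherwise the sidecar treats it as plain TCP, and an AuthorizationPolicy rule that matches HTTP attributes such as `methods` or `paths` can never match. Below is an added lint script, not code from this thread or from the Istio project, that flags an HTTP-only rule guarding a port Istio would classify as TCP. It assumes the manifests have already been parsed into dicts, uses the Service's pod selector as a stand-in for the workload labels an AuthorizationPolicy selector matches (an approximation), and recognizes only the common L7 protocol names; the `vusers`/`vecho` manifests inside it are constructed to mirror the thread.

```python
"""Lint Kubernetes Service port names against Istio AuthorizationPolicy rules.

Istio infers a Service port's protocol from the port `name` (`http`, `http-api`,
`grpc`, `http2`, ...) or from `appProtocol`. A port it cannot classify is treated
as plain TCP, and an AuthorizationPolicy rule that matches HTTP attributes such as
`methods` or `paths` cannot match TCP traffic. This script flags that combination.

The manifests below are constructed sample input, already parsed from YAML into
dicts and modelled on the thread's `vusers` Service and `vusers-get` policy.
"""

# Protocols treated here as HTTP-aware, longest first so "grpc-web" wins over "grpc-".
# (Simplification: Istio knows a few more names; these cover the common cases.)
L7_PROTOCOLS = sorted(["http", "http2", "https", "grpc", "grpc-web"], key=len, reverse=True)
# Rule fields that only make sense for HTTP traffic.
L7_OPERATION_FIELDS = {"methods", "notMethods", "paths", "notPaths", "hosts", "notHosts"}
L7_SOURCE_FIELDS = {"requestPrincipals", "notRequestPrincipals"}


def port_protocol(port):
    """Return the protocol Istio would infer for one Service port entry, or 'tcp'."""
    candidates = [(port.get("appProtocol") or "").lower(), (port.get("name") or "").lower()]
    for value in candidates:
        for proto in L7_PROTOCOLS:
            if value == proto or value.startswith(proto + "-"):
                return proto
    return "tcp"


def rule_needs_l7(rule):
    """True if the rule references HTTP-only attributes (method, path, JWT principal, request.*)."""
    for to in rule.get("to", []):
        if L7_OPERATION_FIELDS & set(to.get("operation", {})):
            return True
    for src in rule.get("from", []):
        if L7_SOURCE_FIELDS & set(src.get("source", {})):
            return True
    return any(cond.get("key", "").startswith("request.") for cond in rule.get("when", []))


def selects(policy, service):
    """Approximation: match the policy's workload selector against the Service's pod selector."""
    want = policy["spec"].get("selector", {}).get("matchLabels", {})
    have = service["spec"].get("selector", {})
    return bool(want) and all(have.get(k) == v for k, v in want.items())


def lint(services, policies):
    """Return one finding per (policy, Service port) pair where an HTTP-only rule guards a TCP port."""
    findings = []
    for policy in policies:
        if not any(rule_needs_l7(r) for r in policy["spec"].get("rules", [])):
            continue
        for svc in services:
            if not selects(policy, svc):
                continue
            for port in svc["spec"].get("ports", []):
                if port_protocol(port) == "tcp":
                    findings.append(
                        f"{policy['metadata']['namespace']}/{policy['metadata']['name']}: "
                        f"HTTP-only rule, but Service {svc['metadata']['name']} port "
                        f"{port['port']} (name={port.get('name')!r}) is treated as TCP; "
                        f"name it 'http'/'http-<suffix>' or set appProtocol"
                    )
    return findings


def service(name, port):
    """Build a minimal Service dict (constructed sample input)."""
    return {"metadata": {"name": name, "namespace": "vadal"},
            "spec": {"selector": {"app": name}, "ports": [port]}}


def policy(name, app, rules):
    """Build a minimal ALLOW AuthorizationPolicy dict (constructed sample input)."""
    return {"metadata": {"name": name, "namespace": "vadal"},
            "spec": {"selector": {"matchLabels": {"app": app}}, "action": "ALLOW", "rules": rules}}


# Unnamed port: the shape that produced the 503 in the thread (constructed).
VUSERS_BEFORE = service("vusers", {"port": 80, "protocol": "TCP", "targetPort": 8080})
# Port named "http": the fix the thread arrived at.
VUSERS_AFTER = service("vusers", {"name": "http", "port": 80, "protocol": "TCP", "targetPort": 8080})
VECHO = service("vecho", {"name": "http", "port": 80, "protocol": "TCP", "targetPort": 8080})

POLICIES = [
    policy("vecho-get", "vecho", [{}]),  # empty rule: no HTTP-only fields, matches on TCP too
    policy("vusers-get", "vusers", [{"to": [{"operation": {"methods": ["GET"]}}]}]),
]

if __name__ == "__main__":
    for line in lint([VUSERS_BEFORE, VECHO], POLICIES) or ["no findings"]:
        print(line)
    print(lint([VUSERS_AFTER, VECHO], POLICIES) or "no findings after naming the port")
```

Run it as-is and the first pass reports exactly one finding, for `vusers-get`, while the `vecho-get` policy with its empty rule passes on both Services; after the port is renamed to `http` the report is empty. In a real cluster you would feed it the output of `kubectl get svc,authorizationpolicy -o json`.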

@YangminZhu can you take a look? Thanks!

This should not be the issue; if it was, he would not have got a “503” but something like a connection reset error, as Istio is strict in that.