Add Istio policies for the same service in all namespaces

Hi Istio Experts,
We are using Istio (in GKE) for service authZ and JWT checks. Currently we are at Istio 1.2 and will migrate to 1.4 whenever the GKE version is ready for that.
In our world, we have multiple namespaces (almost one for each team or developer). All those namespaces will have the same service (say it is foo).
How can we add a JWT policy which can apply to all foo services? Note that I cannot enable JWT globally because there are some services (bar) that don't require JWT.
As far as I know, I can do a policy like this for the n1 namespace. Is there any generic way to do that?
apiVersion: "
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: n1
spec:
  targets:
  - name: foo
  peers:
  - mtls:
  origins:
  - jwt:
      issuer: "
      jwksUri: "
  principalBinding: USE_ORIGIN

Also, the same question for authZ policy. e.g., we want to block foo to bar in all namespaces.


Ping, can anyone give me some help?

The recommendation from k8s and Istio is to group security-related config, such as Istio authn/z config and k8s RBAC, within a namespace. If you have multiple namespaces, each with the same “foo” service requiring JWT authentication, you will have to configure the policy in each namespace…
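
The per-namespace configuration described in the answer above, scripted as an added example (not part of the original thread and not Istio tooling): it renders the same Policy for every namespace that contains a Service named foo. The function names are hypothetical, the issuer and JWKS values are placeholders, and the apiVersion assumes Istio's v1alpha1 authentication API, which is where the Policy kind lives in Istio 1.2 to 1.4.

```shell
#!/usr/bin/env bash
# Added example: stamp one JWT authentication Policy for a service into
# every namespace that has that service.
# ISSUER and JWKS_URI are placeholders (assumptions); use your IdP's values.
ISSUER="${ISSUER:-https://issuer.example.com}"
JWKS_URI="${JWKS_URI:-https://issuer.example.com/.well-known/jwks.json}"

# Print the Policy manifest for namespace $1 and service $2.
render_policy() {
  cat <<EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: jwt-example
  namespace: $1
spec:
  targets:
  - name: $2
  peers:
  - mtls: {}
  origins:
  - jwt:
      issuer: "$ISSUER"
      jwksUri: "$JWKS_URI"
  principalBinding: USE_ORIGIN
EOF
}

# Read namespace names on stdin (one per line) and emit a multi-document
# YAML stream with one Policy per namespace for service $1.
render_all() {
  while read -r ns; do
    [ -n "$ns" ] || continue   # skip blank lines
    echo "---"
    render_policy "$ns" "$1"
  done
}

# List the namespaces that contain a Service named $1.
namespaces_with_service() {
  kubectl get svc --all-namespaces --field-selector "metadata.name=$1" \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}'
}

# The cluster is only touched when the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
  namespaces_with_service foo | render_all foo | kubectl apply -f -
fi
```

Namespaces without a foo Service get no Policy, so services such as bar that must stay JWT-free are unaffected. Re-run the script whenever a namespace is added, since the generated policies are a snapshot of the namespaces that existed at the time.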