I have an issue when trying to apply an AuthorizationPolicy with matchLabels for a specific app, and am noticing that the policy doesn't work if I specify any paths, but it works when applying just to the host.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-ap
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals:
        - example/*
    to:
    - operation:
        hosts:
        - example.com
        methods:
        - GET
        - POST
        paths:
        - "/api/*" # api requires jwt token
  - to:
    - operation:
        hosts:
        - example.com
        methods:
        - GET
        paths:
        - "/api/jwks" # want to make this publicly accessible
However, when I create this AuthorizationPolicy in the istio-system namespace, I am able to use these paths, and when I enable logging and tail the output:
INGRESS_GATEWAY=$(kubectl get pods -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}')
kubectl exec $INGRESS_GATEWAY -c istio-proxy -n istio-system -- curl -X POST "localhost:15000/logging?filter=debug" -s
kubectl logs -f -n istio-system $INGRESS_GATEWAY
I see additional logging for the JWT token which doesn't appear when not running in the istio-system namespace.
2022-10-24T05:33:37.994178Z debug envoy filter AuthenticationFilter::decodeHeaders with config
I have different RequestAuthentication and AuthorizationPolicy resources that I need to apply depending on the workload for the same host; is this not possible?
I’ve created this as an issue: AuhorizationPolicy with non istio-system match selector doesn't support matching on path operation · Issue #41602 · istio/istio · GitHub
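To make the intended semantics of the policy in the post concrete, here is an added example (not from the post, and not Istio's own code) that evaluates the two rules against sample requests the way Istio documents ALLOW policies: once an ALLOW policy selects a workload, a request is permitted only if at least one rule matches, and everything else is denied. The `Request` class, the `match_pattern`/`rule_matches`/`is_allowed` helpers and the sample requests are constructed for this illustration; the evaluator does not model why the policy behaves differently outside istio-system, only what the rules say should happen.

```python
"""Toy evaluator for the ALLOW AuthorizationPolicy from the post (added example)."""
from dataclasses import dataclass
from typing import Optional

# The post's policy rules, transcribed as a Python structure.
POLICY = {
    "action": "ALLOW",
    "rules": [
        {   # rule 1: /api/* needs a validated JWT whose principal is example/<sub>
            "from": [{"source": {"requestPrincipals": ["example/*"]}}],
            "to": [{"operation": {"hosts": ["example.com"],
                                  "methods": ["GET", "POST"],
                                  "paths": ["/api/*"]}}],
        },
        {   # rule 2: /api/jwks is public for GET (no "from" clause)
            "to": [{"operation": {"hosts": ["example.com"],
                                  "methods": ["GET"],
                                  "paths": ["/api/jwks"]}}],
        },
    ],
}


@dataclass
class Request:
    """Hypothetical request model: principal is 'iss/sub' from a validated JWT, or None."""
    host: str
    method: str
    path: str
    principal: Optional[str] = None


def match_pattern(pattern: str, value: str) -> bool:
    """Istio-style string match: exact, prefix ('/api/*'), suffix ('*/jwks'), or any ('*')."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def match_list(patterns, value) -> bool:
    """An absent field matches anything; a present list must contain a matching entry.
    A missing value (e.g. no JWT principal) can never satisfy a present list."""
    if patterns is None:
        return True
    if value is None:
        return False
    return any(match_pattern(p, value) for p in patterns)


def rule_matches(rule: dict, req: Request) -> bool:
    """A rule matches when some 'from' source AND some 'to' operation match."""
    from_ok = True
    if "from" in rule:
        from_ok = any(match_list(src["source"].get("requestPrincipals"), req.principal)
                      for src in rule["from"])
    to_ok = True
    if "to" in rule:
        to_ok = any(
            match_list(op["operation"].get("hosts"), req.host)
            and match_list(op["operation"].get("methods"), req.method)
            and match_list(op["operation"].get("paths"), req.path)
            for op in rule["to"])
    return from_ok and to_ok


def is_allowed(policy: dict, req: Request) -> bool:
    """Workload covered only by this ALLOW policy: allowed iff at least one rule matches."""
    assert policy["action"] == "ALLOW"
    return any(rule_matches(rule, req) for rule in policy["rules"])


if __name__ == "__main__":
    # Constructed sample requests covering the public JWKS path, the protected API and a stray path.
    samples = [
        Request("example.com", "GET", "/api/jwks"),
        Request("example.com", "POST", "/api/jwks"),
        Request("example.com", "GET", "/api/users"),
        Request("example.com", "GET", "/api/users", principal="example/alice"),
        Request("example.com", "POST", "/api/users", principal="other-issuer/alice"),
        Request("example.com", "GET", "/health"),
    ]
    for req in samples:
        verdict = "ALLOW" if is_allowed(POLICY, req) else "DENY"
        print(f"{verdict:5} {req.method:4} {req.host}{req.path} principal={req.principal}")
```

The run shows the two things worth checking before debugging the gateway itself: `/api/jwks` is reachable without a token only for GET, and any path not covered by a rule (here `/health`) is denied rather than falling through, because an ALLOW policy on the workload turns everything unmatched into a deny.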