Auth policy - deny all is allowing traffic?

ceastman-ibm · February 1, 2021, 6:26pm

I am using the sample deny-all policy from Istio / Authorization Policy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: deny-all
 namespace: mynamespace
spec:
  {}

but when i exec into a pod in mynamespace, curl https://www.google.com still works

my environment is istio 1.8.2 i seem to recall this deny-all policy used to work in older versions of istio.

Viru · February 8, 2021, 6:46am

Hi
I believe authorization that you have used does not apply to outgoing traffic
it only blocks incoming traffic.

Topic		Replies	Views
Is it possible to default to deny all traffic? Security	3	945	January 13, 2022
Authorization Policy - ISTIO Security	6	1124	July 2, 2020
Authorization Policies having unexpected results on istio-1.9.0 Networking security	1	559	February 23, 2021
AuthorizationPolicy and Namespaces Security	1	2351	February 21, 2020
Authorization Policy IP allow/deny not working on services different than ingress-gateway Security security	5	5548	August 10, 2020