Authorization polices issue

claux · November 15, 2023, 12:26pm

Hi Guys,

I’m trying to define authorization policies, but don’t work as expected. I have 4 services called dummy-service1,2,3,4 and want to limit the connection between them.

What I want to do: dummy-service1 should accept requests only from dummy-service2 and dummy-service4, I have created the below authorization policies but not working I get access denied.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service1-deny-post-policy
  namespace: default
spec:
  selector:
    matchLabels:
      run: dummy-service1
  action: ALLOW
  rules:
   - from:
        - source:
            principals: [
             "dummy-service4.default.svc.cluster.local",
             "dummy-service2.default.svc.cluster.local"
           ]

Do you have any idea why is not working in this way?

AlexKad · November 15, 2023, 3:44pm

Hello claux,

is mTLS enabled? Otherwise it won’t work.

I am not sure if the principal has the right format. The following policy works for me:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: myapp
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/my-other-app-sa"]
    to:
    - operation:
        ports: 
        - "9898"

Topic		Replies	Views
Authorization Policy issue with 503 Networking	12	3933	June 15, 2020
Istio 1.6.4: Authorisation policy ALLOW is denying Security	9	1111	August 10, 2020
Authorization policy challenge Security	6	1232	April 4, 2020
AuthorizationPolicy and Namespaces Security	1	2272	February 21, 2020
AuthorizationPolicy security	0	419	April 16, 2021

Authorization polices issue

Related topics