Authorization policy clarification for operation.hosts and rules logic

Hi,

I’m fairly new to Istio and I’ve been testing authorization policies and would like to confirm the following:

  1. Can I use k8s service names as shown below where httpbin.bar is the service name for deployment/workload httpbin:
   - to:
     - operation:
         hosts: ["httpbin.bar"]
  2. Are the rules.from and rules.to applied with AND logic? For example, for the following rules with no selector, is the rule meant to only ALLOW access to the httpbin.bar service from service account sleep in foo namespace?
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
  - to:
    - operation:
        hosts: ["httpbin.bar"]

I ask this because I set up 2 services, httpbin.bar and privatehttpbin.bar, and access was granted to privatehttpbin.bar.
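
An added example, not part of the original post: Istio allows a request under an ALLOW policy when it matches at least one entry in `rules`, and within a single entry the `from`, `to` and `when` fields must all match. The two manifests below contrast the list shape posted above with a single-rule form; the policy names and the `bar` namespace are assumptions.

```yaml
# Constructed manifests; metadata names are hypothetical and the "bar"
# namespace is assumed from the host httpbin.bar. Apply one or the other:
# multiple ALLOW policies on the same workload are also OR-ed together.

# Shape as posted: two list items under rules = two independent rules.
# A request is allowed if it matches EITHER rule.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: two-rules-or          # hypothetical name
  namespace: bar              # assumed namespace
spec:                         # no selector: applies to every workload in bar
  action: ALLOW
  rules:
  - from:                     # rule 1: sleep may perform any operation
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
  - to:                       # rule 2: any source may reach host httpbin.bar
    - operation:
        hosts: ["httpbin.bar"]
---
# Single rule: from and to are fields of the same list item (note there is
# no dash before "to"), so the source AND the operation must both match.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: one-rule-and          # hypothetical name
  namespace: bar              # assumed namespace
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
    to:
    - operation:
        hosts: ["httpbin.bar"]
```

Under the first manifest a request from the sleep service account to privatehttpbin.bar matches rule 1 and is allowed; under the second it matches no rule and is denied, provided no other ALLOW policy covers it.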