Authorization policy clarification for operation.hosts and rules logic

Hi,

I’m fairly new to Istio and I’ve been testing authorization policies and would like to confirm the following:

  1. Can I use k8s service names as shown below where httpbin.bar is the service name for deployment/workload httpbin:
   - to:
     - operation:
         hosts: ["httpbin.bar"]
  2. Are the rules.from and rules.to applied with AND logic? For example, for the following rules with no selector, is the rule meant to only ALLOW access to the httpbin.bar service from service account sleep in the foo namespace?
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
  - to:
    - operation:
        hosts: ["httpbin.bar"]

I ask this because I set up 2 services, httpbin.bar and privatehttpbin.bar, and access was granted to privatehttpbin.bar.

  1. Yes, you can use the k8s service name in the host field, but please note that it depends on what host is set in the HTTP request by your workload; the request will be rejected if it doesn’t match the one used in the authorization policy.

  2. Multiple rules are OR-ed together (not AND).
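As an added illustration (not part of either post above), the two policies below contrast the shape the question used with the shape that actually expresses "only sleep in foo may reach httpbin.bar". The policy names, the `bar` namespace and the `app: httpbin` selector label are assumptions for the example; the semantics come from the AuthorizationPolicy rule evaluation order: entries inside one field are OR-ed, the `from`, `to` and `when` sections of one rule are AND-ed, and separate rules are OR-ed.

```yaml
# Example 1 (assumed name): the shape from the question. The "from" and "to"
# blocks sit in two separate rules, and rules are OR-ed, so the policy reads
# "allow if the caller is foo/sleep OR if the Host header is httpbin.bar".
# With no selector it applies to every workload in the namespace, which is why
# sleep could still reach privatehttpbin.bar: the first rule alone matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-two-rules-or   # assumed name
  namespace: bar               # assumed namespace
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
  - to:
    - operation:
        hosts: ["httpbin.bar"]
---
# Example 2 (assumed name): the intended meaning. Both conditions live in ONE
# rule, so they are AND-ed: the request must come from foo/sleep AND carry a
# matching Host header. The selector further scopes the policy to the httpbin
# workload only, so privatehttpbin is left to other policies (or the default
# allow-all when no policy selects it).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-single-rule-and   # assumed name
  namespace: bar                  # assumed namespace
spec:
  selector:
    matchLabels:
      app: httpbin                # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
    to:
    - operation:
        # Both forms are listed because "hosts" is matched against the HTTP
        # Host header the client sends; if the client calls the FQDN, only the
        # FQDN entry matches. Entries within one list are OR-ed.
        hosts: ["httpbin.bar", "httpbin.bar.svc.cluster.local"]
```

A quick way to confirm the behaviour is to apply only the second policy, then issue one request from `sleep` in `foo` (expected 200) and one from a pod using a different service account (expected 403 from the sidecar), and repeat against `privatehttpbin.bar`, which the second policy does not select and therefore does not protect.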