I am trying to use authorization policies to restrict HTTP traffic so that it is only allowed from other services within the same namespace and from the istio-ingressgateway.
Within the same namespace I would like to be able to access all endpoints in all services, but from the istio-ingress I only want to allow calls to endpoints with the prefix /external/*.
To implement this I created a deny-all authorization policy, and then two others: one using a rule with namespace = ‘istio-system’ and a to operation path = “/external/*”, and another one with from namespace = <current namespace>. All policies are created in <current namespace>.
I have tried to get this to work as in the examples provided by Istio, but without much success. I get ‘RBAC: access denied’ for all calls, both those coming from another service in the same namespace and those routed through the istio-ingress.
Could someone point me in the right direction?
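For reference, here is how the three policies described above fit together, written out as an added example (not the poster's manifests). It assumes the application namespace is called `my-namespace` (placeholder) and that the ingress gateway runs in `istio-system`; it also includes the PeerAuthentication that the source-based rules depend on, since `source.namespaces` is derived from the peer certificate and cannot match plaintext callers.

```yaml
# Added example, not from the original post. "my-namespace" is a placeholder.
# source.namespaces is read from the caller's mTLS certificate; without
# enforced mTLS the namespace is unknown, no ALLOW rule matches, and the
# deny-all policy answers every request with "RBAC: access denied".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: my-namespace
spec:
  mtls:
    mode: STRICT
---
# Deny-all: an ALLOW policy with no rules matches nothing, so every
# request is rejected unless another ALLOW policy admits it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: my-namespace
spec: {}
---
# Ingress gateway (istio-system) may only reach paths under /external/.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-ingress-external
  namespace: my-namespace
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["istio-system"]
    to:
    - operation:
        paths: ["/external/*"]
---
# Any workload in the same namespace may reach every path.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-same-namespace
  namespace: my-namespace
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["my-namespace"]
```

With mTLS in PERMISSIVE mode, a quick check is whether the calling pods actually have sidecars; a request that arrives in plaintext carries no source identity and will be denied even though the policies look correct.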