AuthorizationPolicy and Namespaces

I am trying to use authorization policies to restrict http traffic to only be allowed from other services within the same namespace and from the istio-ingressgateway.

Within the same namespace I would like to be able to access all endpoints in all services but from the istio-ingress I only want to allow calling endpoints with the prefix /external/*.

To implement this I created a deny-all authorization policy, and then two others: one using a rule with 'from' namespace = 'istio-system' and a 'to' operation path = '/external/*', and another one with 'from' namespace = <current namespace>. All policies are created in <current namespace>.

I have tried to get this to work as in the examples provided by Istio, but without much success. I get 'RBAC: access denied' for all calls, both when coming from another service in the same namespace and when routing through the istio-ingress.
Could someone point me in the right direction?


Ok, I'll answer this myself 🙂
To have namespace and principal as source rules you have to have mTLS enabled in your mesh.
This is not stated in the reference part of the documentation, but can be found in the 'Tasks' section as a note in one of the examples.
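For readers landing here with the same setup, the following is an added, self-contained example of the policy set described in the question together with the mTLS requirement from the answer; it is not the original poster's configuration or Istio's own documentation. The namespace 'myapp' and the path prefix are placeholders; the ingress gateway is assumed to run in 'istio-system' as in the question. The key point is that `source.namespaces` and `source.principals` are derived from the peer certificate presented in the mTLS handshake, so a caller that reaches the sidecar in plaintext has no identity, matches neither ALLOW rule, and falls through to the deny-all policy.

```yaml
# Constructed example: deny-all baseline, two ALLOW policies, and the
# PeerAuthentication that makes the source-identity rules evaluable.
# Namespace 'myapp' is a placeholder for <current namespace>.
---
# Enforce mTLS for every workload in the namespace. Without mTLS the
# sidecar cannot attribute a request to a namespace or service account,
# so the namespace/principal rules below never match (RBAC: access denied).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: myapp
spec:
  mtls:
    mode: STRICT
---
# An ALLOW policy with no rules matches nothing, which denies all traffic
# to workloads in the namespace unless another ALLOW policy matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: myapp
spec: {}
---
# Any workload in the same namespace may call any path on any service.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-same-namespace
  namespace: myapp
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["myapp"]
---
# The ingress gateway (identified by its mTLS certificate) may only reach
# paths under /external/. The trailing '*' is Istio's suffix wildcard.
# To pin this to the gateway's service account instead of the whole
# istio-system namespace, use 'principals' with the gateway's SPIFFE id;
# the account name below is an assumption and varies per install.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-ingress-external
  namespace: myapp
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["istio-system"]
        # principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    to:
    - operation:
        paths: ["/external/*"]
```

Apply with `kubectl apply -f` and verify the mode with `istioctl x describe pod <pod>` (or `istioctl authn tls-check` on older releases), which reports whether the workload's inbound traffic is STRICT mTLS. If the namespace must temporarily keep PERMISSIVE mode for legacy plaintext clients, expect exactly the symptom in the question: the plaintext requests carry no identity and are rejected by deny-all, while mTLS requests from in-mesh peers succeed. Newer Istio releases also accept `security.istio.io/v1` for these kinds.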

