AuthorizationPolicy and Namespaces

Fredrik · February 20, 2020, 10:14am

Hi
I am trying to use authorization policies to restrict http traffic to only be allowed from other services within the same namespace and from the istio-ingressgateway.

Within the same namespace I would like to be able to access all endpoints in all services but from the istio-ingress I only want to allow calling endpoints with the prefix /external/*.

To implement this I created a deny-all authorization policy. And then two others, one using a rule with namespace = ‘istio-system’ and a to operation path = “/external/*”. And another one with from namespace = <current namespace>. All policies are created in <current namespace>.

I have tried to get this to work as in the examples provided by istio but without greater success. I get ‘RBAC: access denied’ for all calls. Both coming from another service in the same namespace and when routing through the istio-ingress.
Could someone point me in the right direction?

Cheers

Fredrik · February 21, 2020, 2:06pm

Ok, I’ll answer this myself
To have namespace and principal as source rules you have to have mTLS enabled in your mesh.
This is not stated in the reference part of the documentation but can be found in the ‘Tasks’ section as a note in one of the examples.
Cheers

Topic		Replies	Views
Restricting access from one workload to other workload in the same mesh Security	2	548	December 12, 2022
Authorization Policy - ISTIO Security	6	1083	July 2, 2020
Another AuthorizationPolicy Question - IP Whitelist for VirtualService Security	5	2049	February 11, 2021
How to deny/allow connections to external services by source namespace? Security	5	3257	June 17, 2021
Authorization policy istio 1.4+ is not letting whitelist service identity such as service account, namespace for traffic coming from non-mesh Security	2	497	January 28, 2021

AuthorizationPolicy and Namespaces

Related topics