AuthorizationPolicy issue: readiness and liveness probes throw 403

Hi,

Name:         probes
Namespace:    app-platform
Labels:       <none>
Annotations:  <none>
API Version:  security.istio.io/v1beta1
Kind:         AuthorizationPolicy
Metadata:
  Creation Timestamp:  2019-12-17T09:07:45Z
  Generation:          1
  Resource Version:    188723
  Self Link:           /apis/security.istio.io/v1beta1/namespaces/app-platform/authorizationpolicies/probes
  UID:                 b0813be6-20ac-11ea-afdc-ce6838e62bd6
Spec:
  Rules:
    From:
      Source:
        Namespaces:
          app-platform
    To:
      Operation:
        Hosts:
          my-app.app-platform.svc.cluster.local
        Methods:
          GET
        Paths:
          /actuator/health
        Ports:
          8080

I am facing the error below:
2019-12-17T08:46:28.544162Z debug rbac ignored HTTP permission for TCP service: hosts([my-app.app-platform.svc.cluster.local])
2019-12-17T08:46:28.544185Z debug rbac role skipped for no permission matched
2019-12-17T08:46:28.544222Z debug rbac built tcp filter config: {envoy.filters.network.rbac 0xc002408850 {} 0}
2019-12-17T08:46:28.544276Z debug rbac added TCP filter to filter chain 0

Thanks,
Saif

It's likely that the readiness probe doesn't carry the source information, or that the host is not my-app.app-platform.svc.cluster.local. Can you remove them (both, or one by one) to see if it works?

Also, you may want to check this to bypass the proxy for probe requests.
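Why both fields fail to match for a probe, as an added illustration (not part of the original reply): kubelet sends readiness and liveness probes from the node directly to the pod IP, so the request never passes through a client sidecar and carries no peer identity, which is why a `from.source.namespaces` condition cannot match it; its Host header is the pod IP and port, not the service FQDN. Note also that the debug log above says "ignored HTTP permission for TCP service", meaning Istio treated port 8080 as plain TCP and dropped the HTTP-only conditions (hosts, methods, paths) entirely, leaving the rule with nothing to match. The manifest below is example configuration, not from the original thread: it keeps only conditions a probe can satisfy, names the Service port with the `http-` prefix so it is treated as HTTP, and adds the `sidecar.istio.io/rewriteAppHTTPProbers` pod annotation so the sidecar agent answers probes without going through the inbound authorization filter. The Deployment, Service and label names are assumptions.

```yaml
# Added example, not the original poster's manifests. Assumes a Deployment and
# Service both named my-app in namespace app-platform with label app: my-app.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: probes
  namespace: app-platform
spec:
  selector:
    matchLabels:
      app: my-app            # scope to the workload instead of the whole namespace
  rules:
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/actuator/health"]
        ports: ["8080"]
    # No "from": kubelet probes have no mesh identity, so any source condition
    # would never match them. No "hosts": the probe's Host header is the pod IP.
---
# Declare the port as HTTP so Istio does not fall back to a TCP-only RBAC filter
# (the "ignored HTTP permission for TCP service" message in the debug log).
apiVersion: v1
kind: Service
metadata:
  name: my-app
  namespace: app-platform
spec:
  selector:
    app: my-app
  ports:
  - name: http-8080          # "http-" prefix selects the HTTP protocol
    port: 8080
    targetPort: 8080
---
# Alternative that avoids the policy question for probes altogether: let the
# sidecar agent rewrite the probes so they bypass the Envoy inbound filters.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: app-platform
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
      annotations:
        sidecar.istio.io/rewriteAppHTTPProbers: "true"
    spec:
      containers:
      - name: my-app
        image: example/my-app:1.0   # assumed image name
        ports:
        - containerPort: 8080
        readinessProbe:
          httpGet:
            path: /actuator/health
            port: 8080
        livenessProbe:
          httpGet:
            path: /actuator/health
            port: 8080
```

With the annotation in place, `kubectl describe pod` shows the probes rewritten to the sidecar agent's port, and the allow rule for /actuator/health can be dropped if the health endpoint should not be reachable from other workloads at all.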

Thank you, I was able to overcome the issue. I have one question, though, with respect to the behavior of AuthorizationPolicy.

Suppose I have my-app, backend-app and db-app within the same namespace, and I want to block access from my-app to db-app using an AuthorizationPolicy (service-account based). So, my questions are:

  1. Is the AuthorizationPolicy not applicable to service-to-service communication within a namespace?
  2. Is the AuthorizationPolicy not applicable to service-to-service communication from a different namespace?

I observed "RBAC: access denied" when I was querying from outside using a VirtualService.
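A worked example of the service-account-based block described in the question above; this is added configuration, not an answer from the thread. An AuthorizationPolicy is enforced by the sidecar of the workload it selects on every inbound request, whether the caller sits in the same namespace, another namespace, or arrives through the ingress gateway. What matters is whether the caller's identity is present: the `principals` condition is derived from the client certificate of the mTLS connection, so it only matches callers that go through their own sidecar with mTLS. A plaintext caller has no principal, so a principal-based DENY rule does not match it (and would not block it), while a principal-based ALLOW policy rejects it because nothing matches. The workload labels and service account names below are assumptions.

```yaml
# Added example, not from the original thread. Assumes db-app pods carry the
# label app: db-app and my-app runs under the service account "my-app" in
# namespace app-platform, with mTLS enabled between the sidecars.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-my-app-to-db
  namespace: app-platform
spec:
  selector:
    matchLabels:
      app: db-app            # enforced by the db-app sidecar on inbound requests
  action: DENY
  rules:
  - from:
    - source:
        # SPIFFE identity of the my-app service account; only present when the
        # request arrived over mTLS from my-app's own sidecar.
        principals: ["cluster.local/ns/app-platform/sa/my-app"]
---
# Safer variant: allow-list the callers that should reach db-app. Anything
# without a matching principal (including plaintext clients) gets 403.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: db-app-allowed-callers
  namespace: app-platform
spec:
  selector:
    matchLabels:
      app: db-app
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/app-platform/sa/backend-app"]
```

To check the behaviour, run a request from a my-app pod (for example `kubectl exec` into it and `curl -s -o /dev/null -w '%{http_code}' http://db-app:8080/`); the sidecar on db-app answers 403 with the body "RBAC: access denied", and the same request from a backend-app pod succeeds. If the request from my-app still succeeds under the DENY policy, the usual cause is that the call is not made over mTLS and therefore has no principal to match.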