Hey! We have a specific case where we want to control egress traffic on our Kubernetes clusters, and we are considering using Istio for this.
I have configured the egress gateway successfully and would like to deploy an AuthorizationPolicy which would enable me to whitelist specific external endpoints per namespace/workload; however, I would like to leave all cluster-internal (mesh-internal) traffic intact (I don't want to define policies for all internal traffic for now).
I am not sure I am doing it the right way, but it seems that in AuthorizationPolicy there is no distinction between MESH_EXTERNAL and MESH network, so I am not able to achieve this. Currently I have a default allow-nothing policy:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: istio-system
spec:
  {}
```
And then I whitelist an external endpoint per workload:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: external-allow-developers-google-com
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces:
        - "sleep"
    to:
    - operation:
        methods: ["GET"]
    when:
    - key: connection.sni
      values:
      - developers.google.com
```
However, with this approach all mesh-internal traffic is being denied as well. I was thinking about creating a rule to allow any traffic where the SNI is *.svc.cluster.local; however, I am pretty sure this will cause issues, as probably not all microservices use FQDNs when interacting with internal services:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-internal
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["*"]
    when:
    - key: connection.sni
      values:
      - '*.svc.cluster.local'
```
Is there a straightforward way to allow all mesh-internal traffic while explicitly denying mesh-external traffic?
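As an added example (not part of the original post and not an official Istio answer), here is one way to scope the deny-by-default to the egress path only: instead of an unscoped allow-nothing policy in the root namespace, which applies to every workload in the mesh, the policies carry a `selector` so they bind only to the egress gateway pods. Sidecar-to-sidecar traffic inside the mesh is then untouched, and only traffic that passes through the egress gateway has to be explicitly whitelisted per source namespace. The label `istio: egressgateway` is an assumption (it is the label the default Istio egress gateway deployment uses; adjust it to whatever your gateway pods carry), and the `sleep` namespace and the `developers.google.com` host are taken from the post above.

```yaml
# Added example, not from the original post.
# Policy 1: deny everything at the egress gateway. An ALLOW policy with a
# selector and no rules denies all requests for the selected workloads only.
# Assumes the egress gateway pods carry the label istio: egressgateway.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: egress-allow-nothing
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: egressgateway
---
# Policy 2: whitelist one external host for one source namespace at the
# egress gateway. The gateway sees the calling workload's identity because
# the sidecar-to-gateway hop is mTLS, so source.namespaces works here.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: egress-allow-sleep-developers-google-com
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: egressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["sleep"]
    when:
    - key: connection.sni
      values: ["developers.google.com"]
```

Two caveats a practitioner would want to check: this only controls traffic that actually traverses the egress gateway, so sidecars must be prevented from reaching the internet directly (for example by setting the mesh `outboundTrafficPolicy.mode` to `REGISTRY_ONLY` and routing the whitelisted hosts to the gateway with a ServiceEntry plus VirtualService); and `connection.sni` is only populated for TLS connections, so plain-HTTP egress would need a matching `request.headers[host]` or `hosts` condition instead.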