Getting 403 unauthorised request

I have a local k8s cluster with istio and metallb and keycloak (I did not configure it) and I am learning istio. I have an nginx pod and I am trying to configure the istio gateway, virtual service, etc. The workflow would be client --https--> istio --http--> nginx pod. I got all the different pieces of the puzzle in place but I am receiving a 403 Unauthorized request error when I try to access nginx. The istio proxy sidecar container log doesn’t show my requests.

The istio-ingressgateway logs show:

kubectl logs -n istio-system -l app=istio-ingressgateway  -f | grep nginx
[2022-11-15T13:26:13.285Z] "GET / HTTP/2" 403 - "-" 0 20 1 - "10.46.128.0" "curl/7.68.0" "9a7def99-915a-4dca-be36-892c09dc8c3f" "my-nginx-test.alps.cscs.ch" "-" - - 10.40.128.12:443 10.46.128.0:15551 my-nginx-test.alps.cscs.ch -

I have no idea what’s going on but it looks like something else is catching them and returning the 403?

  • Could someone please help me understand what could be happening?
  • Is there a way to tell istio to check if a client has authenticated against keycloak or something else?
  • Which component would be responsible for that?
  • Where can I find documentation about it?
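
An added example, not part of the original post: it parses the ingress gateway log line quoted above and reports whether the logging proxy answered the request itself or forwarded it upstream. The field names are an assumption based on Istio's default Envoy access-log layout (the post does not say which format is configured), and the second sample line is constructed for contrast.

```python
import re

# Names for the last eight fields, assumed from Istio's default Envoy
# access-log layout; the post does not say which format is configured.
TAIL = ("authority", "upstream_host", "upstream_cluster", "upstream_local",
        "downstream_local", "downstream_remote", "sni", "route_name")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field or a bare word

def parse_access_log(line):
    """Split one access-log line into a dict of the fields used below."""
    _, sep, rest = line.partition("] ")
    if not sep:
        raise ValueError("no leading [timestamp] field")
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(rest)]
    if len(tokens) < len(TAIL) + 2:
        raise ValueError("too few fields for the assumed layout")
    rec = dict(zip(TAIL, tokens[-len(TAIL):]))
    rec["request"] = tokens[0]
    rec["status"] = int(tokens[1])
    return rec

def responder(rec):
    """'proxy' if no upstream host was selected, else 'upstream'."""
    return "proxy" if rec["upstream_host"] == "-" else "upstream"

# Log line exactly as quoted in the post.
PAGE_LINE = ('[2022-11-15T13:26:13.285Z] "GET / HTTP/2" 403 - "-" 0 20 1 - '
             '"10.46.128.0" "curl/7.68.0" '
             '"9a7def99-915a-4dca-be36-892c09dc8c3f" '
             '"my-nginx-test.alps.cscs.ch" "-" - - 10.40.128.12:443 '
             '10.46.128.0:15551 my-nginx-test.alps.cscs.ch -')

# Constructed line: the same request if it had been forwarded to a pod.
CONSTRUCTED_LINE = ('[2022-11-15T13:30:00.000Z] "GET / HTTP/2" 200 - "-" 0 '
                    '615 3 2 "10.46.128.0" "curl/7.68.0" '
                    '"00000000-0000-0000-0000-000000000000" '
                    '"my-nginx-test.alps.cscs.ch" "10.42.0.15:80" '
                    'outbound|80||my-nginx.default.svc.cluster.local '
                    '10.42.0.7:41234 10.40.128.12:443 10.46.128.0:15552 '
                    'my-nginx-test.alps.cscs.ch -')

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        rec = parse_access_log(line)
        print(rec["status"], rec["authority"], "answered by", responder(rec))
```

A line whose upstream host is "-" was answered by the proxy that wrote the log entry, so no request was sent on to a backend pod or its sidecar.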