I have a local k8s cluster with istio and metallb and keycloak (I did not configure it) and I am learning istio. I have an nginx pod and I am trying to configure the istio gateway, virtual service, etc. The workflow would be client --https--> istio --http--> nginx pod. I got all the different pieces of the puzzle in place but I am receiving a 403 Unauthorized request error when I try to access nginx. The istio proxy sidecar container log doesn’t show my requests.
The istio-ingressgateway logs show:

```
kubectl logs -n istio-system -l app=istio-ingressgateway -f | grep nginx
[2022-11-15T13:26:13.285Z] "GET / HTTP/2" 403 - "-" 0 20 1 - "10.46.128.0" "curl/7.68.0" "9a7def99-915a-4dca-be36-892c09dc8c3f" "my-nginx-test.alps.cscs.ch" "-" - - 10.40.128.12:443 10.46.128.0:15551 my-nginx-test.alps.cscs.ch -
```
I have no idea what’s going on but it looks like something else is catching them and returning the 403?
- Could someone please help me understand what could be happening?
- Is there a way to tell istio to check if a client has authenticated against keycloak or something else?
- Which component would be responsible for that?
- Where can I find documentation about it?