How to debug "enforced denied, matched policy default-deny-all-due-to-bad-CUSTOM-action"?

In trying to explore using an external authorization provider (using an AuthorizationPolicy with an action value of CUSTOM, and corresponding provider configuration there and in Istio’s meshConfig), my service’s Istio/Envoy sidecar logs a message like this:

... debug envoy rbac enforced denied, matched policy default-deny-all-due-to-bad-CUSTOM-action

How do I investigate what’s wrong? What’s bad about my action value of CUSTOM, or what’s going wrong in Istio/Envoy’s attempt to call my custom authorization provider?

(Istio/Envoy doesn’t seem to log anything about its attempt to call my envoyExtAuthzHttp provider, which is an OAuth2-Proxy service, and OAuth2-Proxy’s container’s log doesn’t seem to show any activity after startup.)

(I found the source of the string default-deny-all-due-to-bad-CUSTOM-action in some source, but can’t tell where it’s used or what condition causes it to be used.)

Bueller? Bueller?

Or anybody?

I would recommend you look in your Istiod logs; there will likely be some more detailed logging on what the issue is. I received this error not too long ago and found the issue straight away via Istiod.

3 Likes