Thank you @nrjpoddar and @hzxuzhonghu, that really helped and I got the simple use-case working using the examples, but, when I want to deny access based on ns using “source:” it does not work…
This is what I’m after:
app (namespace: dev1) —> sidecar --> (DENY from dev1 ns) Egress GW —> CNN
app (namespace: dev2) —> sidecar --> (ALLOW from dev2 ns) Egress GW —> CNN
The following 1st authorization policy in the “istio-system” ns works fine (without “source:” defined).
1st policy (blocks the request as expected):
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-cnn-politics-egress
spec:
  selector:
    matchLabels:
      istio: egressgateway
  action: DENY
  rules:
  - to:
    - operation:
        hosts: ["edition.cnn.com"]
        paths: ["/politics"]
kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -o /dev/null -D - http://edition.cnn.com/politics
HTTP/1.1 403 Forbidden
...
This Authz Pol (which uses the “default” ns as source) does not work:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-cnn-politics-egress
spec:
  selector:
    matchLabels:
      istio: egressgateway
  action: DENY
  rules:
  - from:
    - source:
        namespaces: ["default"]
    to:
    - operation:
        hosts: ["edition.cnn.com"]
        paths: ["/politics"]
kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -o /dev/null -D - http://edition.cnn.com/politics
HTTP/1.1 301 Moved Permanently
...
Any ideas why http://edition.cnn.com/politics can still be reached using the 2nd policy although the 1st policy can block the request, as expected?
I read that mTLS mutual auth needs to be configured. I have tested the bookinfo app and verified using Kiali that all traffic between bookinfo services is secured with mTLS (lock icon). When I view the sleep pod and the egress gw in Kiali, it shows no lock icon. I would expect mTLS to be in use for AuthZ rbac to work. I assume I need to activate mTLS between the sleep pod and the egress gw. How can I get that to work, please?
I tried to add the following to the “egressgateway-for-cnn” DR, but I get 503s and the error “upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER”
trafficPolicy:
  tls:
    mode: ISTIO_MUTUAL
Any more help much appreciated.
Here are all my settings, which are from the examples:
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: cnn
  namespace: default
spec:
  hosts:
  - edition.cnn.com
  ports:
  - name: http-port
    number: 80
    protocol: HTTP
  - name: https
    number: 443
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: default
spec:
  selector:
    istio: egressgateway
  servers:
  - hosts:
    - edition.cnn.com
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egressgateway-for-cnn
  namespace: default
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: cnn
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
  namespace: default
spec:
  gateways:
  - istio-egressgateway
  - mesh
  hosts:
  - edition.cnn.com
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
        subset: cnn
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 80
      weight: 100
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-cnn-politics-egress
  namespace: istio-system
spec:
  action: DENY
  rules:
  - from:
    - source:
        namespaces:
        - default
    to:
    - operation:
        hosts:
        - edition.cnn.com
        paths:
        - /politics
  selector:
    matchLabels:
      istio: egressgateway
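The sidecar-to-egress-gateway hop with mTLS on both ends, as an added example that is not part of the original post: the Gateway server is declared as HTTPS with `tls.mode: ISTIO_MUTUAL` (so it does not receive TLS on a plain-HTTP listener, which is what the WRONG_VERSION_NUMBER error indicates), and the DestinationRule subset turns on ISTIO_MUTUAL for that port. This follows the pattern of the Istio egress-gateway TLS-origination task; the resource names and the `cnn` subset are the ones already used in the post, and the AuthorizationPolicy above is left unchanged.

```yaml
# Added example: declare the gateway listener as mTLS so the sidecar's
# ISTIO_MUTUAL client connection terminates correctly on the egress gateway.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: default
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: https-port-for-tls-origination   # protocol must be HTTPS, not HTTP
      protocol: HTTPS
    hosts:
    - edition.cnn.com
    tls:
      mode: ISTIO_MUTUAL   # gateway presents and requires Istio mesh certificates
---
# Added example: the DestinationRule is where the sidecar is told to originate
# mTLS toward the gateway; setting it per port matches the listener above.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egressgateway-for-cnn
  namespace: default
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: cnn
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 80
        tls:
          mode: ISTIO_MUTUAL     # mesh certs carry the source namespace identity
          sni: edition.cnn.com   # SNI used to select the matching gateway server
```

With the gateway seeing a mesh-authenticated peer certificate, the `source.namespaces` condition in the DENY policy has an identity to match on; without mTLS on this hop that field is simply empty and the rule never fires.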