I’m new to Istio so I’m sorry if this is a dumb question but I saw it posted elsewhere without any answer.
I would have assumed that I could set up a default to deny all traffic in a namespace and then whitelist the traffic that I want to allow. But it seems that DENY policies are evaluated before ALLOW policies as per the documentation here:
So, how can I achieve a default to deny any traffic that doesn’t have an explicit ALLOW policy?
My reading of the documentation is that as long as you define one “Allow” authorization policy that applies to a namespace then requests that aren’t matched by an allow policy are denied.
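
The behaviour described in this answer, written out as an added configuration example (not part of the original posts): an ALLOW policy with no rules sets the namespace baseline to deny, and a second ALLOW policy opens one path. The namespace `demo`, the label `app: backend`, the service account `frontend` and the path `/api/*` are assumptions made for illustration.

```yaml
# Constructed example; the namespace "demo", label "app: backend", service
# account "frontend" and path "/api/*" are assumptions, not values from the thread.

# 1) Namespace-wide baseline: an ALLOW policy with no rules.
#    The action defaults to ALLOW and an empty spec matches no request, so
#    once this policy applies, any request to a workload in "demo" that is
#    not matched by another ALLOW policy is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: demo
spec: {}
---
# 2) Explicit allowance for one workload: only GET requests under /api/
#    from the "frontend" service account reach pods labelled app=backend.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend-allow-frontend-get
  namespace: demo
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        # Principal matching relies on mutual TLS between the workloads.
        principals: ["cluster.local/ns/demo/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

A DENY policy that matches a request is still evaluated first and overrides both of these, so the baseline only governs traffic that no DENY policy has already rejected.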