Istio 1.6.4: Authorisation policy ALLOW is denying

Hi,
I am trying to restrict access to my db namespace and allow access only to the service namespace.

When I create an Authorization policy with action ALLOW I am not getting the expected result and it is denied for all, while for DENY it is working perfectly fine. Please help to debug this issue; what are the other parameters to consider?

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: tcp-policy
  namespace: db-ns
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["service-ns"]

Please note that I have enabled mTLS cluster-wide and also have a destination rule for the service namespace to talk to the kafka namespace.

Regards
Sudhamsh

Hi @Sudhamsh_Kandukuri

Deny policies take precedence over allow policies, so if you apply a deny for all, it has higher priority than the allow policy (tcp-policy).
see this

If that is not the case, can you share the deny policy you are using?

Maybe this will help you.

Thanks for the reply Shubham,

I am not having allow and deny together. As I was not getting the desired output with the ALLOW action, I was trying DENY to check if the Authorization policy is working at all.

My problem is that ALLOW policies are not working as expected; they just deny all pods in the service namespace access to the db namespace after I apply an Authorization policy with the ALLOW action.

Regards
Sudhamsh

Hi
Oh, it should work; I don't know why it would not work here. Can you give some more info, like the destination rule which you applied, etc.?
Also check whether any deny policy is there or not.

The following is the DestinationRule:

apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: service-kafka-mtls-disable
  namespace: service-ns
spec:
  host: "*.service-kafka.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE

Regards
Sudhamsh

Am I understanding right that you have to access a svc in the kafka ns from the service ns, and you defined the destination rule in service-ns (client side), not in the ns where the service is deployed (kafka ns), and disabled the tls mode for that? Not sure, maybe it affects other connections also, because the namespaces field requires mTLS enabled: https://istio.io/latest/docs/reference/config/security/authorization-policy/#Source

Try to apply the DR in the kafka ns (where the svc is deployed) or change this mode to ISTIO_MUTUAL or MUTUAL.

Maybe this will help you.

Yes, your understanding is right. Will try to change the DR to Kafka and check.

Perhaps this link would help.

Thanks for the link @Sabyasachi2k

I have a basic question: can an Authorization policy be implemented between namespaces? Most of the examples I see are in the same namespace.

My use-case is as follows with the following namespaces:

Service : service-ns
Database: db-ns
Kafka: kafka-ns (without sidecar, have a Destination Rule (DR) in kafka) [@Shubham I have now changed the DR]

Can I have a policy such that only the pods in service-ns have access to the svc in db-ns on port 27017 [TCP port], and in which namespace should that policy reside?

The below example is also within the same namespace:

Looking for help.

Sure you can. Keep adding whatever ns you want to allow access to in the from/namespaces section. It should work.
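For the use case laid out above (only service-ns pods may reach the svc in db-ns on TCP port 27017), this is an added example manifest, not one of the posters' own. It assumes the database pods in db-ns carry the label app: mongodb (hypothetical) and that mTLS is actually in effect on the connection, since the source namespace is derived from the peer certificate.

```yaml
# Added example for the thread's use case; not the poster's own manifest.
# Assumptions: db pods in db-ns are labelled app: mongodb (hypothetical),
# and the service-ns -> db-ns connection is mTLS so the proxy can
# identify the caller's namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-service-ns-to-db
  # The policy lives in the namespace of the workloads it protects (db-ns),
  # not in the caller's namespace.
  namespace: db-ns
spec:
  # Scope the policy to the database pods only (label is an assumption).
  selector:
    matchLabels:
      app: mongodb
  action: ALLOW
  rules:
  - from:
    - source:
        # Caller identity comes from the peer certificate, so this match
        # only succeeds when the connection is mTLS.
        namespaces: ["service-ns"]
    to:
    - operation:
        # Plain TCP port match; HTTP-only fields (paths, methods) do not
        # apply to a TCP service like this one.
        ports: ["27017"]
```

Once an ALLOW policy is attached to a workload, every connection that matches no rule is denied, so a caller whose traffic arrives in plaintext (for example through a DestinationRule with tls mode DISABLE) or without a sidecar cannot satisfy the namespaces match and is rejected. Check the target workload's PeerAuthentication and any DestinationRule on the client side before assuming the policy itself is wrong.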