I’d like to deploy Istio so every service that is added to the mesh has an incoming deny-all policy by default. I see there is a way to create a deny-all authorization policy after the fact but I need a way to make this the default behavior until an allowed policy is explicitly applied.
(Note: I notice that Discuss screws up formatting of replies sent by responding via e-mail. My previous message doesn’t look so bad, but a recent one dropped (or hid) text I sent.)
Thanks for the suggestion! I now have a deny-all authz policy inherited from the root namespace to all leaf namespaces. What I’m trying to achieve now is to allow the developer in a leaf namespace to create an explicit ALLOW authz policy for their services. So leaving the deny-all rule except for the new ALLOW authz policy within the leaf namespace.
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-config
spec:
  action: DENY
  # the rules field has an empty rule, and the policy will always match.
  rules:
  - {}
```
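Added example, not taken from the thread: Istio evaluates DENY policies before ALLOW policies, so a root-namespace DENY that matches every request cannot be opened up by an ALLOW policy in a leaf namespace. The documented deny-by-default pattern is instead an ALLOW policy with no rules in the root namespace, which rejects any request that no ALLOW policy matches, while a leaf-namespace ALLOW created by the service owner still admits traffic. The leaf namespace `team-a`, the workload label `app=reviews` and the `frontend` service account are assumed, and `istio-config` is assumed to be the configured `meshConfig.rootNamespace` as in the thread.

```yaml
# Root-namespace policy: ALLOW action (the default) with no rules.
# Because an ALLOW policy now exists, every request not matched by some
# ALLOW policy is rejected, yet a namespace-scoped ALLOW can still open access.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: istio-config   # assumed to be meshConfig.rootNamespace, as in the thread
spec: {}
---
# Leaf-namespace policy created by the team that owns the service.
# Only GET requests from the assumed "frontend" service account reach
# pods labelled app=reviews; everything else still falls through to deny.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-reviews
  namespace: team-a         # assumed leaf namespace
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: reviews          # assumed workload label
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/team-a/sa/frontend"]   # assumed caller identity
    to:
    - operation:
        methods: ["GET"]
```

Because the root-namespace policy carries no `selector`, it applies to every workload in the mesh, so a leaf namespace with no ALLOW policy of its own receives no traffic at all.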