Istio exclusion principle not working

Hi team,

My authenticator is this:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: farmsanta-dev-authenticator
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:

Next, my authorizer is:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: farmsanta-dev-only-authorized-api
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]

My need is to exclude the health API from JWT; for that I created another policy:

apiVersion: "security.istio.io/v1beta1"
kind: AuthorizationPolicy
metadata:
  name: "farmsanta-dev-disable-jwt-for-healthz"
  namespace: dev
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        notPaths: ["/message/ping","/user/ping"]

But I still can't get this to work; Istio still expects /message/ping with a token. Can somebody help with this, as I am new to Istio?

The proper way to exclude the health API from JWT is to just add those paths to the farmsanta-dev-only-authorized-api authorization policy as a new rule, like the following:

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: farmsanta-dev-only-authorized-api
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/message/ping","/user/ping"]

Creating a DENY policy will not work, because DENY policies are evaluated before ALLOW policies; your request will still be denied because it is not matched by the ALLOW policy.

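To see why the DENY attempt fails and the extra ALLOW rule works, the following added example (written for this thread; it is not Istio code and not from the original posts) models Istio's documented authorization order: DENY policies are checked first, a workload with no ALLOW policy allows everything, and once any ALLOW policy exists a request is allowed only if some ALLOW rule matches it. Only the fields used in the thread (requestPrincipals/notRequestPrincipals, paths/notPaths) are modelled, CUSTOM policies are left out, the selector is assumed to match the gateway in every case, and the sample requests and the principal string are constructed. Note also that the DENY policy in the question sits in namespace dev while the ingress gateway pod lives in istio-system; a selector only matches workloads in the policy's own namespace, so that policy was never attached to the gateway in the first place.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    """One request as seen by the gateway's authorization filter."""
    path: str
    principal: Optional[str]  # None: no JWT sent (a bad JWT is already rejected by RequestAuthentication)


def _path_matches(pattern: str, path: str) -> bool:
    # Istio path patterns: exact, or prefix/suffix with a single '*'.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


def _principal_matches(pattern: str, principal: Optional[str]) -> bool:
    return principal is not None and (pattern == "*" or pattern == principal)


def _source_matches(src: dict, req: Request) -> bool:
    # Every field inside one 'source' entry must hold; notRequestPrincipals: ["*"] thus
    # matches only requests that carry no principal at all.
    if "requestPrincipals" in src and not any(
            _principal_matches(p, req.principal) for p in src["requestPrincipals"]):
        return False
    if "notRequestPrincipals" in src and any(
            _principal_matches(p, req.principal) for p in src["notRequestPrincipals"]):
        return False
    return True


def _operation_matches(op: dict, req: Request) -> bool:
    if "paths" in op and not any(_path_matches(p, req.path) for p in op["paths"]):
        return False
    if "notPaths" in op and any(_path_matches(p, req.path) for p in op["notPaths"]):
        return False
    return True


def rule_matches(rule: dict, req: Request) -> bool:
    # A rule matches when each clause it carries ('from', 'to') has at least one matching entry.
    if "from" in rule and not any(_source_matches(f["source"], req) for f in rule["from"]):
        return False
    if "to" in rule and not any(_operation_matches(t["operation"], req) for t in rule["to"]):
        return False
    return True


def policy_matches(policy: dict, req: Request) -> bool:
    return any(rule_matches(r, req) for r in policy.get("rules", []))


def authorize(policies: list, req: Request) -> str:
    """Documented Istio order: any matching DENY denies; no ALLOW policy at all allows;
    otherwise allow only if some ALLOW policy matches. CUSTOM policies are omitted here."""
    if any(policy_matches(p, req) for p in policies if p["action"] == "DENY"):
        return "DENY"
    allow_policies = [p for p in policies if p["action"] == "ALLOW"]
    if not allow_policies:
        return "ALLOW"
    if any(policy_matches(p, req) for p in allow_policies):
        return "ALLOW"
    return "DENY"


# The three policies from the thread, reduced to their spec (all assumed to select the gateway).
ONLY_AUTHORIZED_API = {"action": "ALLOW", "rules": [
    {"from": [{"source": {"requestPrincipals": ["*"]}}]},
]}
DISABLE_JWT_FOR_HEALTHZ = {"action": "DENY", "rules": [
    {"from": [{"source": {"notRequestPrincipals": ["*"]}}],
     "to": [{"operation": {"notPaths": ["/message/ping", "/user/ping"]}}]},
]}
ONLY_AUTHORIZED_API_FIXED = {"action": "ALLOW", "rules": [
    {"from": [{"source": {"requestPrincipals": ["*"]}}]},
    {"to": [{"operation": {"paths": ["/message/ping", "/user/ping"]}}]},
]}

# Constructed sample requests: the two health probes and an API call, with and without a JWT.
SAMPLES = [
    Request("/message/ping", None),
    Request("/user/ping", None),
    Request("/message/send", None),
    Request("/message/send", "issuer.example/subject-123"),  # hypothetical principal
]


def evaluate(policies: list) -> dict:
    """Map '<path> jwt|anon' to the verdict for each constructed sample request."""
    return {f"{r.path} {'jwt' if r.principal else 'anon'}": authorize(policies, r) for r in SAMPLES}


if __name__ == "__main__":
    print("DENY attempt:     ", evaluate([ONLY_AUTHORIZED_API, DISABLE_JWT_FOR_HEALTHZ]))
    print("extra ALLOW rule: ", evaluate([ONLY_AUTHORIZED_API_FIXED]))
```

With the DENY attempt, /message/ping without a token is not matched by the DENY rule (the path is in notPaths), but it then falls through to the ALLOW stage, where the only rule requires a principal, so the final verdict is DENY. With the extra ALLOW rule the same request is allowed, while /message/send without a token stays denied. Since the fix deliberately lets anyone reach the two ping paths unauthenticated, keep them limited to endpoints that expose nothing sensitive.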

Thanks, it worked. I appreciate the time and effort you took here to provide the solution!