Target of the policy is the service (kubectl get svc), and the naming convention to mark the service protocol as HTTP is to prefix it with http or https like in my service’s example:
ports:
- name: http-letsencrypt
port: 9080
protocol: TCP
1 Like
Thanks for the clarification.
Seemingly adding http- prefix to svc port name and removing mtls gets me a step closter.
Has anyone figured this out? I tried everything I could find with no luck. As mentioned before, the MeshPolicy achieves the desired effect, but the Policy doesn’t work at all. I opened an issue on the Istio GH to try to get some answers.
I am having the same issue. Policy is not taking effect. here is my policy yaml.
apiVersion: “authentication.istio.io/v1alpha1”
kind: “Policy”
metadata:
name: aspendemo
spec:
targets:
- name: api
origins: - jwt:
issuer: “http://104.20…”
jwksUri: “http://104.20…/.well-known/openid-configuration/jwks”
principalBinding: USE_ORIGIN
When i use MeshPolicy looks like it get enforced
Can somone help? is the product not stable.
Hello everyone,
switching from:
apiVersion: v1
kind: Service
metadata:
labels:
app: my-service
name: my-service
spec:
ports:
- port: 8080
protocol: TCP
selector:
app: my-service
type: ClusterIP
to:
apiVersion: v1
kind: Service
metadata:
labels:
app: my-service
name: my-service
spec:
ports:
- port: 8080
protocol: TCP
name: http
selector:
app: my-service
type: ClusterIP
solved the problem as Policy file is now taken and used correctly
Policy configuration:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: jwt-policy
spec:
targets:
- name: ent-man-serv
ports:
- number: 8080
...