Online Boutique Extensions

I have been working on extending the GCP Online Boutique microservices example, and I would like to add Istio AuthorizationPolicy resources to the system.

Concretely, I want an AuthorizationPolicy to block all not-whitelisted traffic to cartservice, and I want to whitelist traffic from frontend to cartservice.

Currently, I am able to block traffic with an AuthorizationPolicy, but I cannot whitelist traffic by principal or namespace.

For context, here is my system setup. (Anything not explicitly stated here is the default from the demo linked above)

Istio Version:

$ istioctl version
client version: 1.4.6
control plane version: 1.4.6-gke.0
data plane version: 1.4.6-gke.0 (16 proxies)

Command I Ran to Enforce Strict mTLS:

gcloud beta container clusters update <cluster-name> --update-addons=Istio=ENABLED --istio-config=auth=MTLS_STRICT --zone=us-central1-a

I added this ServiceAccount using kubectl apply -f:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: frontend-serviceaccount
---

To make this work, I added one line to the spec for the frontend Deployment, which was:

serviceAccountName: frontend-serviceaccount

Lastly, this is the AuthorizationPolicy I am trying to use to only permit traffic from the frontend to talk to the cartservice:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-cart-and-frontend-comm
  namespace: default
spec:
  selector:
    matchLabels:
      app: cartservice
  rules:
  - from:
    - source:
        namespaces:
          - "default"
        # principals: ["cluster.local/ns/default/sa/frontend-serviceaccount", "frontend", "frontend-serviceaccount", "frontend-serviceaccount.default.sa.cluster.local", "/api/v1/namespaces/default/serviceaccounts/frontend-serviceaccount", "frontend.default.svc.cluster.local"]

The principals commented out above are all of the different ways I have tried to refer to the service account defined above, and neither they nor the namespace work properly: as soon as this is applied, the frontend cannot talk to the cartservice.
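For reference, here is the complete set of resources this question is working towards, written as an added example (it is not the poster's manifest and not part of the Online Boutique project). It assumes everything runs in the default namespace, that the Deployments carry the labels app: frontend and app: cartservice as in the demo, and that mTLS is already STRICT so the frontend sidecar presents a SPIFFE identity that the policy can match on. The service account name is the one from the question; the policy name is a placeholder.

```yaml
# Added example: ServiceAccount, Deployment patch and AuthorizationPolicy that
# together let only the frontend workload reach cartservice.
---
# 1. Identity for the frontend pods. The namespace is stated explicitly so the
#    resulting principal (cluster.local/ns/default/sa/frontend-serviceaccount)
#    is unambiguous.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: frontend-serviceaccount
  namespace: default
---
# 2. Strategic merge patch for the demo's frontend Deployment. Only the field
#    being added is shown; apply it with, for example:
#      kubectl patch deployment frontend -p "$(cat frontend-sa-patch.yaml)"
#    Changing the pod template triggers a rollout, so the replacement pods get
#    workload certificates issued for this service account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  namespace: default
spec:
  template:
    spec:
      serviceAccountName: frontend-serviceaccount
---
# 3. Allow-list on cartservice. As soon as an AuthorizationPolicy selects a
#    workload, any request that matches none of its rules is rejected, so this
#    single resource both blocks all other callers and permits the frontend.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-cartservice   # placeholder name
  namespace: default
spec:
  selector:
    matchLabels:
      app: cartservice
  rules:
  - from:
    - source:
        # Istio's SPIFFE identity for a service account:
        #   <trust domain>/ns/<namespace>/sa/<serviceaccount name>
        # Matching on principals (or namespaces) only works when the caller
        # connects over mTLS; a plaintext caller carries no identity at all.
        principals: ["cluster.local/ns/default/sa/frontend-serviceaccount"]
```

Two checks are worth running after applying this. First, confirm the frontend pods actually run under the new identity, e.g. `kubectl get pod -l app=frontend -o jsonpath='{.items[*].spec.serviceAccountName}'`; if the frontend is still using the default service account, its principal is `cluster.local/ns/default/sa/default` and the policy will correctly reject it. Second, confirm mTLS is really in effect between the two workloads (on Istio 1.4 `istioctl authn tls-check <frontend-pod> cartservice.default.svc.cluster.local` reports this); without mTLS neither `principals` nor `namespaces` can match. A call to cartservice from any pod that is not using `frontend-serviceaccount` should then be denied while the frontend keeps working, which is the expected shape of the policy.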

Hmm, this is the official doc closest to what you are trying to do

So you confirmed the namespace and service account are correct as default/frontend-serviceaccount?

These namespace and principals fields require mTLS to work. Does the request succeed when you only enable mTLS, without RBAC?

I note your Istio version is quite old. 1.4 is out of support. I would upgrade to 1.6 (the most recent version) and use the setup guide I mentioned above as a successful baseline, and see where the delta of the microservice demo is.