Online Boutique Extensions

I have been working on extending the GCP Online Boutique microservices example, and I would like to add Istio AuthorizationPolicy resources to the system.

Concretely, I want an AuthorizationPolicy to block all not-whitelisted traffic to cartservice, and I want to whitelist traffic from frontend to cartservice.

Currently, I am able to block traffic with an AuthorizationPolicy, but I cannot whitelist traffic by principal or namespace.

For context, here is my system setup. (Anything not explicitly stated here is the default from the demo linked above)

Istio Version:

$ istioctl version
client version: 1.4.6
control plane version: 1.4.6-gke.0
data plane version: 1.4.6-gke.0 (16 proxies)

Command I Ran to Enforce Strict mTLS:

gcloud beta container clusters update <cluster-name> --update-addons=Istio=ENABLED \--istio-config=auth=MTLS_STRICT --zone=us-central1-a

I added this ServiceAccount using kubectl apply -f:

apiVersion: v1
kind: ServiceAccount
  name: frontend-serviceaccount

To make this work, I added one line to the spec for the frontend Deployment, which was:

serviceAccountName: frontend-serviceaccount

Lastly, this is the AuthorizationPolicy I am trying to use to only permit traffic from the frontend to talk to the cartservice:

kind: AuthorizationPolicy
 name: allow-cart-and-frontend-comm
 namespace: default
     app: cartservice
  - from:
    - source:
         - "default"
      # principals: ["cluster.local/ns/default/sa/frontend-serviceaccount", "frontend", "frontend-serviceaccount", "", "/api/v1/namespaces/default/serviceaccounts/frontend-serviceaccount", "frontend.default.svc.cluster.local"]

The Principals commented out above are all of the different ways I have tried to refer to the service account defined above, and neither them nor the namespace work properly - as soon as this is applied the frontend cannot talk to the cartservice.

Hmm, this is the official doc mostly closed to what you are trying to do

So you confirmed the namespace and service account is correct as default/frontend-serviceaccount?

These namespace and principals require the mTLS to work. Does request succeed when you only enable mTLS, without rbac?

I note your Istio version is quite old. 1.4 is out of support. I would upgrade to 1.6 (most recent version) and use the setup guide I mentioned above as a successful base line, see where’s the delta of the microservice demo.