I’m trying to design an architecture where only certain pods have, for example, access to S3 and other pods have access to archive.ubuntu.com.
What I’ve designed so far is:
Use Calico NetworkPolicies to deny all outward traffic from the application except for DNS and to istio-system.
Created gateways and VirtualServices for archive.ubuntu.com to direct to an egress gateway.
Set STRICT peer authentication policies in the application namespace.
At this point traffic to archive.ubuntu.com is flowing nicely, but for all pods.
So I attempted an AuthorizationPolicy like this:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ubuntu-archive
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/httpbin"]
But now I get RBAC access denied.
Then I tried adding this:
trafficPolicy:
  tls:
    mode: ISTIO_MUTUAL
to the DestinationRule, and now I get an “upstream connect error or disconnect/reset before headers. reset reason: connection failure”.
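The following is an added example, not the poster's configuration, of one complete path for archive.ubuntu.com through the Istio egress gateway in which the sidecar-to-gateway hop is mesh mTLS on both ends: the DestinationRule originates ISTIO_MUTUAL toward the gateway, and the Gateway server on the gateway terminates ISTIO_MUTUAL, which is what makes the calling workload's service-account identity available to an AuthorizationPolicy on the gateway. It assumes the application namespace is default, the client service account is httpbin, and the egress gateway pods in istio-system carry the label istio=egressgateway; the resource names (archive-ubuntu, egressgateway-for-archive, archive-via-egressgateway, subset archive) are invented for the example.

```yaml
# Added example (not the poster's config). Assumed: app namespace "default",
# client SA "httpbin", egress gateway pods in istio-system labelled istio=egressgateway.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: archive-ubuntu            # assumed name
  namespace: default
spec:
  hosts:
  - archive.ubuntu.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: default
spec:
  selector:
    istio: egressgateway          # assumed gateway pod label
  servers:
  - port:
      number: 443
      name: https-archive
      protocol: HTTPS
    hosts:
    - archive.ubuntu.com
    tls:
      mode: ISTIO_MUTUAL           # gateway terminates mesh mTLS from the sidecars
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egressgateway-for-archive  # assumed name
  namespace: default
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: archive
    trafficPolicy:
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL       # sidecar originates mesh mTLS to the gateway
          sni: archive.ubuntu.com  # must match the Gateway server's hosts
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: archive-via-egressgateway  # assumed name
  namespace: default
spec:
  hosts:
  - archive.ubuntu.com
  gateways:
  - mesh
  - istio-egressgateway
  http:
  # hop 1: sidecar -> egress gateway, port 443, mTLS per the DestinationRule above
  - match:
    - gateways: [mesh]
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: archive
        port:
          number: 443
  # hop 2: egress gateway -> archive.ubuntu.com, plain HTTP on port 80
  - match:
    - gateways: [istio-egressgateway]
      port: 443
    route:
    - destination:
        host: archive.ubuntu.com
        port:
          number: 80
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ubuntu-archive
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: egressgateway         # assumed gateway pod label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/httpbin"]
    to:
    - operation:
        hosts: ["archive.ubuntu.com"]   # this SA may only reach this host via the gateway
```

Two points worth checking against this layout. First, the source principal only exists on the gateway when the gateway itself terminates the sidecar's mTLS (the ISTIO_MUTUAL on the Gateway server); if the DestinationRule originates ISTIO_MUTUAL toward a Gateway server that is plain HTTP, the sidecar's TLS handshake lands on an HTTP listener. Second, an ALLOW policy selecting the egress gateway denies everything it does not list, so each further service-account/host pair (for example a separate SA for S3) needs its own `from`/`to` rule alongside its own ServiceEntry, Gateway server and VirtualService routes.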