Restrict pod to pod communication using Istio authorization

Yashwanth · December 6, 2021, 11:39pm

Trying to restrict pod to pod communication using Istio authorization, followed steps as specified in Istio Documentation. Even after applying the authorization policy not able to restrict the traffic to a specific pod, service/pod is accessible from all pods in the namespace.

Below is the authorization policy

apiVersion: security.istio.io/v1beta1

kind: AuthorizationPolicy
metadata:
  name: whitelist-service
  namespace: default
spec:
  selector
    matchLabels:
      app.kubernetes.io/name: service-A
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/service-B-svc-account"]  
  - to:
    - operation:
       ports: ["9090"]

Also enabled the mTLS in the namespace but still not able to restrict traffic between 2 pods.

I am still relatively new to Istio so any help pointing me into the right direction would be most appreciated!

Topic		Replies	Views
Authorization Policy - ISTIO Security	6	1083	July 2, 2020
Another AuthorizationPolicy Question - IP Whitelist for VirtualService Security	5	2049	February 11, 2021
Blocking traffic with Istio Networking	6	3640	July 11, 2019
Authorization Policies having unexpected results on istio-1.9.0 Networking security	1	546	February 23, 2021
Istio AuthorizationPolicy to do not allow users to access the pods from the namespaces where they don't have access Security	0	442	July 29, 2021

Restrict pod to pod communication using Istio authorization

Related topics