Restrict pod to pod communication using Istio authorization

Yashwanth · December 6, 2021, 11:39pm

Trying to restrict pod to pod communication using Istio authorization, followed steps as specified in Istio Documentation. Even after applying the authorization policy not able to restrict the traffic to a specific pod, service/pod is accessible from all pods in the namespace.

Below is the authorization policy

apiVersion: security.istio.io/v1beta1

kind: AuthorizationPolicy
metadata:
  name: whitelist-service
  namespace: default
spec:
  selector
    matchLabels:
      app.kubernetes.io/name: service-A
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/service-B-svc-account"]  
  - to:
    - operation:
       ports: ["9090"]

Also enabled the mTLS in the namespace but still not able to restrict traffic between 2 pods.

I am still relatively new to Istio so any help pointing me into the right direction would be most appreciated!

Topic		Replies	Views
Authorization Policy - ISTIO Security	6	933	July 2, 2020
Another AuthorizationPolicy Question - IP Whitelist for VirtualService Security	5	1770	February 11, 2021
Authorization Policies having unexpected results on istio-1.9.0 Networking security	1	489	February 23, 2021
Istio AuthorizationPolicy to do not allow users to access the pods from the namespaces where they don't have access Security	0	403	July 29, 2021
Restrict access from one service to another Security	12	5942	April 21, 2023

Restrict pod to pod communication using Istio authorization

Related Topics