Hi, hope all’s well.
We’re trying to restrict serviceA-to-serviceB communication in the Istio mesh and want all services to allow traffic from a specific source (the Istio ingress gateway). Can you recommend the best security practice to achieve this?
If this info is helpful - we also have a mesh-wide PeerAuthentication policy in place. The traffic between services in all namespaces is encrypted.
Thank you.
I’d suggest you use an AuthorizationPolicy:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app
  namespace: ns
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        # identity of the ingress gateway, taken from its mTLS client certificate
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
    to:
    - operation:
        # only the port the workload actually serves on
        ports:
        - "8080"
  selector:
    matchLabels:
      app: app
```
Hi @rafaelmnatali, thank you for your valuable suggestion. I did use the AuthorizationPolicy with the source principal, but that didn’t work for some reason.
I ended up using the rules to capture the source traffic based on the host header. This applies to the whole mesh network.
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: auth-policy
  # root namespace: a policy here applies to every workload in the mesh
  namespace: root-namespace
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[host]
      values: ["<endpoint>"]
```
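Editor's note with an added example (not code from either poster): the manifest below shows the principal-based design from the answer above carried through for the whole requirement in the question, namely every workload accepting the ingress gateway and only serviceA allowed to call serviceB, and it addresses the follow-up as well. Two caveats matter. First, `source.principals` is taken from the client's mTLS certificate, so it is only populated when the connection is actually mTLS; with a PERMISSIVE PeerAuthentication a plaintext request carries no principal and never matches a `principals` rule, and the principal string must also use the mesh's trust domain (`cluster.local` by default) and the gateway's real service account name. Second, the `request.headers[host]` condition in the follow-up matches a value that any client inside the mesh can set on its own request, so on its own it does not restrict who the source is; a `when` condition can be combined with `from.source.principals` in the same rule, in which case both must hold. The namespace `apps`, the labels `app=service-a`/`app=service-b`, the service accounts `service-a`/`service-b`, and port 8080 are assumptions for the example.

```yaml
# Added example, not from the thread. Assumed names: namespace "apps",
# workloads labelled app=service-a / app=service-b using service accounts
# service-a / service-b, service-b listening on 8080, ingress gateway in
# istio-system running as istio-ingressgateway-service-account.
#
# 1. Make mTLS mandatory mesh-wide so every in-mesh request carries a
#    principal. With PERMISSIVE, plaintext requests have no principal and
#    can never satisfy a principals rule.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace => applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# 2. Deny by default for the namespace. An ALLOW policy with no rules
#    matches nothing, so once it exists every workload in "apps" rejects
#    requests unless some other ALLOW policy matches them.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: apps
spec:
  {}
---
# 3. Every workload in the namespace accepts traffic from the ingress
#    gateway identity. No selector => applies to all workloads in "apps".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-from-ingress
  namespace: apps
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
---
# 4. The only in-mesh caller of service-b is service-a, and only on 8080.
#    "from" and "to" inside one rule are ANDed; separate ALLOW policies on
#    the same workload are ORed, so service-b still accepts the gateway.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-b-from-service-a
  namespace: apps
spec:
  selector:
    matchLabels:
      app: service-b
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/apps/sa/service-a
    to:
    - operation:
        ports:
        - "8080"
```

Before applying this, confirm the gateway's service account name rather than assuming it, for example with `kubectl -n istio-system get pod -l app=istio-ingressgateway -o jsonpath='{.items[0].spec.serviceAccountName}'`, and check the trust domain in the mesh config if it has been changed from `cluster.local`. A principal typo fails closed: the rule simply never matches and the workload keeps denying, which looks exactly like "the policy doesn't work". Adding the STRICT PeerAuthentication while other traffic is still plaintext will break those callers, so roll it out per namespace first if the mesh-wide policy currently allows PERMISSIVE.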