Hi, hope all’s well.
We’re trying to restrict serviceA-to-serviceB communication in the Istio mesh and want all the services to allow traffic from a specific source (the Istio ingress). Can you recommend the best security practice to achieve this?
If this info is helpful: we also have a mesh-wide PeerAuthentication policy in place, so the traffic between services in all namespaces is encrypted.
I’d suggest you use AuthorizationPolicy.
Hi @rafaelmnatali, thank you for your valuable suggestion. I did use AuthorizationPolicy with the source principal, but that didn’t work for some reason.
I ended up using rules that capture the source traffic based on the host header. This applied to the whole mesh network.
```yaml
- key: request.headers[host]
```
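As an added example (not posted by either participant, and not copied from the Istio project), here is what the AuthorizationPolicy suggested in the reply above looks like when written against the ingress gateway's mTLS identity, next to the host-header variant the original poster settled on. Everything here is assumed: that Istio's root namespace is `istio-system` (the default), that the ingress gateway runs there under the default `istio-ingressgateway-service-account` service account with the label `istio: ingressgateway`, that the cluster trust domain is `cluster.local`, and that the application hostname is `app.example.com`. A source principal is only available on mTLS connections, so the mesh-wide PeerAuthentication should be in `STRICT` mode; in `PERMISSIVE` mode a plaintext request arrives with no principal and cannot match the first policy.

```yaml
# Added example, not the thread's own configuration.
#
# Policy 1: mesh-wide ALLOW. A policy in the root namespace with no selector
# applies to every workload in the mesh. Once an ALLOW policy applies to a
# workload, any request that matches no ALLOW rule is denied, so this gives
# "only the ingress gateway may call any service" in one object.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-only-from-ingress
  namespace: istio-system            # assumed root namespace (Istio default)
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the ingress gateway, verified by mTLS.
        # Format: <trust-domain>/ns/<namespace>/sa/<service-account>
        # Trust domain, namespace and service-account name are assumptions.
        principals:
        - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
---
# Policy 2: the mesh-wide policy above also applies to the ingress gateway
# pod itself, and requests arriving from outside the mesh carry no principal.
# This workload-scoped policy with an empty rule allows all traffic to the
# gateway so external clients are not locked out.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-all-to-ingress-gateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway          # assumed gateway pod label (Istio default)
  action: ALLOW
  rules:
  - {}                               # empty rule matches every request
---
# Policy 3: the weaker alternative from the last post, matching on the Host
# header. request.headers[host] is whatever the client puts on the wire and is
# not bound to any identity, so any workload that can reach the sidecar can
# satisfy it by sending the expected Host value. Shown for comparison only.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-by-host-header
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[host]
      values: ["app.example.com"]    # assumed hostname
```

To see why a principal match fails, `istioctl x describe pod <pod>` reports the PeerAuthentication mode in effect for a workload, and enabling RBAC debug logging on the sidecar (`istioctl proxy-config log <pod> --level rbac:debug`) prints the source principal Envoy actually saw on each denied request, which can be compared with the string in `principals`.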