Security - Authorization Policy - 503

Kanthasamyraja · May 15, 2020, 7:24am

Hi,

Am trying to setup authorisation policy. not working.

Kubernetes on premise setup with Istio version: 1.5.1

Getting 200Ok when there is no authorisation policy.
503 Response Code

Ingressgateway access log (working when there is no authorization policy)

[2020-05-15T07:08:30.278Z] “GET /v1/delegation/test HTTP/1.1” 200 - “-” “-” 0 4 81 79 “10.40.172.33,10.32.0.1” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36” “a19876b4-12ee-9172-aa93-e405a1a89c6b” “[REPLACED-SERVERNAME]” “10.32.0.150:9091” outbound|9091||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 10.32.0.153:56224 10.32.0.153:80 10.32.0.1:15044 - -

Corresponding applicaiton pod Istio-proxy log (working When there is no authorization policy)

[2020-05-15T07:08:30.279Z] “- - -” 0 - “-” “-” 1805 142 60133 - “-” “-” “-” “-” “127.0.0.1:9091” inbound|9091||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 127.0.0.1:33222 10.32.0.150:9091 10.32.0.153:56224 outbound_.9091_._.[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local -

Implementing below authorization Policy

$ cat [REPLACED]-auth-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: [REPLACED]-auth-policy
namespace: [REPLACED-NAMESPACENAME]
spec:
selector:
matchLabels:
app: [REPLACED]
action: ALLOW
rules:

to:

operation:
paths: [“/v1/delegation/test”]

$

authorizationpolicy.security.istio.io/[REPLACED]-auth-policy created

Ingressgateway access log (NOT working when authorization policy applied)

[2020-05-15T07:12:54.333Z] “GET /v1/delegation/test HTTP/1.1” 503 UC “-” “-” 0 95 9 - “10.40.172.33,10.32.0.1” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36” “b1177978-3151-9629-b8cf-d97f6dc40fb6” “[REPLACED-SERVERNAME]” “10.32.0.150:9091” outbound|9091||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 10.32.0.153:60850 10.32.0.153:80 10.32.0.1:33145 - -

Corresponding applicaiton pod Istio-proxy log (NOT working When authorization policy applied)

[2020-05-15T06:43:07.789Z] "- - -" 0 - "-" "-" 968 1796 1764128 - "-" "-" "-" "-" "10.41.88.60:1282" PassthroughCluster 10.32.0.150:52592 10.41.88.60:1282 10.32.0.150:52590 - -
[2020-05-15T07:12:54.334Z] "- - -" 0 - "-" "-" 0 0 8 - "-" "-" "-" "-" "127.0.0.1:9091" inbound|9091||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 127.0.0.1:37848 10.32.0.150:9091 10.32.0.153:60850 outbound_.9091_._.[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local -
[2020-05-15T06:43:38.749Z] "- - -" 0 - "-" "-" 968 1796 1757489 - "-" "-" "-" "-" "10.41.88.60:1282" PassthroughCluster 10.32.0.150:53270 10.41.88.60:1282 10.32.0.150:53268 - -

Shubham · May 15, 2020, 12:14pm

Hi
am i understanding right you can excess the service from outside cluster?(external request)
so in that case see this https://istio.io/docs/tasks/security/authorization/authz-ingress/

AFAIK Authorization policy doesn’t give 503 error

Kanthasamyraja · May 15, 2020, 10:16pm

Hi @Shubham,

Thanks for your response. Am new to Istio. kubernetes cluster on premise implementation with external LoadBalancer.

NAME                        TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                              
istio-ingressgateway        LoadBalancer   10.101.110.50    <pending>     15020:32514/TCP,80:30483/TCP,443:31166/TCP,15029:31580/TCP,15030:30186/TCP,15031:32607/TCP,15032:30606/TCP,31400:30139/TCP,15443:30237/TCP   7d17h

Accessing using NodePort

Writing AuthorizationPolicy at “istio-ingressgateway” level working.

Writing AuthorizationPolicy at our custom namespace level affecting pod Liveness and Readiness probe.
Is it possible to write AuthorizationPolicy at pod/namespace level?

Thanks

Shubham · May 16, 2020, 9:25am

Hi @Kanthasamyraja
possible to write autthorization policy at worload/namespace/ mesh policy.

have a look https://istio.io/docs/concepts/security/#authorization (concept of security in istio)
may thi will help you

JimmyChen · May 18, 2020, 12:09am

There are more tasks about authorization rules here https://istio.io/docs/tasks/security/authorization/

Kanthasamyraja · May 18, 2020, 7:50am

Hi @Shubham / @JimmyChen

Thanks for time and response.

Yes. I have tried those authorizationpolicy. But not working.

Kubernetes POD is Spring Boot application
Getting 200 Ok when there is no authorisation policy. 503 Response Code when applying authorizationpolicy.

Have created this topic for the same. Could you please check initial thread on this discussion.

Shubham · May 18, 2020, 8:25am

Hi @Kanthasamyraja

have a look on this https://istio.io/docs/ops/common-problems/network-issues/#503-errors-after-setting-destination-rule

& i also find this issue on github Authorization Policy issue with 503 check it may be this will solve your problem

Topic		Replies	Views
Need help to add authorization policy to filter internal and external calls Security	5	1290	July 13, 2023
Istio 1.5 AuthorizationPolicy using JWT Security	4	1073	July 28, 2020
Authorization Policies having unexpected results on istio-1.9.0 Networking security	1	545	February 23, 2021
503 errors with AuthorizationPolicy and ALLOW with a Rule Security	3	991	January 11, 2021
Authorization not working Security	12	2996	July 16, 2019

Security - Authorization Policy - 503

Related Topics