Security - Authorization Policy - 503

Hi,

I am trying to set up an authorisation policy, but it is not working.

Kubernetes on premise setup with Istio version: 1.5.1

Getting 200 OK when there is no authorisation policy.
503 Response Code

Ingressgateway access log (working when there is no authorization policy)

[2020-05-15T07:08:30.278Z] "GET /v1/delegation/test HTTP/1.1" 200 - "-" "-" 0 4 81 79 "10.40.172.33,10.32.0.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" "a19876b4-12ee-9172-aa93-e405a1a89c6b" "[REPLACED-SERVERNAME]" "10.32.0.150:9091" outbound|9091||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 10.32.0.153:56224 10.32.0.153:80 10.32.0.1:15044 - -

Corresponding application pod istio-proxy log (working when there is no authorization policy)

[2020-05-15T07:08:30.279Z] "- - -" 0 - "-" "-" 1805 142 60133 - "-" "-" "-" "-" "127.0.0.1:9091" inbound|9091||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 127.0.0.1:33222 10.32.0.150:9091 10.32.0.153:56224 outbound_.9091_._.[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local -

Implementing the authorization policy below

$ cat [REPLACED]-auth-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: [REPLACED]-auth-policy
  namespace: [REPLACED-NAMESPACENAME]
spec:
  selector:
    matchLabels:
      app: [REPLACED]
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/v1/delegation/test"]
$

authorizationpolicy.security.istio.io/[REPLACED]-auth-policy created

Ingressgateway access log (NOT working when authorization policy applied)

[2020-05-15T07:12:54.333Z] "GET /v1/delegation/test HTTP/1.1" 503 UC "-" "-" 0 95 9 - "10.40.172.33,10.32.0.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" "b1177978-3151-9629-b8cf-d97f6dc40fb6" "[REPLACED-SERVERNAME]" "10.32.0.150:9091" outbound|9091||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 10.32.0.153:60850 10.32.0.153:80 10.32.0.1:33145 - -

Corresponding application pod istio-proxy log (NOT working when authorization policy applied)

[2020-05-15T06:43:07.789Z] "- - -" 0 - "-" "-" 968 1796 1764128 - "-" "-" "-" "-" "10.41.88.60:1282" PassthroughCluster 10.32.0.150:52592 10.41.88.60:1282 10.32.0.150:52590 - -
[2020-05-15T07:12:54.334Z] "- - -" 0 - "-" "-" 0 0 8 - "-" "-" "-" "-" "127.0.0.1:9091" inbound|9091||[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local 127.0.0.1:37848 10.32.0.150:9091 10.32.0.153:60850 outbound_.9091_._.[REPLACED].[REPLACED-NAMESPACENAME].svc.cluster.local -
[2020-05-15T06:43:38.749Z] "- - -" 0 - "-" "-" 968 1796 1757489 - "-" "-" "-" "-" "10.41.88.60:1282" PassthroughCluster 10.32.0.150:53270 10.41.88.60:1282 10.32.0.150:53268 - -
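Added example, not from the original post or from Istio: a small Python triage helper that parses lines in the Istio 1.5 default Envoy access-log format quoted above and tells an AuthorizationPolicy (RBAC) denial, which Envoy reports as 403, apart from a transport-level 503 such as the "503 UC" gateway line. The sample lines are constructed with placeholder host names, cluster names and request IDs.

```python
import re

# Constructed sample lines in the Istio 1.5 default Envoy access-log format,
# modelled on the gateway lines quoted above (hosts and request IDs are placeholders).
SAMPLE_LOG = """\
[2020-05-15T07:08:30.278Z] "GET /v1/delegation/test HTTP/1.1" 200 - "-" "-" 0 4 81 79 "10.40.172.33,10.32.0.1" "Mozilla/5.0" "req-0001" "gw.example.internal" "10.32.0.150:9091" outbound|9091||app.demo.svc.cluster.local 10.32.0.153:56224 10.32.0.153:80 10.32.0.1:15044 - -
[2020-05-15T07:12:54.333Z] "GET /v1/delegation/test HTTP/1.1" 503 UC "-" "-" 0 95 9 - "10.40.172.33,10.32.0.1" "Mozilla/5.0" "req-0002" "gw.example.internal" "10.32.0.150:9091" outbound|9091||app.demo.svc.cluster.local 10.32.0.153:60850 10.32.0.153:80 10.32.0.1:33145 - -
[2020-05-15T07:13:10.001Z] "GET /v1/delegation/other HTTP/1.1" 403 - "-" "-" 0 19 2 1 "10.40.172.33,10.32.0.1" "curl/7.68.0" "req-0003" "gw.example.internal" "10.32.0.150:9091" outbound|9091||app.demo.svc.cluster.local 10.32.0.153:60900 10.32.0.153:80 10.32.0.1:33200 - -
"""

# Field order after the quoted request line, as in the Istio 1.5 default format.
FIELDS = ["response_code", "response_flags", "mixer_status", "upstream_transport_failure_reason",
          "bytes_received", "bytes_sent", "duration_ms", "upstream_service_time_ms",
          "x_forwarded_for", "user_agent", "request_id", "authority", "upstream_host",
          "upstream_cluster", "upstream_local_address", "downstream_local_address",
          "downstream_remote_address", "requested_server_name", "route_name"]
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<rest>.*)$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # one quoted field or one bare field
# Envoy response flags relevant here; UC is the flag on the thread's 503 line.
FLAG_HINT = {"UC": "upstream connection terminated", "UF": "upstream connection failure",
             "NR": "no route configured", "UH": "no healthy upstream"}

def parse_line(line: str) -> dict:
    """Split one access-log line into named fields; raise on an unknown layout."""
    m = LINE_RE.match(line)
    tokens = [q or b for q, b in TOKEN_RE.findall(m.group("rest"))] if m else []
    if len(tokens) != len(FIELDS):
        raise ValueError(f"not an Istio 1.5 access-log line: {line[:60]!r}")
    rec = {"timestamp": m.group("ts"), "method": m.group("method"), "path": m.group("path"), "protocol": m.group("proto")}
    rec.update(zip(FIELDS, tokens))
    return rec

def triage(rec: dict) -> str:
    """Distinguish an AuthorizationPolicy (RBAC) denial from a transport-level failure."""
    code, flags = rec["response_code"], rec["response_flags"]
    if code == "403":
        return "403: looks like an AuthorizationPolicy (RBAC) denial; review the policy rules"
    if code.startswith("5"):
        hints = "; ".join(FLAG_HINT.get(f, f) for f in flags.split(",") if f != "-")
        return f"{code}: upstream/transport problem, not an RBAC deny ({hints or 'no flags'})"
    return f"{code}: ok"

def triage_log(text: str) -> list:
    """Parse every non-empty line and attach a verdict to each record."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    for rec in records:
        rec["verdict"] = triage(rec)
    return records
```

Running `triage_log` over a real gateway log separates the 403 lines, which the policy itself produced, from 503/UC lines, which point at the sidecar-to-application hop rather than the policy decision.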

Hi
Am I understanding right that you can access the service from outside the cluster (external request)?
In that case, see this: https://istio.io/docs/tasks/security/authorization/authz-ingress/

AFAIK an authorization policy doesn't give a 503 error.

Hi @Shubham,

Thanks for your response. I am new to Istio. It is an on-premise Kubernetes cluster implementation with an external LoadBalancer.

NAME                        TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                                                                                      AGE
istio-ingressgateway        LoadBalancer   10.101.110.50    <pending>     15020:32514/TCP,80:30483/TCP,443:31166/TCP,15029:31580/TCP,15030:30186/TCP,15031:32607/TCP,15032:30606/TCP,31400:30139/TCP,15443:30237/TCP   7d17h

Accessing it using the NodePort.

Writing an AuthorizationPolicy at the "istio-ingressgateway" level works.

  • Writing an AuthorizationPolicy at our custom namespace level affects the pod liveness and readiness probes.
  • Is it possible to write an AuthorizationPolicy at pod/namespace level?

Thanks

Hi @Kanthasamyraja
It is possible to write an authorization policy at workload/namespace/mesh level.

Have a look at https://istio.io/docs/concepts/security/#authorization (the security concepts in Istio).
Maybe this will help you.

There are more tasks about authorization rules here https://istio.io/docs/tasks/security/authorization/

Hi @Shubham / @JimmyChen

Thanks for your time and response.

Yes, I have tried those authorization policies, but they are not working.

The Kubernetes pod is a Spring Boot application.
Getting 200 OK when there is no authorisation policy, and a 503 response code when applying the AuthorizationPolicy.

I have created this topic for the same issue. Could you please check the initial post in this discussion?

Hi @Kanthasamyraja

Have a look at this: https://istio.io/docs/ops/common-problems/network-issues/#503-errors-after-setting-destination-rule

I also found this issue on GitHub, "Authorization Policy issue with 503". Check it; maybe this will solve your problem.