Hello,
I’ve been playing around with Istio authentication, more or less following the guides on the references.
I have the following service and virtual service:
```yaml
# Sets up the deployment definition
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: postauth
  name: postauth
  # for now we use a specific dev namespace
  namespace: dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postauth
  template:
    metadata:
      labels:
        app: postauth
    spec:
      containers:
      - name: postauth
        image: local/postauth:v1
        ports:
        - containerPort: 8080
        env:
        # env variables, these we get from a configmap
        - name: DEV_DATABASE_URL
          valueFrom:
            configMapKeyRef:
              name: postgres-config
              key: url
        - name: DEV_POSTGRES_USER
          valueFrom:
            configMapKeyRef:
              name: postgres-config
              key: user
        # and this from a secret
        - name: DEV_POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-password
              key: password
        # this checks if the service is STILL running
        livenessProbe:
          httpGet:
            port: 8080
            path: /actuator/health
          initialDelaySeconds: 15
          periodSeconds: 5
          timeoutSeconds: 2
        # this checks if the service can be exposed
        readinessProbe:
          httpGet:
            port: 8080
            path: /actuator/health
          initialDelaySeconds: 10
          periodSeconds: 3
---
# Sets up the service
apiVersion: v1
kind: Service
metadata:
  name: postauth
  namespace: dev
  labels:
    app: postauth
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  selector:
    app: postauth
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dev-virtual-service
  namespace: dev
spec:
  hosts:
  - "*"
  gateways:
  - http-gateway
  http:
  - route:
    - destination:
        port:
          number: 8080
        host: postauth.dev.svc.cluster.local
```
I haven’t added any policies yet and the app itself should make the /actuator/health endpoint available without authentication. The issue is that every time I try to access any endpoint in the application I always get a 403 with the message:
```
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Wed Sep 25 10:14:46 GMT 2019
There was an unexpected error (type=Forbidden, status=403).
Access Denied
```
I’ve tried removing the whole namespace and starting from scratch, but I always get the same result. Am I missing something?