Trying to get external auth to work with ingress gateway (no service mesh), but can’t get external auth to kick in.
istioctl analyze displays a warning that could be the root cause:
Warning [IST0127] (AuthorizationPolicy ext-authz-oauth2-proxy.bookinfo) No matching workloads for this resource with the following labels: istio=ingressgateway
However, it looks like the default ingressgateway pod in the istio-system namespace does have the label:
kubectl get pods --selector=istio=ingressgateway -n istio-system
NAME                                   READY   STATUS    RESTARTS       AGE
istio-ingressgateway-8dbb57f65-lx4vg   1/1     Running   1 (5h9m ago)   7h54m
Here is the external auth policy:
kind: AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
metadata:
  name: ext-authz-oauth2-proxy
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        #hosts: ["*"]
        #notPaths: ["/auth/*"]
        paths: ["/headers"]
Thanks!
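Added example, not part of the original post: a small Python model of how Istio scopes an AuthorizationPolicy selector, run over the policy and pod shown above. A selector only matches workloads in the policy's own namespace, unless the policy lives in the root namespace, so a CUSTOM policy that matches nothing is simply never enforced. Assumptions: the root namespace is the default istio-system, the bookinfo pod is constructed, and the function names are hypothetical.

```python
ROOT_NAMESPACE = "istio-system"  # assumption: Istio's default root namespace is unchanged

# Constructed inventory: the gateway pod comes from the kubectl output in the post,
# the bookinfo pod is a made-up placeholder workload.
PODS = [
    {"name": "istio-ingressgateway-8dbb57f65-lx4vg", "namespace": "istio-system",
     "labels": {"istio": "ingressgateway"}},
    {"name": "productpage-example", "namespace": "bookinfo",
     "labels": {"app": "productpage"}},
]

# The policy from the post, reduced to the fields that decide workload selection.
POLICY = {
    "metadata": {"name": "ext-authz-oauth2-proxy", "namespace": "bookinfo"},
    "spec": {"selector": {"matchLabels": {"istio": "ingressgateway"}},
             "action": "CUSTOM"},
}


def labels_match(selector, labels):
    """True when every selector key/value is present on the pod (empty selector matches all)."""
    return all(labels.get(key) == value for key, value in selector.items())


def check_policy(policy, pods, root_namespace=ROOT_NAMESPACE):
    """Return the pods the policy applies to, and namespaces where the label exists out of scope."""
    policy_ns = policy["metadata"]["namespace"]
    selector = policy["spec"].get("selector", {}).get("matchLabels", {})
    labelled = [p for p in pods if labels_match(selector, p["labels"])]
    if policy_ns == root_namespace:
        in_scope = labelled  # root-namespace policies select across all namespaces
    else:
        in_scope = [p for p in labelled if p["namespace"] == policy_ns]
    in_scope_names = {p["name"] for p in in_scope}
    elsewhere = sorted({p["namespace"] for p in labelled if p["name"] not in in_scope_names})
    return {"matched": sorted(in_scope_names), "label_found_only_in": elsewhere}


if __name__ == "__main__":
    result = check_policy(POLICY, PODS)
    if not result["matched"]:
        print("No matching workloads; label exists in:", result["label_found_only_in"])
```

An empty "matched" list with a non-empty "label_found_only_in" corresponds to the IST0127 warning in the post: the label exists, but only in a namespace the policy does not cover.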