Warning [IST0127] - External auth not kicking in with ingressgateway

Uday_Srinivasan · November 23, 2021, 11:23pm

Trying to get external auth to work with ingress gateway (no service mesh), but can’t get external auth to kick in.

istioctl analyze displays a warning that could be the root cause :
Warning [IST0127] (AuthorizationPolicy ext-authz-oauth2-proxy.bookinfo) No matching workloads for this resource with the following labels: istio=ingressgateway

However looks like the default ingressgateway POD in istio-system namespace does have the label :

kubectl get pods --selector=istio=ingressgateway -n istio-system
NAME READY STATUS RESTARTS AGE
istio-ingressgateway-8dbb57f65-lx4vg 1/1 Running 1 (5h9m ago) 7h54m

Here is the external auth policy :

kind: AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
metadata:
  name: ext-authz-oauth2-proxy
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
    - to:
        - operation:
            #hosts: ["*"]
            #notPaths: ["/auth/*"]
            paths: ["/headers"]

thanks !

Topic		Replies	Views
Can the Istio ingressgateway proxy traffic to external HTTPS service? Networking	3	2065	September 15, 2020
Can't access my nginx pod from an external IP Networking	0	211	November 12, 2022
External service https downgraded to http	1	365	June 7, 2023
Issue with using an internal ingress	3	1128	March 27, 2019
Cannot get bookinfo and httpbin ingressgateway to work on new install 1.2.*	2	1250	July 18, 2019

Warning [IST0127] - External auth not kicking in with ingressgateway

Here is the external auth policy :

Related Topics