Workload evidence when using RBAC policy

jaygridley · March 9, 2021, 1:46pm

Hello, when using RBAC with Istio and some workload is denied by policies, e.g. AuthorizationPolicy, Istio returns 403 - RBAC: access denied. Is it possible to configure Istio/Envoy to return 404 Not Found instead to “hide” workload existence?

YangminZhu · March 9, 2021, 7:41pm

currently this is not supported by the authorization policy but I think it’s a valid feature request that we can add at least in the Envoy level, feel free to open a feature request on github.

jaygridley · March 13, 2021, 6:43pm

GitHub issue for reference Workload evidence when using RBAC policy · Issue #31452 · istio/istio · GitHub

revl-ca · March 15, 2021, 12:33pm

I believe this could be done with an EnvoyFilter.

But I tend to dislike to rely on those too much.

Topic		Replies	Views
Istio 1.5 AuthorizationPolicy using JWT Security	4	972	July 28, 2020
External Authorization with OPA is not working Security	0	461	September 7, 2022
RBAC returns either 403 or 302 for each route randomly Security	3	846	May 30, 2019
Ingress gateway IP whitelist with AuthorizationPolicy	7	3440	March 11, 2020
RBAC denied for connection check	0	493	August 29, 2019

Workload evidence when using RBAC policy

Related Topics