Workload evidence when using RBAC policy

Hello, when using RBAC with Istio and some workload is denied by policies, e.g. AuthorizationPolicy, Istio returns 403 - RBAC: access denied. Is it possible to configure Istio/Envoy to return 404 Not Found instead to “hide” workload existence?

Currently this is not supported by the authorization policy, but I think it’s a valid feature request that we can add at least at the Envoy level. Feel free to open a feature request on GitHub.

GitHub issue for reference: Workload evidence when using RBAC policy · Issue #31452 · istio/istio

I believe this could be done with an EnvoyFilter.

But I tend to dislike relying on those too much.
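One way the EnvoyFilter approach mentioned above could look, as an added example that is not from the thread or the Istio project: it merges Envoy's `local_reply_config` into the inbound HTTP connection manager so that locally generated 403 replies are rewritten to 404. The resource name, namespace, workload label and runtime key are assumptions chosen for illustration.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rbac-deny-as-404        # hypothetical name
  namespace: example-ns         # hypothetical namespace
spec:
  workloadSelector:
    labels:
      app: example-app          # hypothetical workload label
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND  # only the sidecar's inbound listener
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          local_reply_config:
            mappers:
            # Applies only to replies Envoy generates itself (such as the
            # RBAC filter's 403); a 403 returned by the application passes
            # through unchanged.
            - filter:
                status_code_filter:
                  comparison:
                    op: EQ
                    value:
                      default_value: 403
                      runtime_key: example.local_reply.rbac_status  # constructed key
              status_code: 404
              body:
                inline_string: "Not Found"
```

This mapper matches on status code alone, so any other filter on the same listener that produces a local 403 is rewritten too. Access logs and the RBAC filter's own stats still record the denial, so detection on the mesh side is unaffected.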