Implemented an Istio service entry for our internal service, along with an authorization policy as below.
We also have a default sidecar to restrict traffic between namespaces.

ServiceEntry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  ........
spec:
  exportTo:
  - .
  hosts:
  - xxxxxxx.xxxxxx.svc.cluster.local
  location: MESH_INTERNAL
  ports:
  - name: http-xxxx
    number: 8080
    protocol: HTTP
  - name: http-yyyy
    number: 8081
    protocol: HTTP
  resolution: NONE

AuthorizationPolicy:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  .......
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/xxxxxxx/sa/xxxxxxx
  - from:
    - source:
        namespaces:
        - yyyyyyyy
    to:
    - operation:
        methods:
        - GET
        paths:
        - /test
  - to:
    - operation:
        ports:
        - '8090'
  selector:
    matchLabels:
      app: zzzzzzzz

However, after upgrading Istio to version 1.20, we've noticed the emergence of 403 errors. Interestingly, when we remove all the rules from the authorization policy, the 403 errors disappear. Any insights on what might be causing this and how to address it would be greatly appreciated.
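
To see which requests the three rules above would reject, here is a simplified model of ALLOW-policy matching. It is an added example, not part of the original issue and not Istio's code. The sample requests and the `client` service account are constructed, and the model assumes this is the only policy selecting the workload and that a request without a verified mTLS peer identity carries no principal or namespace.

```python
RULES = [  # the three rules from the policy above (simplified model, not Istio code)
    {"from": [{"principals": ["cluster.local/ns/xxxxxxx/sa/xxxxxxx"]}]},
    {"from": [{"namespaces": ["yyyyyyyy"]}],
     "to": [{"methods": ["GET"], "paths": ["/test"]}]},
    {"to": [{"ports": ["8090"]}]},
]

def _match(patterns, value):
    # OR over patterns (exact, 'abc*', '*abc', '*'); an absent attribute never matches
    return bool(value) and any(
        p in (value, "*") or (p.endswith("*") and value.startswith(p[:-1]))
        or (p.startswith("*") and value.endswith(p[1:])) for p in patterns)

def _namespace(principal):  # principal: <trust-domain>/ns/<namespace>/sa/<name>
    parts = principal.split("/") if principal else []
    return parts[2] if len(parts) == 5 and parts[1] == "ns" else None

def _source_ok(src, req):
    principal = req.get("principal")  # None: peer not authenticated with mTLS
    attrs = {"principals": principal, "namespaces": _namespace(principal)}
    return all(_match(vals, attrs[key]) for key, vals in src.items())

def _operation_ok(op, req):
    attrs = {"methods": req["method"], "paths": req["path"], "ports": str(req["port"])}
    return all(_match(vals, attrs[key]) for key, vals in op.items())

def evaluate(req, rules=RULES):
    """Return ('ALLOW', rule_index) or ('DENY', None); DENY is served as HTTP 403."""
    for i, rule in enumerate(rules):
        # A rule without 'from' or 'to' matches any source or any operation.
        src = any(_source_ok(s, req) for s in rule.get("from", [{}]))
        dst = any(_operation_ok(o, req) for o in rule.get("to", [{}]))
        if src and dst:
            return "ALLOW", i
    return "DENY", None

ID_X = "cluster.local/ns/xxxxxxx/sa/xxxxxxx"
ID_Y = "cluster.local/ns/yyyyyyyy/sa/client"  # 'client' is a constructed name
SAMPLES = [  # constructed requests
    {"principal": ID_X, "method": "POST", "path": "/any", "port": 8080},
    {"principal": ID_Y, "method": "GET", "path": "/test", "port": 8080},
    {"principal": ID_Y, "method": "GET", "path": "/other", "port": 8080},
    {"principal": None, "method": "GET", "path": "/test", "port": 8080},
    {"principal": None, "method": "GET", "path": "/other", "port": 8090},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(evaluate(r), r)
```

In this model, a request on port 8080 or 8081 is allowed only when the peer identity matches the first or second rule; the third rule covers port 8090 alone.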