Help with setting external auth on ingress and namespace #49828
Unanswered. kozomonster asked this question in Q&A. Replies: 0 comments.
We have an issue with setting up AuthorizationPolicy.
Our case requires forwarding each request (from outside the cluster and inside the cluster) to an "authorizer" service.
Authorizer is a service deployed on the cluster, that communicates with grpc on port 9000.
All services reside in the same namespace, apps-namespace. We were able to set the AuthorizationPolicy for the requests that come from outside, and it works very well:
Issue has started when we started to use the internal DNS for some communication between services.
When the request from service A goes to service B inside the cluster (using the http://b.namespace.svc.cluster etc), the policy is not applied, so it misses the token that authorizer app needs to add to it.
We tried to apply a new policy to the services namespace, as in documentation:
But it breaks the Istio proxy. The requests are multiplied when sent to the authorizer, and the notPaths do not work in this case. This happens for the services that are requested first from outside and go through the Ingress.
The internal calls between services seem to work.
The services use port 80, target 8080, http; mTLS is strict on the cluster.
Can someone please advise us how we can achieve this authorizer setup to work properly?
We thought that the easiest solution would be to filter the requests with a "from PA" condition in the authorizer-namespace policy, but it is not possible in the CUSTOM version.
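The setup the question describes, written out as an added example (not the poster's configuration and not code from the Istio project). Port 9000 and apps-namespace come from the question; the provider name authorizer-grpc, the /healthz path and the default istio: ingressgateway label are assumptions.

```yaml
# Added example, not from the question. Assumed: provider name
# "authorizer-grpc", health path "/healthz", default gateway labels.
# 1. Register the in-cluster gRPC authorizer once in the mesh config
#    (data.mesh of the "istio" ConfigMap in istio-system).
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    extensionProviders:
    - name: authorizer-grpc
      envoyExtAuthzGrpc:
        service: authorizer.apps-namespace.svc.cluster.local
        port: 9000
        failOpen: false        # deny, do not pass through, if the authorizer is down
        statusOnError: "503"
---
# 2. Namespace-wide policy: no selector, so it attaches to every sidecar in
#    apps-namespace and therefore to the A -> B calls made through the
#    b.apps-namespace.svc.cluster.local DNS name.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-apps
  namespace: apps-namespace
spec:
  action: CUSTOM
  provider:
    name: authorizer-grpc
  rules:
  - to:
    - operation:
        notPaths: ["/healthz"]   # health checks bypass the authorizer
---
# 3. Gateway policy. A policy only covers workloads in its own namespace, so
#    the ingress gateway needs a separate object in istio-system. With both
#    objects in place a request that enters through the gateway is checked
#    here AND again at the destination sidecar, so the authorizer sees it
#    twice; drop one object or narrow this one if a single check is wanted.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: authorizer-grpc
```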