2

I created an istio mesh setup as per this guide.

Now my goal is to only allow access to product page service from the same namespace default, not from another namespace.

so I created the below AuthorizationPolicy. If I apply only the first policy, it denies all requests very well from any namespace. But if you see the second policy, I only allowed the default namespace, still, it allowed access to product page service from another namespace.

Can you help me to find my configuration mistake?

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage
 namespace: default
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-all
 namespace: default
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: ALLOW
 rules:
  - to:
    - operation:
        ports: ["9080"]
  - from:
    - source:
        namespaces: ["default"]
Wytrzymały Wiktor
  • 11,492
  • 5
  • 29
  • 37
k''
  • 702
  • 1
  • 8
  • 19

1 Answers1

0

Option #1

Instead of creating ALLOW policy, you should explicitly DENY any traffic from namespaces other than default.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: productpage-all
 namespace: default
spec:
 selector:
   matchLabels:
     app: productpage
     version: v1
 action: DENY
 rules:
  - to:
    - operation:
        ports: ["9080"]
  - from:
    - source:
        notNamespaces: ["default"]

DENY policy takes precedence over ALLOW policy.

Create PeerAuthentication with STRICT mTLS mode:

Option #2

Optionally you could isolate default namespace with mTLS enabled

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: test
  namespace: default
spec:
  mtls:
    mode: STRICT

Create ALLOW policy inside default namespace:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: namespace-isolation
  namespace: default
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["default"]
  • Still not worked. both namespace default and istio are mtls strict and injection enabled. I used below command to call productpage service from ubuntu pod in istio namespace. kubectl exec -it -n istio "$(kubectl get pod -n istio -l app=ubuntu -o jsonpath='{.items[0].metadata.name}')" -- curl -sS productpage.default.svc.cluster.local:9080/productpage | grep -o ".*" – k'' Feb 21 '22 at 18:57
  • I added second possible solution to the answer, see if it helps. –  Feb 21 '22 at 19:57
  • Appriciate your help!!. still does not work, might be your solution is correct but I'm missing something. I will upload all files to github from initial step minikube start, will see what happen. Thanks. – k'' Feb 21 '22 at 21:17