This auth policy should allow all routes:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-all
  namespace: qcust
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - "*"
Instead it returns a 503.
The issue is the same whether I'm using paths, methods or hosts in the to rule. I would expect any request to be allowed through with this policy. Or if rbac auth fails, it should at least return a 403. Instead, I get a 503 no matter the path/host/method. It appears that none of those fields are being passed to the downstream pod.
Sidecar proxy log:
2023-03-28T15:52:54.146801Z debug envoy conn_handler [C21367] new connection from 10.42.0.12:47912
2023-03-28T15:52:54.148279Z debug envoy rbac checking connection: requestedServerName: outbound_.8088_._.qcust-front-end-external.qcust.svc.cluster.local, sourceIP: 10.42.0.12:47912, directRemoteIP: 10.42.0.12:47912,remoteIP: 10.42.0.12:47912, localAddress: 10.42.0.25:3000, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: O=, dynamicMetadata:
2023-03-28T15:52:54.148654Z debug envoy rbac enforced denied, matched policy none
2023-03-28T15:52:54.149509Z debug envoy conn_handler [C21367] adding to cleanup list
[2023-03-28T15:52:54.146Z] "- - -" 0 - - rbac_access_denied_matched_policy[none] "-" 2595 823 3 - "-" "-" "-" "-" "10.42.0.25:3000" inbound|3000|| 127.0.0.6:49595 10.42.0.25:3000 10.42.0.12:47912 outbound_.8088_._.qcust-front-end-external.qcust.svc.cluster.local -
Gateway log:
2023-03-28T15:52:54.064831Z debug envoy conn_handler [C21367] new connection from 10.42.0.1:8485
2023-03-28T15:52:54.145465Z debug envoy http2 [C21367] updating connection-level initial window size to 268435456
2023-03-28T15:52:54.145537Z debug envoy http [C21367] new stream
2023-03-28T15:52:54.145598Z debug envoy http [C21367][S171697015603862305] request headers complete (end_stream=true):
':method', 'GET'
':path', '/blah'
':scheme', 'https'
':authority', 'console.sbx'
'user-agent', 'curl/7.86.0'
'accept', '*/*'
2023-03-28T15:52:54.145604Z debug envoy http [C21367][S171697015603862305] request end stream
2023-03-28T15:52:54.145728Z debug envoy router [C21367][S171697015603862305] cluster 'outbound|8088||qcust-front-end-external.qcust.svc.cluster.local' match for URL '/blah'
2023-03-28T15:52:54.145821Z debug envoy router [C21367][S171697015603862305] router decoding headers:
':method', 'GET'
':path', '/blah'
':scheme', 'https'
':authority', 'console.sbx'
'user-agent', 'curl/7.86.0'
'accept', '*/*'
'x-forwarded-for', '10.42.0.1'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', 'b07ccb4c-f323-4773-9575-fcb27d434180'
'x-envoy-decorator-operation', 'qcust-front-end-external.qcust.svc.cluster.local:8088/*'
'x-envoy-peer-metadata', '<base64 value elided>'
'x-envoy-peer-metadata-id', 'router~10.42.0.12~istio-ingressgateway-76558bcd64-tvn9w.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'e79402604a7e52801c4dd4142ecc1426'
'x-b3-spanid', '1c4dd4142ecc1426'
'x-b3-sampled', '0'
2023-03-28T15:52:54.147881Z debug envoy router [C21367][S171697015603862305] pool ready
2023-03-28T15:52:54.148938Z debug envoy router [C21367][S171697015603862305] upstream reset: reset reason: connection termination, transport failure reason:
2023-03-28T15:52:54.148998Z debug envoy http [C21367][S171697015603862305] Sending local reply with details upstream_reset_before_response_started{connection_termination}
2023-03-28T15:52:54.149040Z debug envoy http [C21367][S171697015603862305] encoding headers via codec (end_stream=false):
':status', '503'
'content-length', '95'
'content-type', 'text/plain'
'date', 'Tue, 28 Mar 2023 15:52:53 GMT'
'server', 'istio-envoy'
2023-03-28T15:52:54.149088Z debug envoy http2 [C21367] stream closed: 0
2023-03-28T15:52:54.153976Z debug envoy conn_handler [C21367] adding to cleanup list
[2023-03-28T15:52:54.145Z] "GET /blah HTTP/2" 503 UC upstream_reset_before_response_started{connection_termination} - "-" 0 95 3 - "10.42.0.1" "curl/7.86.0" "b07ccb4c-f323-4773-9575-fcb27d434180" "console.sbx" "10.42.0.25:3000" outbound|8088||qcust-front-end-external.qcust.svc.cluster.local 10.42.0.12:47912 10.42.0.12:8443 10.42.0.1:8485 console.sbx default-match
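Added example (not from the issue or from Istio): a small Python checker over the sidecar lines quoted above that tells a network-level RBAC evaluation (`rbac checking connection`, where a deny can only close the connection, which the gateway then reports as 503 UC) from an HTTP-level one (`rbac checking request`, which yields a 403), and flags a policy that only uses HTTP-only `to.operation` fields while enforcement happened at connection level. It assumes Istio's documented behaviour that HTTP-only fields never match on a TCP listener, so an ALLOW rule built from them matches nothing there; the log sample and policy dict are copied from the post.

```python
import re
from typing import Dict, Optional, Set, Tuple
# Constructed sample: the sidecar RBAC lines quoted in the issue (values as posted).
SIDECAR_LOG = """\
2023-03-28T15:52:54.148279Z debug envoy rbac checking connection: requestedServerName: outbound_.8088_._.qcust-front-end-external.qcust.svc.cluster.local, sourceIP: 10.42.0.12:47912, localAddress: 10.42.0.25:3000
2023-03-28T15:52:54.148654Z debug envoy rbac enforced denied, matched policy none
[2023-03-28T15:52:54.146Z] "- - -" 0 - - rbac_access_denied_matched_policy[none] "-" 2595 823 3
"""
# The allow-all policy from the issue as a dict (what yaml.safe_load would give).
POLICY = {"spec": {"action": "ALLOW", "rules": [{"to": [{"operation": {"paths": ["*"]}}]}]}}
# HTTP-only AuthorizationPolicy fields: never match on a TCP listener, so an ALLOW
# rule made only of them denies all TCP traffic (assumption stated in the lead-in).
HTTP_ONLY_OPERATION = {"hosts", "notHosts", "methods", "notMethods", "paths", "notPaths"}
HTTP_ONLY_SOURCE = {"requestPrincipals", "notRequestPrincipals"}

def rbac_layer(log: str) -> Optional[str]:
    """'tcp' if Envoy's network RBAC filter judged the connection, 'http' if the
    HTTP RBAC filter judged a request, None if no RBAC evaluation was logged."""
    if "rbac checking connection:" in log:
        return "tcp"
    if "rbac checking request:" in log:
        return "http"
    return None

def rbac_verdict(log: str) -> Optional[Tuple[str, str]]:
    """(allowed|denied, matched policy name) from the 'rbac enforced' line."""
    m = re.search(r"rbac enforced (allowed|denied), matched policy (\S+)", log)
    return (m.group(1), m.group(2)) if m else None

def http_only_fields(policy: Dict) -> Set[str]:
    """HTTP-only field names used anywhere in the policy's rules."""
    found: Set[str] = set()
    for rule in policy.get("spec", {}).get("rules", []):
        for to in rule.get("to", []):
            found |= HTTP_ONLY_OPERATION & set(to.get("operation", {}))
        for frm in rule.get("from", []):
            found |= HTTP_ONLY_SOURCE & set(frm.get("source", {}))
    return found

def diagnose(policy: Dict, log: str) -> str:
    """Classify a logged RBAC deny; the issue's case is 'tcp-rbac-http-only-fields'."""
    layer, verdict, fields = rbac_layer(log), rbac_verdict(log), http_only_fields(policy)
    if verdict is None or verdict[0] != "denied":
        return "no-deny-logged"
    if layer == "tcp" and fields:
        return "tcp-rbac-http-only-fields: %s enforced at connection level" % sorted(fields)
    if layer == "tcp":
        return "tcp-rbac-no-match: connection closed, client sees a reset/503"
    return "http-rbac-denied: expect a 403, matched policy %s" % verdict[1]
```

When the flag fires, the thing to verify next (not shown on the page, an assumption about Istio protocol selection) is whether the workload port is detected as HTTP at all, e.g. via a port name or appProtocol, since a plain TCP port gets only the network RBAC filter.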