Do we need to have Istio sidecar proxy containers running alongside the application pod for Istio Authorization Policy to work as expected?
Do we have any Istio docs around this?
I tried running my application without sidecars and the authorisation policy is not getting applied.
As per the architecture provided in the official Istio documentation. Istio proxy acts as a gateway between your incoming and outgoing traffic of your application container and is responsible for traffic management, security and for enforcing various policies whether they are custom made or from existing templates.
Authentication is one such policy and sidecar proxy helps you in applying these policies, you can specify various methods or policies for authenticating to your workloads and these policies will be stored in the Istio configuration storage once deployed. Whenever a policy got changed or a new pod got generated matching the policy requirements this proxy container will apply the policy to the single workload or multiple workloads based on the policy specifications as shown in the figure below.
Note: This image is taken form the official Istio documentation which is embedded in the content above.
