K
Q

istioctl AuthorizationPolicy allow/deny working opposite ways

2/14/2021
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-transactions-authorizationpolicy
  namespace: default
spec:
  selector:
    matchLabels:
      app: transactions
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/checking-account"]
    to:
    - operation:
       methods: ["GET"]
       paths: ["/*"]

it denies checking-account to access transaction workload.

If I change action to DENY. it allows checking-account to access transaction workload.

Can someone help me why allow is denying and deny is allowing?

-- srikant
authorization
istio
kubernetes

Similar Questions

ArgoCD drift detection
Replacing Existing Value with new Value in Script Kubernetes
How to configure custom LDAP in Grafana helm chart?
How to execute bash string manipulations in a kubernetes deployment yaml
delete improperly removed PersistentVolume in kubernetes

1 Answer

2/14/2021
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-transactions-authorizationpolicy
  namespace: default
spec:
  selector:
    matchLabels:
      app: transactions
  action: DENY
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/checking-account"]
  - to:
    - operation:
       methods: ["GET"]
       paths: ["/*"]

I needed to put - in front of to:

That fixed the issue.

-- srikant
Source: StackOverflow