istioctl AuthorizationPolicy allow/deny working opposite ways

2/14/2021
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-transactions-authorizationpolicy
  namespace: default
spec:
  selector:
    matchLabels:
      app: transactions
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/checking-account"]
    to:
    - operation:
       methods: ["GET"]
       paths: ["/*"]

It denies checking-account access to the transaction workload.

If I change the action to DENY, it allows checking-account access to the transaction workload.

Can someone help me understand why allow is denying and deny is allowing?

-- srikant
authorization
istio
kubernetes

1 Answer

2/14/2021
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-transactions-authorizationpolicy
  namespace: default
spec:
  selector:
    matchLabels:
      app: transactions
  action: DENY
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/checking-account"]
  - to:
    - operation:
       methods: ["GET"]
       paths: ["/*"]

I needed to put a - in front of to:

That fixed the issue.

-- srikant
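The question and the answer both hinge on how Istio combines rule sections and actions. The following is an added worked example, not Istio's code and not part of the original thread: a small Python evaluator of AuthorizationPolicy decisions that applies the documented order (DENY policies first, then "must match an ALLOW rule if any ALLOW policy selects the workload", otherwise allowed) to the policies from the page. It assumes the checking-account pods run under a Kubernetes service account named checking-account, so their mTLS identity is cluster.local/ns/default/sa/checking-account (Istio's trust-domain/ns/namespace/sa/service-account format); the principal string in the question's YAML has no /sa/ segment, which is the mismatch the example exercises. The reporting identity and the request paths are constructed, and when conditions, CUSTOM and AUDIT actions are left out because the page's policies do not use them.

```python
# Added example: toy evaluator of Istio AuthorizationPolicy decisions.
# Not Istio code; simplified to the rule sections the page's policies use.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str  # peer identity taken from the client's mTLS certificate
    method: str
    path: str


def _match_pattern(pattern: str, value: str) -> bool:
    """Istio string matching: exact, prefix 'abc*', suffix '*abc', or '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


def _any_match(patterns, value) -> bool:
    return any(_match_pattern(p, value) for p in patterns)


def _from_matches(entry, req) -> bool:
    principals = entry.get("source", {}).get("principals")
    return principals is None or _any_match(principals, req.principal)


def _to_matches(entry, req) -> bool:
    op = entry.get("operation", {})
    methods, paths = op.get("methods"), op.get("paths")
    return ((methods is None or _any_match(methods, req.method))
            and (paths is None or _any_match(paths, req.path)))


def rule_matches(rule, req) -> bool:
    """Sections of one rule are ANDed; entries inside a section are ORed."""
    from_ok = "from" not in rule or any(_from_matches(e, req) for e in rule["from"])
    to_ok = "to" not in rule or any(_to_matches(e, req) for e in rule["to"])
    return from_ok and to_ok


def selects(policy, labels) -> bool:
    sel = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in sel.items())


def decide(policies, workload_labels, req) -> str:
    """DENY policies first; then any selecting ALLOW policy must have a matching rule."""
    applicable = [p for p in policies if selects(p, workload_labels)]
    for p in applicable:
        if p["spec"].get("action", "ALLOW") == "DENY" and any(
                rule_matches(r, req) for r in p["spec"].get("rules", [])):
            return "DENY"
    allows = [p for p in applicable if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if allows and not any(rule_matches(r, req)
                          for p in allows for r in p["spec"].get("rules", [])):
        return "DENY"  # an ALLOW policy applies but nothing matched: default deny
    return "ALLOW"


TRANSACTIONS = {"app": "transactions"}
# Assumption: checking-account pods run as service account "checking-account".
CHECKING_ACCOUNT = "cluster.local/ns/default/sa/checking-account"
OTHER_CLIENT = "cluster.local/ns/default/sa/reporting"  # constructed, unrelated caller


def policy(action, rules):
    """Transcribed shape of the page's YAML (only the fields that affect the decision)."""
    return {"metadata": {"name": "deny-transactions-authorizationpolicy", "namespace": "default"},
            "spec": {"selector": {"matchLabels": TRANSACTIONS}, "action": action, "rules": rules}}


# The question's single rule: from AND to, with a principal that lacks "/sa/".
QUESTION_RULE = {"from": [{"source": {"principals": ["cluster.local/ns/default/checking-account"]}}],
                 "to": [{"operation": {"methods": ["GET"], "paths": ["/*"]}}]}
# The same rule written with the identity format Istio actually issues.
SA_RULE = {"from": [{"source": {"principals": [CHECKING_ACCOUNT]}}],
           "to": [{"operation": {"methods": ["GET"], "paths": ["/*"]}}]}
# The answer's YAML: "- to:" starts a second, independent rule (OR, not AND).
ANSWER_RULES = [{"from": [{"source": {"principals": ["cluster.local/ns/default/checking-account"]}}]},
                {"to": [{"operation": {"methods": ["GET"], "paths": ["/*"]}}]}]

GET_REQ = Request(CHECKING_ACCOUNT, "GET", "/balances")  # constructed request


def question_allow() -> str:
    return decide([policy("ALLOW", [QUESTION_RULE])], TRANSACTIONS, GET_REQ)


def question_deny() -> str:
    return decide([policy("DENY", [QUESTION_RULE])], TRANSACTIONS, GET_REQ)


def sa_allow() -> str:
    return decide([policy("ALLOW", [SA_RULE])], TRANSACTIONS, GET_REQ)


def answer_deny(req: Request) -> str:
    return decide([policy("DENY", ANSWER_RULES)], TRANSACTIONS, req)


if __name__ == "__main__":
    print("question ALLOW policy:", question_allow())
    print("question DENY policy: ", question_deny())
    print("ALLOW with /sa/ id:   ", sa_allow())
    print("answer DENY, other GET:", answer_deny(Request(OTHER_CLIENT, "GET", "/balances")))
```

Running it reproduces the symptom from the question: with a rule that never matches, the ALLOW policy falls through to Istio's default deny, and the DENY policy has nothing to deny, so swapping the action appears to invert the result. Correcting the principal to the /sa/ form makes the ALLOW policy admit the request. The answer's fix works for a different reason: the second rule (`to` only, no `from`) matches a GET from any principal, so the DENY policy now blocks every GET to the transactions workload, not just those from checking-account, while non-GET requests and the mis-spelt principal remain unmatched. A policy whose intent is "only checking-account may GET" is expressed as one ALLOW rule with both sections and the service-account identity, and the quickest check that the identity is right is `istioctl x describe pod` or the peer principal in the sidecar's access log.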
Source: StackOverflow