I created an Istio mesh setup as per this guide.
Now my goal is to only allow access to the productpage service from the same namespace (default), not from another namespace.
So I created the AuthorizationPolicy below. If I apply only the first policy, it denies all requests from any namespace very well. But if you look at the second policy, I only allowed the default namespace; still, it allowed access to the productpage service from another namespace.
Can you help me find my configuration mistake?
# First policy: selects the productpage workload and has no rules
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
---
# Second policy: ALLOW with two rules (one `to` entry, one `from` entry)
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-all
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: ALLOW
  rules:
  - to:
    - operation:
        ports: ["9080"]
  - from:
    - source:
        namespaces: ["default"]

Instead of creating an ALLOW policy, you should explicitly DENY any traffic from namespaces other than default.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-all
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
      version: v1
  action: DENY
  rules:
  # `from` and `to` live in the same rule so both must match (AND):
  # only requests to port 9080 from a namespace other than default are denied.
  - from:
    - source:
        notNamespaces: ["default"]
    to:
    - operation:
        ports: ["9080"]

DENY policy takes precedence over ALLOW policy.
Optionally, you could isolate the default namespace with mTLS enabled.
Create a PeerAuthentication with STRICT mTLS mode:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: test
  namespace: default
spec:
  mtls:
    mode: STRICT

Create an ALLOW policy inside the default namespace:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: namespace-isolation
  namespace: default
spec:
  # no selector: applies to every workload in the default namespace
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["default"]
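As an added illustration (not code from the question or the answer above), the following Python script models Istio's documented AuthorizationPolicy evaluation order for one workload: a matching DENY policy wins, a workload with no ALLOW policies is open, otherwise a request must match some ALLOW rule. It encodes the question's two policies as dictionaries, evaluates sample requests, and contrasts the question's two-rule ALLOW policy with the same conditions placed in a single rule and with the answer's DENY policy. Only the `namespaces`, `notNamespaces` and `ports` fields are modelled; CUSTOM action and `when` conditions are left out, and the policy name `productpage-deny` and the request namespace `other` are made up for the example.

```python
"""Added example: a toy model of Istio AuthorizationPolicy evaluation.

Evaluation order for one workload (CUSTOM action omitted by assumption):
  1. any matching DENY policy          -> DENY
  2. no ALLOW policy selects workload  -> ALLOW
  3. any matching ALLOW policy         -> ALLOW
  4. otherwise                         -> DENY
A policy matches if ANY rule matches (OR); a rule matches only if EVERY
field it sets (`from`, `to`) matches (AND).
"""


def _match_source(source, req):
    ns = req["namespace"]
    if "namespaces" in source and ns not in source["namespaces"]:
        return False
    if "notNamespaces" in source and ns in source["notNamespaces"]:
        return False
    return True


def _match_operation(operation, req):
    return "ports" not in operation or str(req["port"]) in operation["ports"]


def _match_rule(rule, req):
    # Fields within one rule are AND-ed; entries within a field's list are OR-ed.
    if "from" in rule and not any(_match_source(f["source"], req) for f in rule["from"]):
        return False
    if "to" in rule and not any(_match_operation(t["operation"], req) for t in rule["to"]):
        return False
    return True


def _policy_matches(policy, req):
    # A policy with no rules never matches any request.
    return any(_match_rule(r, req) for r in policy["spec"].get("rules", []))


def _selects(policy, workload_labels):
    selector = policy["spec"].get("selector")
    if selector is None:
        return True  # no selector: applies to every workload in the namespace
    return all(workload_labels.get(k) == v for k, v in selector["matchLabels"].items())


def evaluate(policies, req, workload_labels):
    """Return "ALLOW" or "DENY" for one request against the given policies."""
    applicable = [p for p in policies if _selects(p, workload_labels)]
    denies = [p for p in applicable if p["spec"].get("action") == "DENY"]
    allows = [p for p in applicable if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(_policy_matches(p, req) for p in denies):
        return "DENY"
    if not allows:
        return "ALLOW"
    if any(_policy_matches(p, req) for p in allows):
        return "ALLOW"
    return "DENY"


PRODUCTPAGE = {"app": "productpage", "version": "v1"}  # labels of the Bookinfo workload


def policy(name, action=None, rules=None):
    spec = {"selector": {"matchLabels": dict(PRODUCTPAGE)}}
    if action:
        spec["action"] = action
    if rules is not None:
        spec["rules"] = rules
    return {"metadata": {"name": name, "namespace": "default"}, "spec": spec}


# The question's first policy: selector only, no rules, so nothing ever matches it.
DENY_ALL = policy("productpage")

# The question's second policy: `to` and `from` are two separate rules (OR-ed).
ALLOW_TWO_RULES = policy("productpage-all", "ALLOW", [
    {"to": [{"operation": {"ports": ["9080"]}}]},
    {"from": [{"source": {"namespaces": ["default"]}}]},
])

# The same two conditions inside ONE rule, so they are AND-ed.
ALLOW_ONE_RULE = policy("productpage-all", "ALLOW", [
    {"from": [{"source": {"namespaces": ["default"]}}],
     "to": [{"operation": {"ports": ["9080"]}}]},
])

# The answer's approach: a single DENY rule for non-default sources on port 9080.
DENY_OTHER_NS = policy("productpage-deny", "DENY", [  # hypothetical name
    {"from": [{"source": {"notNamespaces": ["default"]}}],
     "to": [{"operation": {"ports": ["9080"]}}]},
])


def request(namespace, port=9080):
    return {"namespace": namespace, "port": port}  # constructed sample request


def demo():
    other, dflt = request("other"), request("default")  # "other" is a made-up namespace
    return {
        "deny_all/default": evaluate([DENY_ALL], dflt, PRODUCTPAGE),
        "two_rules/other": evaluate([DENY_ALL, ALLOW_TWO_RULES], other, PRODUCTPAGE),
        "two_rules/other_8080": evaluate([DENY_ALL, ALLOW_TWO_RULES], request("other", 8080), PRODUCTPAGE),
        "one_rule/other": evaluate([DENY_ALL, ALLOW_ONE_RULE], other, PRODUCTPAGE),
        "one_rule/default": evaluate([DENY_ALL, ALLOW_ONE_RULE], dflt, PRODUCTPAGE),
        "deny_policy/other": evaluate([DENY_OTHER_NS], other, PRODUCTPAGE),
        "deny_policy/default": evaluate([DENY_OTHER_NS], dflt, PRODUCTPAGE),
        "deny_beats_allow/other": evaluate([DENY_OTHER_NS, ALLOW_TWO_RULES], other, PRODUCTPAGE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

Running it shows why the question's setup behaves as observed: with two rules, a request from `other` to port 9080 satisfies the first rule on its own and is allowed, while the same conditions in one rule deny it; the DENY policy denies `other` and, because no ALLOW policy then selects the workload, still lets `default` through, and it keeps winning when combined with the permissive ALLOW policy.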