cancel
Showing results for 
Search instead for 
Did you mean: 
cjan
Mission Specialist
Mission Specialist
  • 3,082 Views

ServiceMesh Authorization Policy not working.

Jump to solution

Am using serviceMesh v2. I just deployed test application with mtls policy as STRICT in ossm-secure-authc namespace. When I'm trying to access applcation from other namesace ossm-curl, getting "customer => Error: 403 - RBAC: access denied" message. 

```

$ oc exec $(oc get pods -o name -n ossm-curl) -c sleep -n ossm-curl -- curl -s customer.ossm-secure-authc.svc.cluster.local:8080
customer => Error: 403 - RBAC: access denied

```

Also when I tried to access application through route, it fails.

```

$ curl ossm-secure-authc.apps.dev.ocp.example.com/secure-authc
customer => Error: 403 - RBAC: access denied

```

I have created authorization policy to access customer app in ossm-secure-authc namespace as below:

```

$ cat customer-policy.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: "get-customer"
spec:
selector:
matchLabels:
app: customer
rules:
- from:
- source:
principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
to:
- operation:
methods: ["GET"]
ports: ["8080"]

```

```

$ cat curl-customer-policy.yaml
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: "curl-get-customer"
namespace: "ossm-secure-authc"
spec:
action: ALLOW
selector:
matchLabels:
app: customer
rules:
- from:
- source:
namespaces: ["ossm-curl"]

```

Does anyone know the configuration that I'm missing to make this work?

 

Labels (1)
1 Solution

Accepted Solutions
Marek_Czernek
Flight Engineer Flight Engineer
Flight Engineer
  • 2,926 Views

Hi there @cjan,

Let me summarize your issue:

  1. You're using OSSM 2.0 (based on Istio 1.6)
  2. You're using what seems to be the content of our DO328 training (written for OSSM 1.x)
  3. The authorization policy that worked on OSSM 1.x now throws RBAC denied

My guess is that your service does not specify what kind of connection you're using.

What changed between OSSM 1.x and 2.x, among other things, is defaulting non-specified traffic to opaque TCP. Consequently, authorization policies that specify HTTP parameters will not work.

To solve the issue, edit the service (oc edit svc customer) and specify port name to HTTP:

apiVersion: v1
kind: Service
metadata:
  name: customer
  labels:
    app: customer
spec:
  ports:
  - name: http
    port: 8080
  selector:
    app: customer

That should make it work for you.

Last but not least, we now have DO328 for OSSM 2.x and I have reworked substantial parts of chapter 8 (security). Give it a whirl and feel free to let me know any feedback you might have on it!

 

Cheers,

M.

View solution in original post

1 Reply
Marek_Czernek
Flight Engineer Flight Engineer
Flight Engineer
  • 2,927 Views

Hi there @cjan,

Let me summarize your issue:

  1. You're using OSSM 2.0 (based on Istio 1.6)
  2. You're using what seems to be the content of our DO328 training (written for OSSM 1.x)
  3. The authorization policy that worked on OSSM 1.x now throws RBAC denied

My guess is that your service does not specify what kind of connection you're using.

What changed between OSSM 1.x and 2.x, among other things, is defaulting non-specified traffic to opaque TCP. Consequently, authorization policies that specify HTTP parameters will not work.

To solve the issue, edit the service (oc edit svc customer) and specify port name to HTTP:

apiVersion: v1
kind: Service
metadata:
  name: customer
  labels:
    app: customer
spec:
  ports:
  - name: http
    port: 8080
  selector:
    app: customer

That should make it work for you.

Last but not least, we now have DO328 for OSSM 2.x and I have reworked substantial parts of chapter 8 (security). Give it a whirl and feel free to let me know any feedback you might have on it!

 

Cheers,

M.

Join the discussion
You must log in to join this conversation.