Am using serviceMesh v2. I just deployed a test application with mtls policy as STRICT in the ossm-secure-authc namespace. When I'm trying to access the application from another namespace, ossm-curl, I get a "customer => Error: 403 - RBAC: access denied" message.
```
$ oc exec $(oc get pods -o name -n ossm-curl) -c sleep -n ossm-curl -- curl -s customer.ossm-secure-authc.svc.cluster.local:8080
customer => Error: 403 - RBAC: access denied
```
Also when I tried to access application through route, it fails.
```
$ curl ossm-secure-authc.apps.dev.ocp.example.com/secure-authc
customer => Error: 403 - RBAC: access denied
```
I have created authorization policy to access customer app in ossm-secure-authc namespace as below:
```
$ cat customer-policy.yaml
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "get-customer"
spec:
  selector:
    matchLabels:
      app: customer
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    to:
    - operation:
        methods: ["GET"]
        ports: ["8080"]
```
```
$ cat curl-customer-policy.yaml
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "curl-get-customer"
  namespace: "ossm-secure-authc"
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: customer
  rules:
  - from:
    - source:
        namespaces: ["ossm-curl"]
```
Does anyone know the configuration that I'm missing to make this work?
Hi there @cjan,
Let me summarize your issue:
My guess is that your service does not specify what kind of connection you're using.
What changed between OSSM 1.x and 2.x, among other things, is defaulting non-specified traffic to opaque TCP. Consequently, authorization policies that specify HTTP parameters will not work.
To solve the issue, edit the service (oc edit svc customer) and specify port name to HTTP:
```
apiVersion: v1
kind: Service
metadata:
  name: customer
  labels:
    app: customer
spec:
  ports:
  - name: http
    port: 8080
  selector:
    app: customer
```
That should make it work for you.
Last but not least, we now have DO328 for OSSM 2.x and I have reworked substantial parts of chapter 8 (security). Give it a whirl and feel free to let me know any feedback you might have on it!
Cheers,
M.
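As an added illustration of the protocol-sniffing point in the reply above (example code written for this page, not from the post or from OSSM), here is a small Python check that flags Service ports the mesh would treat as opaque TCP whenever the AuthorizationPolicy targeting that workload uses HTTP-only fields (methods, paths, hosts). The manifests are constructed to mirror the question, and the check assumes Istio's port-naming convention `<protocol>[-<suffix>]` (or `spec.ports[].appProtocol`).

```python
# Layer-7 protocols Istio recognises from the port name / appProtocol.
# Anything else (including an unnamed port) is opaque TCP, so HTTP fields
# in an AuthorizationPolicy rule can never match and an ALLOW policy denies all.
L7_PROTOCOLS = {"http", "http2", "https", "grpc", "grpc-web"}
# Operation fields that require the sidecar to parse HTTP.
HTTP_OPERATION_KEYS = {"methods", "paths", "hosts", "notMethods", "notPaths", "notHosts"}


def port_protocol(port):
    """Return the protocol Istio infers for one Service port ('tcp' when unnamed)."""
    app_proto = port.get("appProtocol")
    if app_proto:
        return app_proto.lower()
    name = port.get("name") or ""
    return name.split("-", 1)[0].lower() or "tcp"


def policy_needs_http(policy):
    """True if any rule in the AuthorizationPolicy uses HTTP-only operation fields."""
    for rule in policy.get("spec", {}).get("rules", []):
        for to in rule.get("to", []):
            if HTTP_OPERATION_KEYS.intersection(to.get("operation", {})):
                return True
    return False


def find_opaque_ports(service, policy):
    """Ports of `service` on which the HTTP rules of `policy` would silently fail."""
    if not policy_needs_http(policy):
        return []
    return [(p["port"], port_protocol(p)) for p in service["spec"]["ports"]
            if port_protocol(p) not in L7_PROTOCOLS]


# Constructed sample manifests: the unnamed port from the question and the fix from the reply.
SVC_UNNAMED = {"kind": "Service", "metadata": {"name": "customer"},
               "spec": {"ports": [{"port": 8080}], "selector": {"app": "customer"}}}
SVC_NAMED = {"kind": "Service", "metadata": {"name": "customer"},
             "spec": {"ports": [{"name": "http", "port": 8080}], "selector": {"app": "customer"}}}
POLICY = {"kind": "AuthorizationPolicy", "metadata": {"name": "get-customer"},
          "spec": {"selector": {"matchLabels": {"app": "customer"}},
                   "rules": [{"from": [{"source": {"principals": [
                                  "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]}}],
                              "to": [{"operation": {"methods": ["GET"], "ports": ["8080"]}}]}]}}

if __name__ == "__main__":
    print("unnamed port:", find_opaque_ports(SVC_UNNAMED, POLICY))  # [(8080, 'tcp')]
    print("named port:  ", find_opaque_ports(SVC_NAMED, POLICY))    # []
```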