cjan

ServiceMesh Authorization Policy not working.

I am using Service Mesh v2. I just deployed a test application with the mTLS policy set to STRICT in the ossm-secure-authc namespace. When I try to access the application from another namespace, ossm-curl, I get the message "customer => Error: 403 - RBAC: access denied".

```

$ oc exec $(oc get pods -o name -n ossm-curl) -c sleep -n ossm-curl -- curl -s customer.ossm-secure-authc.svc.cluster.local:8080
customer => Error: 403 - RBAC: access denied

```

Also, when I tried to access the application through the route, it fails.

```

$ curl ossm-secure-authc.apps.dev.ocp.example.com/secure-authc
customer => Error: 403 - RBAC: access denied

```

I have created authorization policies to access the customer app in the ossm-secure-authc namespace, as below:

```
$ cat customer-policy.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "get-customer"
spec:
  selector:
    matchLabels:
      app: customer
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    to:
    - operation:
        methods: ["GET"]
        ports: ["8080"]
```

```
$ cat curl-customer-policy.yaml
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "curl-get-customer"
  namespace: "ossm-secure-authc"
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: customer
  rules:
  - from:
    - source:
        namespaces: ["ossm-curl"]
```

Does anyone know the configuration that I'm missing to make this work?

 
