OpenShift Service Mesh / OSSM-11362

Docs: Waypoint authorization not enforced


    • Bug
    • Resolution: Unresolved
    • OSSM 3.2.0
    • Documentation

      When running part 4 of the verification in https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/installing/ossm-istio-ambient-mode#ossm-adding-authorization-policy_ossm-istio-ambient-mode, the returned code is 405 instead of the expected 403. This means that the endpoint is rejected by the application and not by the authorization policy of the waypoint.

      The curl pod is created in the default namespace, which is not part of the mesh. The waypoint is bypassed. After adding the default namespace to the mesh with

      kubectl label namespace default istio.io/dataplane-mode=ambient

      the authorization is enforced and the verification returns the expected 403 code.

              sgaddam@redhat.com Gaddam Sridhar
              rh-ee-marguerr Marcelo Guerrero Viveros