OSSM-3896 (OpenShift Service Mesh)

[RFE] AuthorizationPolicies created in the namespace where the SMCP is deployed should not prevent the Mesh components to work


    • Type: Story
    • Priority: Major
    • Resolution: Done
    • Version: OSSM 2.3.2
    • Component: Maistra

      When creating an allow-nothing ("deny all") AuthorizationPolicy in the namespace where the SMCP is deployed, federation stops working.

      How to reproduce the issue:

      • Configure Service Mesh federation as per the documentation.
      • Create an AuthorizationPolicy like this (no selector and an empty spec, i.e. an "allow nothing" policy that matches every workload in the namespace):
        apiVersion: security.istio.io/v1beta1
        kind: AuthorizationPolicy
        metadata:
          name: allow-nothing
          namespace: red-mesh-system
        spec: {}
      • Federation then fails: istiod's federation-registry watch gets a 403, and the access logs of the federation ingress and egress gateways show the discovery requests denied by the RBAC filter with no matching policy (rbac_access_denied_matched_policy[none]):
        # oc logs -f -n red-mesh-system -l app=istiod 
         [...]
        2023-05-04T07:29:30.081642Z     info    federation      starting watch  component=federation-registry
        2023-05-04T07:29:30.095114Z     error   federation      watch failed: status code is not OK: 403 (403 Forbidden)        component=federation-registry
        2023-05-04T07:30:24.353678Z     info    federation      starting watch  component=federation-registry
        2023-05-04T07:30:24.366988Z     error   federation      watch failed: status code is not OK: 403 (403 Forbidden)        component=federation-registry
        
        # oc logs -f -n red-mesh-system ingress-blue-mesh-6ddf9498ff-kkc9j
         [...]
        [2023-05-04T07:27:10.146Z] "GET /v1/services/ HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.56,10.128.0.1" "Go-http-client/1.1" "365860a8-bf8a-4379-8c22-ca7eea9591ec" "discovery.blue-mesh-system.svc.red-mesh.local" "-" outbound|8188||istiod-red-mesh.red-mesh-system.svc.cluster.local - 10.128.2.52:8188 10.128.0.1:5051 discovery.blue-mesh-system.svc.red-mesh.local -
        
        
        # oc logs -f -n red-mesh-system egress-blue-mesh-97c4fc954-mbxgc
        [...]
        [2023-05-04T07:28:47.227Z] "GET /v1/watch HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.51" "Go-http-client/1.1" "51650ab6-40ed-4ec8-905b-ac548c013481" "egress-blue-mesh.red-mesh-system.svc.cluster.local:8188" "-" outbound|8188|federation-discovery-blue-mesh-egress|discovery.red-mesh-system.svc.blue-mesh.local - 10.131.0.55:8188 10.128.2.51:53190 - - 
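The behaviour in the logs above follows from how Istio selects and evaluates AuthorizationPolicies, and the following added example models that (it is example code written for this page, not code from the OSSM project or this ticket). It re-implements the documented evaluation order in simplified form: DENY policies first, then ALLOW, and a workload that has at least one ALLOW policy but no matching rule is denied. It shows why `spec: {}` in red-mesh-system applies to the federation ingress gateway as well as to application pods, and shows the two usual remedies: a selector that scopes the deny-all to application workloads, or an explicit ALLOW for the federation discovery traffic. The workloads, their labels (`app: ingress-blue-mesh`, `app: productpage`), the SPIFFE principal and the request are constructed sample data and assumptions for the example, not values read from a real mesh.

```python
"""Simplified model of Istio AuthorizationPolicy selection and evaluation.

Added example for this page, not OSSM code. Sample workloads, labels and
the request are constructed; label values are assumptions.
"""
from fnmatch import fnmatch


def policy_selects(policy, workload, root_namespace=None):
    """True if the policy applies to the workload.

    A policy covers workloads in its own namespace (or in every namespace
    when it lives in the mesh root namespace) whose labels contain all of
    spec.selector.matchLabels. No selector means every workload in scope,
    which is what pulls in the mesh components deployed next to the SMCP.
    """
    p_ns = policy["metadata"]["namespace"]
    if p_ns != workload["namespace"] and p_ns != root_namespace:
        return False
    wanted = policy.get("spec", {}).get("selector", {}).get("matchLabels", {})
    return all(workload["labels"].get(k) == v for k, v in wanted.items())


def _match_any(patterns, actual):
    # An absent or empty list leaves the field unconstrained; otherwise any
    # entry may match. fnmatch covers Istio's exact, prefix ("/v1/*") and
    # suffix ("*.local") forms for these string fields.
    return not patterns or any(fnmatch(actual, p) for p in patterns)


def rule_matches(rule, request):
    """A rule is an AND of its from/to blocks; each block list is an OR.
    An empty rule ({}) matches every request."""
    froms = rule.get("from", [])
    if froms and not any(
        _match_any(f.get("source", {}).get("principals", []), request["principal"])
        and _match_any(f.get("source", {}).get("namespaces", []), request["src_namespace"])
        for f in froms
    ):
        return False
    tos = rule.get("to", [])
    if tos and not any(
        _match_any(t.get("operation", {}).get("paths", []), request["path"])
        and _match_any(t.get("operation", {}).get("methods", []), request["method"])
        and _match_any([str(p) for p in t.get("operation", {}).get("ports", [])],
                       str(request["port"]))
        for t in tos
    ):
        return False
    return True


def evaluate(policies, workload, request, root_namespace=None):
    """Return "ALLOW" or "DENY" for one request arriving at one workload."""
    applicable = [p for p in policies if policy_selects(p, workload, root_namespace)]
    denies = [p for p in applicable if p.get("spec", {}).get("action") == "DENY"]
    allows = [p for p in applicable if p.get("spec", {}).get("action", "ALLOW") == "ALLOW"]
    if any(rule_matches(r, request) for p in denies for r in p.get("spec", {}).get("rules", [])):
        return "DENY"
    if not allows:
        return "ALLOW"  # no ALLOW policy selects this workload: everything passes
    if any(rule_matches(r, request) for p in allows for r in p.get("spec", {}).get("rules", [])):
        return "ALLOW"
    return "DENY"  # ALLOW policies exist but none matched: the 403 seen in the logs


# Constructed sample workloads in the control-plane namespace: the federation
# ingress gateway from the logs and an ordinary application pod (assumed labels).
INGRESS_GW = {"namespace": "red-mesh-system", "labels": {"app": "ingress-blue-mesh"}}
APP = {"namespace": "red-mesh-system", "labels": {"app": "productpage"}}

# The federation discovery call from the gateway access log, as a constructed
# request; the principal is a placeholder, not a real OSSM service account.
DISCOVERY_REQ = {"method": "GET", "path": "/v1/services/", "port": 8188,
                 "principal": "spiffe://cluster.local/ns/blue-mesh-system/sa/example",
                 "src_namespace": "blue-mesh-system"}

# The policy from the reproduction steps: ALLOW action (default), no selector, no rules.
ALLOW_NOTHING = {"metadata": {"name": "allow-nothing", "namespace": "red-mesh-system"},
                 "spec": {}}

# Remedy 1: scope the deny-all to application workloads with a selector (assumed label).
SCOPED_ALLOW_NOTHING = {"metadata": {"name": "allow-nothing", "namespace": "red-mesh-system"},
                        "spec": {"selector": {"matchLabels": {"app": "productpage"}}}}

# Remedy 2: keep the blanket policy but explicitly allow federation discovery
# on port 8188 at the gateway (assumed gateway label).
ALLOW_FEDERATION = {"metadata": {"name": "allow-federation-discovery", "namespace": "red-mesh-system"},
                    "spec": {"selector": {"matchLabels": {"app": "ingress-blue-mesh"}},
                             "rules": [{"to": [{"operation": {"ports": ["8188"], "paths": ["/v1/*"]}}]}]}}


def demo():
    """Verdict for the federation discovery request under each policy set."""
    return {
        "blanket_deny_at_gateway": evaluate([ALLOW_NOTHING], INGRESS_GW, DISCOVERY_REQ),
        "blanket_deny_at_app": evaluate([ALLOW_NOTHING], APP, DISCOVERY_REQ),
        "scoped_deny_at_gateway": evaluate([SCOPED_ALLOW_NOTHING], INGRESS_GW, DISCOVERY_REQ),
        "scoped_deny_at_app": evaluate([SCOPED_ALLOW_NOTHING], APP, DISCOVERY_REQ),
        "blanket_deny_plus_federation_allow": evaluate([ALLOW_NOTHING, ALLOW_FEDERATION],
                                                       INGRESS_GW, DISCOVERY_REQ),
    }
```

Running `demo()` gives DENY for the blanket policy at both the gateway and the app pod, ALLOW at the gateway once the policy carries a selector, and ALLOW again when an explicit federation ALLOW policy sits beside the blanket one. The model leaves out CUSTOM and AUDIT actions, `when` conditions and the `not*` fields, so it is a reasoning aid rather than a replacement for the proxy's RBAC filter. The `root_namespace` parameter captures one further caveat worth checking before relying on namespace scoping: a selector-less policy placed in the mesh root namespace selects workloads in every namespace, not only its own.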

         

      Expected results:

      AuthorizationPolicies created in the namespace where the SMCP is deployed should apply to application workloads only, not to the Service Mesh components (here the federation ingress and egress gateways and istiod's federation discovery on port 8188).

              Assignee: Unassigned
              Reporter: Alexis Solanas (rhn-support-asolanas)