Details
- Type: Story
- Resolution: Unresolved
- Priority: Major
- Version: OSSM 2.3.2
Description
When creating a "DenyAll" AuthorizationPolicy in the namespace where the SMCP is deployed, federation stops working.
How to reproduce the issue:
- Configure Service Mesh federation as per the documentation.
- Create an AuthorizationPolicy like this:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: red-mesh-system
spec: {}
- Federation then starts failing and stops working: istiod's federation watch is rejected with 403, and the federation gateways log the discovery requests as denied by RBAC.
# oc logs -f -n red-mesh-system -l app=istiod
[...]
2023-05-04T07:29:30.081642Z info federation starting watch component=federation-registry
2023-05-04T07:29:30.095114Z error federation watch failed: status code is not OK: 403 (403 Forbidden) component=federation-registry
2023-05-04T07:30:24.353678Z info federation starting watch component=federation-registry
2023-05-04T07:30:24.366988Z error federation watch failed: status code is not OK: 403 (403 Forbidden) component=federation-registry

# oc logs -f -n red-mesh-system ingress-blue-mesh-6ddf9498ff-kkc9j
[...]
[2023-05-04T07:27:10.146Z] "GET /v1/services/ HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.56,10.128.0.1" "Go-http-client/1.1" "365860a8-bf8a-4379-8c22-ca7eea9591ec" "discovery.blue-mesh-system.svc.red-mesh.local" "-" outbound|8188||istiod-red-mesh.red-mesh-system.svc.cluster.local - 10.128.2.52:8188 10.128.0.1:5051 discovery.blue-mesh-system.svc.red-mesh.local -

# oc logs -f -n red-mesh-system egress-blue-mesh-97c4fc954-mbxgc
[...]
[2023-05-04T07:28:47.227Z] "GET /v1/watch HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.51" "Go-http-client/1.1" "51650ab6-40ed-4ec8-905b-ac548c013481" "egress-blue-mesh.red-mesh-system.svc.cluster.local:8188" "-" outbound|8188|federation-discovery-blue-mesh-egress|discovery.red-mesh-system.svc.blue-mesh.local - 10.131.0.55:8188 10.128.2.51:53190 - -
Expected results:
AuthorizationPolicies created in the namespace where the SMCP is deployed should apply only to the application workloads, not to the Service Mesh components (istiod and the federation ingress/egress gateways).
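To spot this failure mode from the gateway logs rather than by noticing federation has gone quiet, the following added example (not part of the issue or of OSSM) parses the Envoy access-log lines quoted above and flags federation discovery requests that Istio RBAC rejected. It assumes Istio's default text access-log format (22 whitespace-separated fields, strings double-quoted) and takes the discovery endpoints /v1/services/ and /v1/watch from the lines in the issue; the HTTP 200 line in the sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two 403 gateway lines quoted in the issue plus one
# made-up healthy /v1/watch line (HTTP 200) to show a request that is not flagged.
SAMPLE_LOG = """\
[...]
[2023-05-04T07:27:10.146Z] "GET /v1/services/ HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.56,10.128.0.1" "Go-http-client/1.1" "365860a8-bf8a-4379-8c22-ca7eea9591ec" "discovery.blue-mesh-system.svc.red-mesh.local" "-" outbound|8188||istiod-red-mesh.red-mesh-system.svc.cluster.local - 10.128.2.52:8188 10.128.0.1:5051 discovery.blue-mesh-system.svc.red-mesh.local -
[2023-05-04T07:28:47.227Z] "GET /v1/watch HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.51" "Go-http-client/1.1" "51650ab6-40ed-4ec8-905b-ac548c013481" "egress-blue-mesh.red-mesh-system.svc.cluster.local:8188" "-" outbound|8188|federation-discovery-blue-mesh-egress|discovery.red-mesh-system.svc.blue-mesh.local - 10.131.0.55:8188 10.128.2.51:53190 - -
[2023-05-04T07:28:50.000Z] "GET /v1/watch HTTP/1.1" 200 - via_upstream - "-" 0 512 12 11 "10.128.2.51" "Go-http-client/1.1" "00000000-0000-4000-8000-000000000000" "egress-blue-mesh.red-mesh-system.svc.cluster.local:8188" "10.128.2.52:8188" outbound|8188|federation-discovery-blue-mesh-egress|discovery.red-mesh-system.svc.blue-mesh.local 10.131.0.55:41000 10.131.0.55:8188 10.128.2.51:53200 - default
"""

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # default Istio text format: whitespace-separated, strings double-quoted
_POLICY = re.compile(r"matched_policy\[(.*)\]")
_ENTRY = re.compile(r"\[\d{4}-")           # access-log lines start with a bracketed timestamp
FEDERATION_PATHS = ("/v1/services/", "/v1/watch")  # discovery endpoints seen in the issue (assumption)

@dataclass
class AccessLogEntry:
    timestamp: str
    method: str
    path: str
    status: int
    code_details: str        # RESPONSE_CODE_DETAILS, e.g. rbac_access_denied_matched_policy[none]
    authority: str
    upstream_cluster: str
    downstream_remote: str

def parse_line(line: str) -> AccessLogEntry:
    """Split one Envoy access-log line (22 fields in Istio's default format)."""
    tokens = [q if q else bare for q, bare in _TOKEN.findall(line)]
    if len(tokens) != 22:
        raise ValueError(f"unexpected field count {len(tokens)}: {line!r}")
    method, path, _proto = tokens[1].split(" ", 2)
    return AccessLogEntry(tokens[0].strip("[]"), method, path, int(tokens[2]),
                          tokens[4], tokens[14], tokens[16], tokens[19])

def matched_policy(entry: AccessLogEntry) -> Optional[str]:
    """Policy name Envoy reports in the denial; 'none' means no ALLOW rule matched."""
    m = _POLICY.search(entry.code_details)
    return m.group(1) if m else None

def federation_rbac_denials(log_text: str) -> List[AccessLogEntry]:
    """Entries where a federation discovery request was rejected by Istio RBAC."""
    entries = (parse_line(l) for l in log_text.splitlines() if _ENTRY.match(l))
    return [e for e in entries if e.status == 403
            and e.code_details.startswith("rbac_access_denied")
            and e.path.startswith(FEDERATION_PATHS)]
```

Running `federation_rbac_denials(SAMPLE_LOG)` returns the two denied requests, each reporting matched policy `none`, which is the signature of an allow-nothing policy catching the gateway's discovery traffic.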