OpenShift Service Mesh: OSSM-3896

[RFE] AuthorizationPolicies created in the namespace where the SMCP is deployed should not prevent the Mesh components from working


Details

    • Story
    • Resolution: Unresolved
    • Major
    • OSSM 2.3.2
    • Customer Impact, Maistra

    Description

      When a "DenyAll" AuthorizationPolicy is created in the namespace where the SMCP is deployed, federation stops working.

      How to reproduce the issue:

      • Configure Service Mesh federation as per the documentation.
      • Create an AuthorizationPolicy like this (an empty spec is an ALLOW policy with no rules, which denies all traffic to the selected workloads):
        apiVersion: security.istio.io/v1beta1
        kind: AuthorizationPolicy
        metadata:
          name: allow-nothing
          namespace: red-mesh-system
        spec: {}
      • Federation then starts failing and stops working:
        # oc logs -f -n red-mesh-system -l app=istiod
        [...]
        2023-05-04T07:29:30.081642Z     info    federation      starting watch  component=federation-registry
        2023-05-04T07:29:30.095114Z     error   federation      watch failed: status code is not OK: 403 (403 Forbidden)        component=federation-registry
        2023-05-04T07:30:24.353678Z     info    federation      starting watch  component=federation-registry
        2023-05-04T07:30:24.366988Z     error   federation      watch failed: status code is not OK: 403 (403 Forbidden)        component=federation-registry

        # oc logs -f -n red-mesh-system ingress-blue-mesh-6ddf9498ff-kkc9j
        [...]
        [2023-05-04T07:27:10.146Z] "GET /v1/services/ HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.56,10.128.0.1" "Go-http-client/1.1" "365860a8-bf8a-4379-8c22-ca7eea9591ec" "discovery.blue-mesh-system.svc.red-mesh.local" "-" outbound|8188||istiod-red-mesh.red-mesh-system.svc.cluster.local - 10.128.2.52:8188 10.128.0.1:5051 discovery.blue-mesh-system.svc.red-mesh.local -

        # oc logs -f -n red-mesh-system egress-blue-mesh-97c4fc954-mbxgc
        [...]
        [2023-05-04T07:28:47.227Z] "GET /v1/watch HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.51" "Go-http-client/1.1" "51650ab6-40ed-4ec8-905b-ac548c013481" "egress-blue-mesh.red-mesh-system.svc.cluster.local:8188" "-" outbound|8188|federation-discovery-blue-mesh-egress|discovery.red-mesh-system.svc.blue-mesh.local - 10.131.0.55:8188 10.128.2.51:53190 - -
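The gateway access logs above are the quickest place to spot this failure mode: a 403 whose response-code detail is rbac_access_denied_matched_policy[none] means no ALLOW policy matched the request (an implicit deny from the empty-spec policy), not that a named DENY rule fired. The following detection script is an added example, not part of the report; it parses the Istio/Envoy default access-log layout, keeps only RBAC-denied 403s on the federation discovery API paths (/v1/services/ and /v1/watch, as in the logs above), and reports which upstream cluster was blocked. The two denied lines are taken from the report; the third, a 200 response, is constructed so the filter has something to skip.

```python
import re

# Istio/Envoy default access-log layout, as printed by the gateway pods above.
ACCESS_LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<code>\d+) (?P<flags>\S+) (?P<details>\S+) (?P<term>\S+) '
    r'"(?P<upstream_failure>[^"]*)" '
    r'(?P<rx>\d+) (?P<tx>\d+) (?P<duration>\d+) (?P<upstream_time>\S+) '
    r'"(?P<xff>[^"]*)" "(?P<ua>[^"]*)" "(?P<req_id>[^"]*)" '
    r'"(?P<authority>[^"]*)" "(?P<upstream_host>[^"]*)" '
    r'(?P<cluster>\S+)(?: |$)'
)

# Response-code detail Envoy emits when the RBAC filter rejects a request.
# The bracketed value is the matched policy; "none" means no ALLOW policy
# matched, i.e. the request fell through to the default deny.
RBAC_DENY_RE = re.compile(r'^rbac_access_denied_matched_policy\[(?P<policy>[^\]]*)\]$')

# Federation discovery endpoints seen in the report (/v1/services/, /v1/watch).
FEDERATION_PATH_PREFIX = "/v1/"

# Sample input: two lines from the report plus one constructed 200 response.
SAMPLE_LINES = [
    '[2023-05-04T07:27:10.146Z] "GET /v1/services/ HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.56,10.128.0.1" "Go-http-client/1.1" "365860a8-bf8a-4379-8c22-ca7eea9591ec" "discovery.blue-mesh-system.svc.red-mesh.local" "-" outbound|8188||istiod-red-mesh.red-mesh-system.svc.cluster.local - 10.128.2.52:8188 10.128.0.1:5051 discovery.blue-mesh-system.svc.red-mesh.local -',
    '[2023-05-04T07:28:47.227Z] "GET /v1/watch HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.128.2.51" "Go-http-client/1.1" "51650ab6-40ed-4ec8-905b-ac548c013481" "egress-blue-mesh.red-mesh-system.svc.cluster.local:8188" "-" outbound|8188|federation-discovery-blue-mesh-egress|discovery.red-mesh-system.svc.blue-mesh.local - 10.131.0.55:8188 10.128.2.51:53190 - -',
    # Constructed healthy request, not from the report.
    '[2023-05-04T07:31:02.001Z] "GET /v1/services/ HTTP/1.1" 200 - via_upstream - "-" 0 512 3 2 "10.128.2.56" "Go-http-client/1.1" "00000000-0000-4000-8000-000000000000" "discovery.blue-mesh-system.svc.red-mesh.local" "10.128.2.52:8188" outbound|8188||istiod-red-mesh.red-mesh-system.svc.cluster.local 10.128.2.60:44210 10.128.2.52:8188 10.128.0.1:5052 discovery.blue-mesh-system.svc.red-mesh.local -',
]


def parse_access_log(line):
    """Parse one access-log line into a dict, or return None if it does not fit the layout."""
    m = ACCESS_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    return rec


def rbac_denied_policy(details):
    """Return the matched policy name from an RBAC denial detail, or None if the
    request was not rejected by the RBAC filter."""
    m = RBAC_DENY_RE.match(details)
    return m.group("policy") if m else None


def federation_denials(lines):
    """Return the RBAC-denied 403s that hit the federation discovery API."""
    hits = []
    for line in lines:
        rec = parse_access_log(line)
        if rec is None or rec["code"] != 403:
            continue
        policy = rbac_denied_policy(rec["details"])
        if policy is None or not rec["path"].startswith(FEDERATION_PATH_PREFIX):
            continue
        hits.append({
            "ts": rec["ts"],
            "path": rec["path"],
            "authority": rec["authority"],
            "cluster": rec["cluster"],
            "matched_policy": policy,  # "none" == implicit deny, no ALLOW rule matched
        })
    return hits


if __name__ == "__main__":
    for hit in federation_denials(SAMPLE_LINES):
        print(f'{hit["ts"]} {hit["path"]} -> {hit["cluster"]} denied (policy={hit["matched_policy"]})')
```

Run it against `oc logs` output from the federation ingress and egress gateway pods; any hit with matched_policy "none" on a /v1/ path points at a namespace-wide policy in the control-plane namespace rather than at an explicit DENY rule.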


      Expected results:


      The AuthorizationPolicies created in the namespace where the SMCP is deployed should apply to the application workloads only, not to the Service Mesh components.
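Until the scoping requested above exists, the practical mitigation is to narrow the policy with spec.selector.matchLabels so that it selects only the application workloads. The script below is an added example, not part of the report or of the OSSM project: it models Istio's AuthorizationPolicy scoping rules (a policy applies to workloads in its own namespace, or mesh-wide when created in the root namespace, filtered by the selector; an ALLOW policy with no rules denies everything it selects) over a constructed inventory of workloads. The pod labels are assumed except app=istiod, which the report's `oc logs -l app=istiod` shows; the scoped policy allow-nothing-apps and the bookinfo namespace are constructed, and whether red-mesh-system is the mesh root namespace is passed in as a parameter rather than assumed.

```python
# Constructed workload inventory: the control-plane namespace from the report
# plus one application namespace. Labels other than app=istiod are assumed.
WORKLOADS = [
    {"name": "istiod-red-mesh",   "namespace": "red-mesh-system", "labels": {"app": "istiod"}},
    {"name": "ingress-blue-mesh", "namespace": "red-mesh-system", "labels": {"app": "ingress-blue-mesh"}},
    {"name": "egress-blue-mesh",  "namespace": "red-mesh-system", "labels": {"app": "egress-blue-mesh"}},
    {"name": "productpage",       "namespace": "red-mesh-system", "labels": {"app": "productpage"}},
    {"name": "ratings",           "namespace": "bookinfo",        "labels": {"app": "ratings"}},
]

# The policy from the report: an empty spec is ALLOW with no rules, i.e. deny all.
ALLOW_NOTHING = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "allow-nothing", "namespace": "red-mesh-system"},
    "spec": {},
}

# Constructed variant: same deny-all intent, but scoped to an application
# workload through spec.selector so the mesh components are not selected.
ALLOW_NOTHING_SCOPED = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "allow-nothing-apps", "namespace": "red-mesh-system"},
    "spec": {"selector": {"matchLabels": {"app": "productpage"}}},
}


def is_deny_all(policy):
    """An ALLOW policy (the default action) with no rules denies all requests
    to the workloads it selects."""
    spec = policy.get("spec") or {}
    return spec.get("action", "ALLOW") == "ALLOW" and not spec.get("rules")


def selected_workloads(policy, workloads, root_namespace="istio-system"):
    """Names of the workloads the policy applies to: every workload in the policy's
    namespace (or in the whole mesh if the policy lives in the root namespace),
    narrowed by spec.selector.matchLabels when present."""
    ns = policy["metadata"]["namespace"]
    spec = policy.get("spec") or {}
    match = (spec.get("selector") or {}).get("matchLabels") or {}
    selected = []
    for w in workloads:
        if ns != root_namespace and w["namespace"] != ns:
            continue
        if any(w["labels"].get(k) != v for k, v in match.items()):
            continue
        selected.append(w["name"])
    return selected


def denied_workloads(policy, workloads, root_namespace="istio-system"):
    """Workloads whose inbound traffic the policy blocks entirely."""
    if not is_deny_all(policy):
        return []
    return selected_workloads(policy, workloads, root_namespace)


if __name__ == "__main__":
    for policy in (ALLOW_NOTHING, ALLOW_NOTHING_SCOPED):
        name = policy["metadata"]["name"]
        print(f'{name}: blocks {denied_workloads(policy, WORKLOADS)}')
        # If the SMCP namespace is also the mesh root namespace, the unscoped
        # policy reaches every workload in the mesh, not just its own namespace.
        print(f'{name} (root namespace): blocks '
              f'{denied_workloads(policy, WORKLOADS, root_namespace="red-mesh-system")}')
```

The unscoped policy selects istiod and both federation gateways alongside the application workload, which is exactly the outcome in the logs above; the selector-scoped variant reaches only productpage. The root-namespace case is worth checking in any deployment, because there the blast radius of an empty-spec policy is the whole mesh.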

      People

        Assignee: Unassigned
        Reporter: Alexis Solanas (rhn-support-asolanas)