ServiceA and ServiceB are deployed under the same namespace. Istio is enabled for validating request authentication. Any call to the service needs to have an 'Authorization' header with a valid JWT token. It gets validated with RequestAuthentication along with the AuthorizationPolicy set. It is working as expected and I can make HTTP calls with a valid auth token. Now ServiceA needs to talk to ServiceB. I used the service name serviceb.<namespace-name>.svc.cluster.local. The call is passed to ServiceB but fails with HTTP 403. It is expecting the auth token header.
How can I allow the calls between the services within the same namespace without auth token?
I am trying to find an example of customizing the AuthorizationPolicy so that it allows calls within the same namespace, as a trusted service, without an auth token. Please let me know whether it is possible or if there is an alternative way.
All my pods running under the services are Spring Boot and use RestTemplate for calls between services.
Below is the Istio auth policy used:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-auth-policy
  namespace: namespace-dev
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
I changed the original authorization policy from
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-auth-policy
  namespace: namespace-dev
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
including the namespace as below
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: catalog-auth-policy
  namespace: namespace-dev
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    - source:
        namespaces: ["namespace-dev"]
and it worked as expected.
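Why the second `source` entry changes the outcome, as an added example that is not part of the original post and is not Istio code: a simplified Python model of ALLOW matching in which entries in a `from` list are ORed and fields inside one `source` are ANDed. It assumes the source namespace is taken from the caller's mTLS peer identity, so a plaintext call without a token still fails; the service account and issuer names are placeholders.

```python
# Simplified model of how an Istio ALLOW AuthorizationPolicy matches `from` sources.
# Added illustration only; models just the two source fields used on this page.

def matches(values, actual):
    """'*' matches any present value; anything else must match exactly."""
    return actual is not None and any(v == "*" or v == actual for v in values)

def peer_namespace(peer_identity):
    """Namespace from an mTLS peer identity 'cluster.local/ns/<ns>/sa/<sa>'."""
    parts = (peer_identity or "").split("/")
    return parts[parts.index("ns") + 1] if "ns" in parts[:-1] else None

def source_matches(source, request):
    """Every field set on a single source must match (AND)."""
    checks = []
    if "requestPrincipals" in source:
        checks.append(matches(source["requestPrincipals"], request["jwt_principal"]))
    if "namespaces" in source:
        checks.append(matches(source["namespaces"], peer_namespace(request["peer"])))
    return all(checks)

def allowed(policy_rules, request):
    """The request passes if any rule has at least one matching source (OR)."""
    return any(
        any(source_matches(entry["source"], request) for entry in rule["from"])
        for rule in policy_rules
    )

# The two policies from the post, reduced to their `rules` section.
ORIGINAL = [{"from": [{"source": {"requestPrincipals": ["*"]}}]}]
UPDATED = [{"from": [{"source": {"requestPrincipals": ["*"]}},
                     {"source": {"namespaces": ["namespace-dev"]}}]}]

# Constructed requests; service account and issuer names are placeholders.
A_TO_B = {"peer": "cluster.local/ns/namespace-dev/sa/servicea", "jwt_principal": None}
OTHER_NS = {"peer": "cluster.local/ns/other-ns/sa/client", "jwt_principal": None}
PLAINTEXT = {"peer": None, "jwt_principal": None}
WITH_JWT = {"peer": None, "jwt_principal": "issuer.example/subject"}

if __name__ == "__main__":
    for name, req in [("A_TO_B", A_TO_B), ("OTHER_NS", OTHER_NS),
                      ("PLAINTEXT", PLAINTEXT), ("WITH_JWT", WITH_JWT)]:
        print(name, "original:", allowed(ORIGINAL, req), "updated:", allowed(UPDATED, req))
```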