I am very new to Istio Authorization policies, I need some help with setting up authorization policies:
Here is the scenario:
I have a namespace called namespace1 which has 4 Microservices running in it. For the context, let's call them A, B, C, D. And all 4 microservices have istio-sidecar injection enabled.
I have a namespace called namespace2 which has 2 Microservices running in it. For the context, let's call them E, F. And both microservices have istio-sidecar injection enabled.
Now I have deployed Memcached service by following Memcached using mcrouter to namespace memcached. And all the pods of Memcached also have istio-sidecar injection enabled.
Now I have a scenario where I have to allow only calls from B and C microservices in namespace1 to be made to memcached services and deny calls from A and D in namespace1 along with calls coming from any other namespaces. Is it possible to achieve this using istio authorization policies?
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authorization-policy-deny-all
  namespace: memcached
spec:
  # Applies to the memcached workloads carrying this label
  selector:
    matchLabels:
      app: activator
  action: DENY
  rules:
  # Deny any request whose source namespace is not namespace1
  - from:
    - source:
        notNamespaces: ["namespace1"]
```
This is the best I could come up with, where I am allowing only calls from namespace1 and denying calls from all other namespaces. I could not figure out how I can deny calls from A and D Microservices in namespace1.
Here's one setup that might work.
```yaml
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: memcached-allow-policy   # placeholder name, not given in the original answer
  namespace: memcached
spec:
  selector:
    matchLabels:
      app: activator
  action: ALLOW
  rules:
  # Only requests presenting this service-account identity are allowed;
  # everything else hitting the selected workload is denied
  - from:
    - source:
        principals:
        - cluster.local/ns/namespace1/sa/memcached--user
```
I hope this could solve your issue.
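The answer's approach extended to the exact requirement in the question (allow B and C from namespace1, reject A, D and every other namespace). This is an added example, not the asker's or answerer's configuration. It assumes B and C run under their own Kubernetes ServiceAccounts, here named b-sa and c-sa (hypothetical), and reuses the app: activator pod label from the question; both must be replaced with the real values. The point of using an ALLOW policy is Istio's evaluation order: once an ALLOW policy selects a workload, any request that matches none of its rules is denied, so A, D, E, F and any other namespace are rejected without a separate DENY policy. The principal is derived from the caller's mTLS certificate, so each of B and C needs a distinct ServiceAccount (if A and B shared the default ServiceAccount they would be indistinguishable), and the PeerAuthentication below makes mTLS mandatory on the memcached side so plaintext callers are rejected at the transport layer. Memcached is plain TCP, so only L4 source fields such as principals and namespaces are used; HTTP-only fields (paths, methods, headers) do not apply to TCP workloads.

```yaml
# Added example (not from the question or answer). Assumed values:
# ServiceAccounts b-sa and c-sa in namespace1, pod label app: activator.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: memcached-strict-mtls
  namespace: memcached
spec:
  # Require mesh mTLS for every workload in this namespace so that the
  # source principal in the policy below is always backed by a certificate
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: memcached-allow-b-and-c
  namespace: memcached
spec:
  selector:
    matchLabels:
      app: activator
  action: ALLOW
  rules:
  # Exactly these two identities may reach memcached; everything else,
  # including A and D in namespace1 and all of namespace2, is denied
  - from:
    - source:
        principals:
        - cluster.local/ns/namespace1/sa/b-sa   # assumed ServiceAccount of B
        - cluster.local/ns/namespace1/sa/c-sa   # assumed ServiceAccount of C
```

To confirm which policies Istio has actually applied to a memcached pod, run `istioctl x authz check <memcached-pod-name> -n memcached`; it lists the ALLOW/DENY policies attached to that pod's sidecar, which is the quickest way to catch a selector label that does not match.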