istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/help/ops/security/authorization-restrictive/index.md

1.8 KiB
Raw Blame History

title description weight
Authorization Too Restrictive Authorization is enabled and no requests make it through to the service. 60

When you first enable authorization for a service, all requests are denied by default. After you add one or more authorization policies, then matching requests should flow through. If all requests continue to be denied, you can try the following:

  1. Make sure there is no typo in your policy yaml file.

  2. Avoid enabling authorization for Istio Control Planes Components, including Mixer, Pilot, Ingress. Istio authorization policy is designed for authorizing access to services in Istio Mesh. Enabling it for Istio Control Planes Components may cause unexpected behavior.

  3. Make sure that your ServiceRoleBinding and referred ServiceRole objects are in the same namespace (by checking "metadata"/”namespace” line).

  4. In Kubernetes environment, make sure all services in a ServiceRole object are in the same namespace as the ServiceRole itself. For example, if a service in a ServiceRole object is a.default.svc.cluster.local, the ServiceRole must be in the default namespace (metadata/namespace line should be default). For non-Kubernetes environments, all ServiceRoles and ServiceRoleBindings for a mesh should be in the same namespace.

  5. Check Pilot and proxy log (or collect Pilot and proxy log and file a GitHub issue) to find out the exact cause. You could collect the LDS configuration generated by Pilot by running [dump_kubernetes.sh]({{< github_file >}}/tools/dump_kubernetes.sh).

  6. For Mixer based authorization, it is often the case that Istio Proxy to Mixer connection is down, Mixer attribute manifest is not setup correctly. Check Mixer Log (or collect Mixer log and file a GitHub issue) to find out the exact cause.