Is it possible to configure an Istio AuthorizationPolicy in such a way that only pods having a given label will be able to access it? E.g. I would like to have a service called example-service and expect only pods having the example-service-access k8s label to be able to connect to it.
I am aware that a similar configuration could be possible with a k8s NetworkPolicy, but our network plugin does not support it.
asked Mar 31 at 11:54 user651297
- Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Bot Commented Apr 2 at 0:00
- Did you have time to check my answer? Did it help you to solve your issue? If not, I am happy to assist further. What should I do when someone answers my question? – Sai Chandra Gadde Commented Apr 2 at 10:09
1 Answer
-1
You can use an AuthorizationPolicy, which can allow only pods with specific labels to access your service.
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
```
The above example will only apply to workloads matched with label selector “app: httpbin, version: v1” and others will be rejected.
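
Added example, not part of the answer above or of Istio's own documentation: an AuthorizationPolicy `selector` chooses the workloads a policy protects, while its `from.source` fields match callers by identity (service-account principal, namespace, IP block) rather than by pod label, so one way to get the effect asked about is to run the permitted pods under a dedicated service account and allow only that principal. Assumptions: namespace `foo`, the target label `app: example-service`, a service account named `example-service-access`, the default `cluster.local` trust domain, and sidecar-injected callers.

```yaml
# Added example. Assumed names (not from the page): namespace "foo",
# target label app=example-service, service account "example-service-access".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-service-access
  namespace: foo
---
# Require mutual TLS on the target so the caller's principal is
# authenticated; without mTLS the source principal is empty and the
# ALLOW rule below matches nothing.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: example-service-mtls
  namespace: foo
spec:
  selector:
    matchLabels:
      app: example-service
  mtls:
    mode: STRICT
---
# "selector" picks the workload being protected (the destination).
# Once an ALLOW policy applies to a workload, requests that match none
# of its rules are denied, so only the listed principal gets through.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example-service-allow-callers
  namespace: foo
spec:
  selector:
    matchLabels:
      app: example-service
  action: ALLOW
  rules:
  - from:
    - source:
        # Format: <trust-domain>/ns/<namespace>/sa/<service-account>
        principals:
        - cluster.local/ns/foo/sa/example-service-access
```

Pods that should reach the service set `spec.serviceAccountName: example-service-access`. Because the service account is the credential here, the Kubernetes RBAC controlling who may create pods with that service account is what bounds access.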