Authorization Too Restrictive
When you first enable authorization for a service, all requests are denied by default. After you add one or more authorization policies, then matching requests should flow through. If all requests continue to be denied, you can try the following:
Make sure there is no typo in your policy YAML file.
Avoid enabling authorization for Istio control plane components, including Mixer, Pilot, and Ingress. Istio authorization policy is designed for authorizing access to services in the Istio mesh. Enabling it for control plane components may cause unexpected behavior.
Make sure that your ServiceRole objects are in the same namespace (by checking the "metadata"/"namespace" line).
Make sure that your service role and service role binding policies don't use any HTTP-only fields for TCP services. Otherwise, Istio ignores the policies as if they didn't exist.
In a Kubernetes environment, make sure all services in a ServiceRole object are in the same namespace as the ServiceRole itself. For example, if a service in a ServiceRole must be in the metadata/namespace line should be default). For non-Kubernetes environments, all ServiceRoleBindings for a mesh should be in the same namespace.
Follow the Debugging Authorization docs to find out the exact cause.
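The namespace and HTTP-only checks from the list above can be run over parsed manifests before applying them. This is an added example, not code from the Istio project; it assumes the rbac.istio.io/v1alpha1 field names (roleRef, rules, services, paths, methods), the default cluster.local domain, and a hypothetical caller-supplied tcp_services set, and the sample manifests are constructed.

```python
# Added example: lint parsed ServiceRole / ServiceRoleBinding manifests.
SUFFIX = ".svc.cluster.local"      # assumption: default cluster domain
HTTP_ONLY = ("paths", "methods")   # ServiceRole rule fields that apply to HTTP only

def meta(m):
    # Assumption: a manifest without metadata.namespace lands in "default".
    return m["metadata"].get("namespace", "default"), m["metadata"]["name"]

def lint(manifests, tcp_services=frozenset()):
    """Return findings; tcp_services is a caller-supplied set of TCP service names."""
    findings = []
    roles = {meta(m) for m in manifests if m["kind"] == "ServiceRole"}
    for m in manifests:
        ns, name = meta(m)
        if m["kind"] == "ServiceRoleBinding":
            ref = m["spec"]["roleRef"]["name"]
            if (ns, ref) not in roles:
                findings.append(f"{ns}/{name}: roleRef '{ref}' not found in namespace '{ns}'")
        elif m["kind"] == "ServiceRole":
            for rule in m["spec"]["rules"]:
                for svc in rule.get("services", []):
                    # Only fully qualified, non-wildcard names carry a namespace.
                    if svc.endswith(SUFFIX) and "*" not in svc:
                        svc_ns = svc[:-len(SUFFIX)].split(".")[-1]
                        if svc_ns != ns:
                            findings.append(f"{ns}/{name}: service '{svc}' is in namespace '{svc_ns}'")
                    used = [f for f in HTTP_ONLY if rule.get(f)]
                    if svc in tcp_services and used:
                        findings.append(f"{ns}/{name}: HTTP-only {used} on TCP service '{svc}'")
    return findings

def role(ns, name, svc, **fields):
    return {"kind": "ServiceRole", "metadata": {"namespace": ns, "name": name},
            "spec": {"rules": [dict(services=[svc], **fields)]}}

def binding(ns, name, ref):
    return {"kind": "ServiceRoleBinding", "metadata": {"namespace": ns, "name": name},
            "spec": {"subjects": [{"user": "*"}], "roleRef": {"kind": "ServiceRole", "name": ref}}}

# Constructed sample manifests (not from the Istio docs).
SAMPLE = [
    role("default", "products-viewer", "products.default.svc.cluster.local", methods=["GET"]),
    role("default", "db-reader", "mongodb.storage.svc.cluster.local", methods=["GET"]),
    binding("default", "bind-products", "products-viewer"),
    binding("prod", "bind-db", "db-reader"),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE, tcp_services={"mongodb.storage.svc.cluster.local"}):
        print(finding)
```

An empty result only means these three checks passed; the Debugging Authorization docs remain the way to find other causes.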