Authorization Too Permissive

If authorization checks are enabled for a service and yet requests to the service aren’t being blocked, then authorization was likely not enabled successfully. To verify, follow these steps:

  1. Check the enable authorization docs to confirm that Istio authorization is enabled correctly.

  2. Avoid enabling authorization for Istio control plane components, including Mixer, Pilot and Ingress. The Istio authorization features are designed for authorizing access to services in an Istio mesh. Enabling the authorization features for the Istio control plane components can cause unexpected behavior.

  3. In your Kubernetes environment, check deployments in all namespaces to make sure there is no legacy deployment left that can cause an error in Pilot. You can disable Pilot’s authorization plug-in if there is an error pushing authorization policy to Envoy.

  4. Follow the Debugging Authorization docs to find out the exact cause.
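The following is an added example, not part of the Istio documentation or code base, that automates the checks in steps 1 and 2. It assumes an Istio release in which authorization is enabled through a singleton `ClusterRbacConfig` resource named `default` (the page does not name the resource), matches service names exactly, and uses a constructed control-plane namespace and Pilot service name.

```python
import json

# Assumptions (not from the page): default control-plane namespace and Pilot service name.
CONTROL_PLANE_NS = "istio-system"
PILOT_SVC = "istio-pilot.istio-system.svc.cluster.local"

def authz_enforced(cfg, service, namespace):
    """True if this ClusterRbacConfig turns authorization on for the service."""
    if cfg.get("metadata", {}).get("name") != "default":
        return False  # only the instance named "default" is honoured
    spec = cfg.get("spec", {})
    mode = spec.get("mode", "OFF")

    def listed(target):
        target = target or {}
        return (service in target.get("services", [])
                or namespace in target.get("namespaces", []))

    if mode == "ON":
        return True
    if mode == "ON_WITH_INCLUSION":
        return listed(spec.get("inclusion"))
    if mode == "ON_WITH_EXCLUSION":
        return not listed(spec.get("exclusion"))
    return False  # OFF or unrecognised mode

def audit(cfg, service, namespace):
    """Findings for steps 1 and 2 of the checklist above."""
    findings = []
    if not authz_enforced(cfg, service, namespace):
        findings.append("not-enforced")
    if authz_enforced(cfg, PILOT_SVC, CONTROL_PLANE_NS):
        findings.append("covers-control-plane")
    return findings

# Constructed samples, shaped like `kubectl get clusterrbacconfig default -o json`.
INCLUSION_CFG = json.loads('''{"metadata": {"name": "default"},
  "spec": {"mode": "ON_WITH_INCLUSION", "inclusion": {"namespaces": ["default"]}}}''')
GLOBAL_ON_CFG = json.loads('{"metadata": {"name": "default"}, "spec": {"mode": "ON"}}')

if __name__ == "__main__":
    svc, ns = "reviews.prod.svc.cluster.local", "prod"
    print(audit(INCLUSION_CFG, svc, ns))   # service sits outside the inclusion list
    print(audit(GLOBAL_ON_CFG, svc, ns))   # enforced, but control plane is in scope
```

A `not-enforced` finding means requests to the service pass because the configuration never applied to it; a `covers-control-plane` finding means the scope should be narrowed with an inclusion or exclusion list.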