Authorization Too Restrictive
When you first enable authorization for a service, all requests are denied by default. After you add one or more authorization policies, then matching requests should flow through. If all requests continue to be denied, you can try the following:
Make sure there is no typo in your policy YAML file.
Avoid enabling authorization for Istio Control Planes Components, including Mixer, Pilot, Ingress. Istio authorization policy is designed for authorizing access to services in Istio Mesh. Enabling it for Istio Control Planes Components may cause unexpected behavior.
Make sure that your
ServiceRoleBinding
and referredServiceRole
objects are in the same namespace (by checking “metadata”/”namespace” line).Make sure that your service role and service role binding policies don’t use any HTTP only fields for TCP services. Otherwise, Istio ignores the policies as if they didn’t exist.
In Kubernetes environment, make sure all services in a
ServiceRole
object are in the same namespace as theServiceRole
itself. For example, if a service in aServiceRole
object isa.default.svc.cluster.local
, theServiceRole
must be in thedefault
namespace (metadata/namespace
line should bedefault
). For non-Kubernetes environments, allServiceRoles
andServiceRoleBindings
for a mesh should be in the same namespace.Follow the Debugging Authorization docs to find out the exact cause.