feature: Allow traffic to everything in a namespace with a cross-namespace waypoint #57351

@orfeas-k

Description

Following the discussion that took place in the Istio community meeting on the 13th of August 2025, I'm filing this feature request. cc @ca-scribner

Context

In sidecar mode, it’s possible to create an AuthorizationPolicy that applies to everything in namespace X. This is achieved by creating an AuthorizationPolicy in namespace X with an empty selector.

In ambient mode, there is no equivalent for a Waypoint that is shared by multiple namespaces:

  • A waypoint can capture traffic across multiple namespaces, but there is no AuthorizationPolicy that can say “allow all communication to namespace X through this waypoint” or “allow all communication from A to namespace X through this waypoint” (see conversation in Slack).
  • One can deploy a waypoint per namespace to achieve the same control, but that has the cost of additional waypoints. In a cluster where hundreds of namespaces exist but stay idle (there is no active traffic most of the time), this adds a lot of overhead (e.g. memory consumption) that could be avoided by using a single cross-namespace waypoint.
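To make the two situations concrete, the following manifests (an added example, not from the issue or the Istio project) show the sidecar-mode namespace-wide policy next to the per-namespace-waypoint workaround described in the second bullet. The namespace name `my-namespace`, the waypoint name `waypoint` and the header-based rule are placeholders; the labels `istio.io/dataplane-mode`, `istio.io/use-waypoint` and the `istio-waypoint` GatewayClass are the standard Istio ambient ones.

```yaml
# --- Sidecar mode: an AuthorizationPolicy with no selector and no targetRefs
# applies to every workload in its namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: secure-whole-namespace
  namespace: my-namespace        # placeholder namespace
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[email]
      values:
      - my-user@example.com      # placeholder rule
---
# --- Ambient mode workaround: one waypoint per namespace.
# The Gateway is created in the namespace it protects.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint                 # placeholder waypoint name
  namespace: my-namespace
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# Enrolling the namespace in ambient and pointing it at the waypoint routes
# traffic to every service in the namespace through that waypoint.
apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
  labels:
    istio.io/dataplane-mode: ambient
    istio.io/use-waypoint: waypoint
---
# Attaching the policy to the waypoint makes it cover all traffic the waypoint
# handles. Because only this namespace uses this waypoint, the effect is
# "allow to everything in my-namespace", which is what the issue asks for.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: secure-whole-namespace
  namespace: my-namespace
spec:
  action: ALLOW
  targetRefs:
  - name: waypoint
    kind: Gateway
    group: gateway.networking.k8s.io
  rules:
  - when:
    - key: request.headers[email]
      values:
      - my-user@example.com
```

The limitation the issue describes follows from the last manifest: a policy attached via `targetRefs` scopes to the waypoint as a whole, so if the same Gateway lived in `istio-system` and served many namespaces, the policy would apply to all of them with no way to restrict it to the destination namespace. That is why each protected namespace currently needs its own waypoint, and why an idle namespace still pays for a running waypoint proxy.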

Feature description

Provide a way to allow traffic to (all services in) a specific namespace through a cross-namespace waypoint. This could be done, for example, by attaching the AuthorizationPolicy to all services in the namespace with a wildcard targetRef like this (the wildcard is quoted so the manifest stays valid YAML):

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: secure-whole-namespace
  namespace: my-namespace
spec:
  ...
  targetRefs:
  - name: "*"
    kind: Service
    group: ""
```

or by introducing a to.namespaces attribute for rules:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: secure-whole-namespace
  namespace: my-namespace
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[email]
      values:
      - my-user@example.com
    to:
    - namespaces:
      - my-namespace
  targetRefs:
  - name: waypoint
    namespace: istio-system
    kind: Gateway
    group: gateway.networking.k8s.io
```

Considerations

As mentioned above, the motivation behind this is to achieve zero-overhead namespaces in clusters with hundreds of idle namespaces that carry no traffic most of the time. Another approach to such a problem would be to enable autoscaling the waypoints to zero in such cases, which would also achieve zero overhead.
