This is not a security vulnerability or a crashing bug
This is not a question about how to use Istio
Bug Description
An AuthorizationPolicy defined in a given namespace A is being applied by ztunnel to pods in namespace B if the pod matches the selector while using the new Ambient mode.
Extracting the ztunnel config using kubectl debug -it ztunnel-m8djs -n istio-system --image=curlimages/curl -- curl localhost:15000/config_dump, I can see this:
This behavior didn't occur while using the Istio sidecar, is not defined (at least I didn't see it anywhere), and is the exact opposite of what I saw in the documentation here:
The selector decides where to apply the authorization policy. The selector will match with workloads in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector will additionally match with workloads in all namespaces.
I'm not using hierarchical namespaces either.
If this behavior won't be changed, it would be nice to update the documentation. This was a "breaking change" in our scenario.
Also, how can I create an AuthorizationPolicy that only applies to pods in "namespace-A", even if the selector matches pods in "namespace-B", without creating a label on the pod itself with the namespace? Maybe the AuthorizationPolicy should also support defining the namespace on the WorkloadSelector?
Version
$ istioctl version
client version: 1.22.1
control plane version: 1.22.1
data plane version: 1.21.1 (126 proxies), 1.22.1 (44 proxies)
$ kubectl version
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.2
Additional Information
No response
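An added example, not part of the issue report, showing the kind of policy the report is about: an AuthorizationPolicy in one namespace whose selector matches pods by label only. Namespace names, the app label and the service account are assumed placeholders (Kubernetes namespaces must be lowercase, so "namespace-a"/"namespace-b" stand in for the report's "namespace-A"/"namespace-B").

```yaml
# Added example (not from the issue). Per the documentation quoted above, the
# selector should bind only to workloads in the policy's own namespace
# (namespace-a). The issue reports that in Ambient mode ztunnel also applies it
# to matching pods in namespace-b, which would silently restrict traffic there.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: backend-allow-frontend
  namespace: namespace-a      # assumed: the namespace that should bound the selector
spec:
  selector:
    matchLabels:
      app: backend            # assumed label; pods in other namespaces may carry it too
  action: ALLOW
  rules:
  - from:
    - source:
        # assumed caller identity; with ALLOW and no DENY policies, any other
        # principal is rejected for the selected workloads
        principals:
        - cluster.local/ns/namespace-a/sa/frontend
```

A cheap check for the scoping the docs describe is to also run a pod with the same app label in namespace-b and confirm that traffic to it from an unlisted principal is not rejected; if it is, the policy has bound across namespaces as the report describes.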