AuthorizationPolicy affecting resources created in a different namespace - Ambient Mode

[hilariocoelho]

Is this the right place to submit this?

• This is not a security vulnerability or a crashing bug
• This is not a question about how to use Istio

Bug Description

AuthorizationPolicy defined in a given namespace A is being applied to ztunnel policies pods on namespace B if the pod is matches the selector while using new Ambient mode.

Extracting ztunnel config using kubectl debug -it ztunnel-m8djs -n istio-system --image=curlimages/curl -- curl localhost:15000/config_dump I can see this:

    "/10.1.3.196": {
      "authorizationPolicies": [
        "namespace-A/pod-123-policies-deny-all",
        "namespace-A/pod-123-policies-exceptions"
      ],
      "canonicalName": "pod-123",
      "canonicalRevision": "v2",
      "clusterId": "Kubernetes",
      "locality": {
        "region": "northeurope",
        "subzone": "",
        "zone": "northeurope-1"
      },
      "name": "pod-123-75669954bd-45j75",
      "namespace": "namespace-B",
      "node": "aks-default-38469435-vmss00017i",
      "protocol": "HBONE",
      "serviceAccount": "default",
      "status": "Healthy",
      "trustDomain": "cluster.local",
      "uid": "Kubernetes//Pod/namespace-B/pod-123-75669954bd-45j75",
      "workloadIps": [
        "10.1.3.196"
      ],
      "workloadName": "pod-123",
      "workloadType": "deployment"
    },

This behavior didn't occur while using Istio Sidecar, not defined (at least I didn't see it anywhere) and the exact opposite of what I saw in the documentation here

The selector decides where to apply the authorization policy. The selector will match with workloads in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

I'm not using hierarchical namespaces also.

If this behavior won't be changed, it would be nice to update the documentation. This was a "breaking change" in our scenario.

Also, how can I create an AuthorizationPolicy that only applies to pods in "namespace-A", even if the selector matches pods in "namespace-B" without creating a label on the pod itself with the namespace? Maybe the AuthorizationPolicy should also support to define the namespace on the WorkloadSelector?

Version

$ istioctl version
client version: 1.22.1
control plane version: 1.22.1
data plane version: 1.21.1 (126 proxies), 1.22.1 (44 proxies)
$ kubectl version
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.2

Additional Information

No response

[hilariocoelho]

Forgot to add label area/ambient

[keithmattix]

I don't think this is intended; smells like a bug @howardjohn @ilrudie @bleggett

[howardjohn]

👀

[howardjohn]

Thanks for the report @hilariocoelho. This is not intended and should be fixed in 1.22.2 (assuming #51557 merges)

[hilariocoelho]

Wow! This was incredibly fast! Thanks a lot 😀

Hope it makes it into 1.22.2, looking forward to start using ambient mode 😄

[keithmattix]

Thank you for reporting!