Description
What happened?
When I tried the HTTP Traffic Task, I couldn't access the productpage from the browser even though I applied the allow-nothing and productpage-viewer AuthorizationPolicy as described in the document.
After the direction to apply productpage-viewer, the document says:
Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “Bookinfo Sample” page.
I think we should apply an additional AuthorizationPolicy to bookinfo-gateway.
What did you expect to happen?
I can access the productpage.
How can we reproduce it (as minimally and precisely as possible)?
- Create Cluster with kind.
- Install cloud-provider-kind to enable LoadBalancer Service support.
- Install Istio. I used the Helm chart. (Install with Helm)
- Install Gateway API CRDs. (Kubernetes Gateway API)
- Install Bookinfo app. (Bookinfo Application)
Now, we have deployed Bookinfo microservices Pods and Services.
In addition, we have a Gateway Pod and Service, and we can access Bookinfo app via the Gateway Service.
$ k get po,svc,gtw,httproute
NAME READY STATUS RESTARTS AGE
pod/bookinfo-gateway-istio-54668864f9-stgpj 1/1 Running 0 4d1h
pod/details-v1-766844796b-zzxwg 2/2 Running 0 4d1h
pod/productpage-v1-54bb874995-bz8lb 2/2 Running 0 4d1h
pod/ratings-v1-5dc79b6bcd-6vn9x 2/2 Running 0 4d1h
pod/reviews-v1-598b896c9d-cw5l6 2/2 Running 0 4d1h
pod/reviews-v2-556d6457d-vxdnj 2/2 Running 0 4d1h
pod/reviews-v3-564544b4d6-fhp6z 2/2 Running 0 4d1h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/bookinfo-gateway-istio LoadBalancer 10.96.158.132 172.18.0.7 15021:32147/TCP,80:31007/TCP 4d1h
service/details ClusterIP 10.96.51.175 <none> 9080/TCP 4d1h
service/details-v1 ClusterIP 10.96.238.115 <none> 9080/TCP 4d1h
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 4d1h
service/productpage ClusterIP 10.96.48.60 <none> 9080/TCP 4d1h
service/productpage-v1 ClusterIP 10.96.44.203 <none> 9080/TCP 4d1h
service/ratings ClusterIP 10.96.98.208 <none> 9080/TCP 4d1h
service/ratings-v1 ClusterIP 10.96.226.181 <none> 9080/TCP 4d1h
service/reviews ClusterIP 10.96.218.65 <none> 9080/TCP 4d1h
service/reviews-v1 ClusterIP 10.96.85.85 <none> 9080/TCP 4d1h
service/reviews-v2 ClusterIP 10.96.16.61 <none> 9080/TCP 4d1h
service/reviews-v3 ClusterIP 10.96.11.217 <none> 9080/TCP 4d1h
NAME CLASS ADDRESS PROGRAMMED AGE
gateway.gateway.networking.k8s.io/bookinfo-gateway istio 172.18.0.7 True 4d1h
NAME HOSTNAMES AGE
httproute.gateway.networking.k8s.io/bookinfo 4d1h
- Along with HTTP Traffic Task, I've applied allow-nothing and productpage-viewer AuthorizationPolicy. Then, the document says:
Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “Bookinfo Sample” page.
However, I cannot access the productpage. The browser shows RBAC: access denied (403 Forbidden).
I tried applying an additional AuthorizationPolicy as follows, and it works.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: "bookinfo-gateway"
  namespace: default
spec:
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: bookinfo-gateway
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["GET"]
Anything else we need to know?
No response
Kubernetes version
$ kubectl version
Client Version: v1.32.0
Kustomize Version: v5.5.0
Server Version: v1.33.1
Istio version
$ istioctl version
client version: 1.26.2
control plane version: 1.26.2
data plane version: 1.26.2 (7 proxies)
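Added example, not part of the original issue and not Istio code: a simplified Python model of ALLOW-policy evaluation that reproduces the reported 403 and shows why the extra gateway policy resolves it. The bodies of allow-nothing and productpage-viewer and the `app: productpage` label are assumed from the Istio HTTP Traffic task and the Bookinfo sample; only ALLOW policies and HTTP methods are modeled.

```python
"""Simplified model of Istio ALLOW-policy evaluation (added example, not Istio code)."""

# Policies as the issue describes them. The bodies of allow-nothing and
# productpage-viewer are assumed from the Istio HTTP Traffic task; only
# bookinfo-gateway is quoted on the page.
ALLOW_NOTHING = {"name": "allow-nothing", "namespace": "default",
                 "selector": {}, "rules": []}
PRODUCTPAGE_VIEWER = {"name": "productpage-viewer", "namespace": "default",
                      "selector": {"app": "productpage"},
                      "rules": [{"methods": ["GET"]}]}
BOOKINFO_GATEWAY = {"name": "bookinfo-gateway", "namespace": "default",
                    "selector": {"gateway.networking.k8s.io/gateway-name": "bookinfo-gateway"},
                    "rules": [{"methods": ["GET"]}]}

# Constructed workloads; both run in the default namespace per the pod listing.
GATEWAY_POD = {"namespace": "default",
               "labels": {"gateway.networking.k8s.io/gateway-name": "bookinfo-gateway"}}
PRODUCTPAGE_POD = {"namespace": "default", "labels": {"app": "productpage"}}  # label assumed


def selects(policy, workload):
    """An empty selector selects every workload in the policy's namespace."""
    if policy["namespace"] != workload["namespace"]:
        return False
    return all(workload["labels"].get(k) == v for k, v in policy["selector"].items())


def decide(policies, workload, method):
    """Return (status, reason) for one request arriving at one workload."""
    applicable = [p for p in policies if selects(p, workload)]
    if not applicable:
        return 200, "no policy selects this workload"
    for p in applicable:
        if any(method in rule["methods"] for rule in p["rules"]):
            return 200, "allowed by " + p["name"]
    return 403, "RBAC: access denied"


def browser_request(policies, method="GET"):
    """Browser -> gateway pod -> productpage sidecar; the first denial wins."""
    for hop in (GATEWAY_POD, PRODUCTPAGE_POD):
        status, reason = decide(policies, hop, method)
        if status != 200:
            return status, reason
    return status, reason


if __name__ == "__main__":
    print(browser_request([ALLOW_NOTHING, PRODUCTPAGE_VIEWER]))
    print(browser_request([ALLOW_NOTHING, PRODUCTPAGE_VIEWER, BOOKINFO_GATEWAY]))
```

In this model the selector-less allow-nothing policy also selects the gateway pod, so the request is denied at the first hop until a policy selecting the gateway allows GET.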