First thing: everything seems to work correctly and the security policy does its job (according to the unit tests)... but Kiali thinks I have some problems.
All my services (ServiceAccount/Service/Deployment) are in namespace 'app'.
My gateway is deployed in namespace 'app'.
My policies are installed in namespace 'istio-system' to deal with JWT correctly...
The Kiali error is on > hosts: ["authenticator.app.io"]
This rule rejects all requests with a token to "login":
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: gateway-deny-token-login
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        requestPrincipals: ["auth@app.io/*"]
    to:
    - operation:
        hosts: ["authenticator.app.io"]
        paths: ["/auth/login"]
According to https://kiali.io/docs/features/validations/: "The present validation points out those rules referencing a host that doesn't exist in the authorization policy namespace. Kiali considers services and service entries. Those hosts that refer to hosts outside of the object namespace will be presented with an unknown error."
But "ingressgateway" and the JWT rules are in namespace "istio-system" and my services are in my namespace.
How do I make Kiali happy?
Thanks for your help
I found a solution... I don't know if it's "the" solution, but it works.
1 - I have configured the 'ingress' with hosts: ["*"] for HTTP and HTTPS redirection (Gateway).
2 - I did not touch the configuration of "jwtRules" (RequestAuthentication).
3 - I grouped all my "VirtualService" resources into one and exposed the APIs of my different "hosts" with "HTTPRoute".
4 - I have rewritten the "AuthorizationPolicy" to match the new API mapping.
Note: Don't forget to delete the old "VirtualService" resources.
After that everything works as before, but I no longer need to specify "host" in the request header, and above all, I no longer get Kiali errors!
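The four steps above, written out as manifests. This is an added example, not the poster's own configuration: the Gateway takes hosts ["*"] and redirects HTTP to HTTPS, a single VirtualService maps URL prefixes to services in namespace "app", and the AuthorizationPolicy from the question keeps its DENY rule for "/auth/login" but drops the "hosts" field (the part Kiali flagged), so the deny is applied by path on the ingress gateway regardless of the Host header. The service names (authenticator, api), ports, the TLS secret name and the gateway name are assumptions; the RequestAuthentication is left unchanged as in step 2.

```yaml
# Added example (not the original poster's manifests). Service names, ports,
# the TLS credential and the gateway name are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
  namespace: app
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts: ["*"]
    tls:
      httpsRedirect: true          # step 1: plain HTTP is redirected to HTTPS
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts: ["*"]
    tls:
      mode: SIMPLE
      credentialName: app-tls-cert # assumed secret holding the server certificate
---
# step 3: one VirtualService for all routes, selecting backends by URL prefix
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app-routes
  namespace: app
spec:
  hosts: ["*"]
  gateways:
  - app-gateway
  http:
  - match:
    - uri:
        prefix: /auth
    route:
    - destination:
        host: authenticator.app.svc.cluster.local   # assumed service name
        port:
          number: 8080
  - match:
    - uri:
        prefix: /api
    route:
    - destination:
        host: api.app.svc.cluster.local             # assumed service name
        port:
          number: 8080
---
# step 4: the deny rule rewritten against the new path mapping; the "hosts"
# field that pointed at a name outside istio-system is gone, so the rule
# only references paths and the JWT principal.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: gateway-deny-token-login
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        requestPrincipals: ["auth@app.io/*"]   # any subject issued by auth@app.io
    to:
    - operation:
        paths: ["/auth/login"]                  # login with a token is still rejected
```

Because the VirtualService now owns the full path-to-service mapping, a new backend is exposed by adding a match block there, and any path-based DENY or ALLOW rule on the gateway keeps working without naming a host; a quick check after applying is to confirm that a request to /auth/login with a valid token still returns 403 while the same request without a token reaches the authenticator.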