Reputation: 1309
I have an application running on K8s/istio in foo namespace. I don't have any Authorization Policy and everything works as expected. Now I want to ALLOW access to a specific path only from within bar namespace. So I created an AuthorizationPolicy as follows:
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: deny-specific-path
      namespace: foo
    spec:
      selector:
        matchLabels:
          app: myapp
      action: DENY
      rules:
      - to:
        - operation:
            paths: ["/specific/path/*"]
      - from:
        - source:
            notNamespaces: ["bar"]
My understanding is the above AP should only allow access to /specific/path/* path from bar namespace. Any other path access should not get affected and work as before. But this causes other paths in my application to be denied including accessing home page /home of the app. What is wrong here? Appreciate any help.
Upvotes: 0
Views: 1022
Reputation: 413
My understanding is the above AP should only allow access to /specific/path/* path from bar namespace.
This is not correct, because of the list of elements in your rules section. You have two rules here.
    rules:
    - to:
      - operation:
          paths: ["/specific/path/*"]
    - from:
      - source:
          notNamespaces: ["bar"]
The first rule applies to requests targeting /specific/path/* and the second rule applies to requests coming from anywhere except the bar namespace.
Each element in a list or rules is OR'd together. It sounds like you want to AND these two rules together, so try removing the - from the second one (making it into one rule with a from and to clause).
Upvotes: 2
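The OR/AND behaviour described in the answer, as an added example that is not part of the original posts: a simplified Python model of how a DENY policy's rules are matched, run against the policy as posted and against the single-rule form. It assumes the source namespace is known for every request (mutual TLS enabled); the baz namespace and the request list are constructed for illustration.

```python
# Simplified model of Istio AuthorizationPolicy rule matching (added example).
# Assumption: the source namespace is known for every request (mutual TLS on).

def match_str(pattern, value):
    """Istio string match: exact, prefix ("abc*"), suffix ("*abc"), presence ("*")."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def source_matches(source, ns):
    ok = True
    if "namespaces" in source:
        ok = ok and any(match_str(p, ns) for p in source["namespaces"])
    if "notNamespaces" in source:
        ok = ok and not any(match_str(p, ns) for p in source["notNamespaces"])
    return ok

def operation_matches(op, path):
    return "paths" not in op or any(match_str(p, path) for p in op["paths"])

def rule_matches(rule, ns, path):
    # Within ONE rule, `from` and `to` are ANDed; an absent clause matches anything.
    from_ok = "from" not in rule or any(source_matches(f["source"], ns) for f in rule["from"])
    to_ok = "to" not in rule or any(operation_matches(t["operation"], path) for t in rule["to"])
    return from_ok and to_ok

def denied(rules, ns, path):
    # A DENY policy rejects the request if ANY rule in the list matches (OR).
    return any(rule_matches(r, ns, path) for r in rules)

TO = [{"operation": {"paths": ["/specific/path/*"]}}]
FROM = [{"source": {"notNamespaces": ["bar"]}}]
TWO_RULES = [{"to": TO}, {"from": FROM}]   # policy as posted in the question
ONE_RULE = [{"to": TO, "from": FROM}]      # after removing the second "-"

# Constructed sample requests: (source namespace, path)
REQUESTS = [("bar", "/specific/path/x"), ("baz", "/specific/path/x"),
            ("baz", "/home"), ("bar", "/home")]

def table(rules):
    return {req: denied(rules, *req) for req in REQUESTS}

if __name__ == "__main__":
    for name, rules in (("two rules", TWO_RULES), ("one rule", ONE_RULE)):
        for (ns, path), d in table(rules).items():
            print(f"{name:9} ns={ns:3} {path:18} -> {'DENY' if d else 'allow'}")
```

With two rules, /home from baz is denied and /specific/path/* is denied even from bar; with one rule, only /specific/path/* from outside bar is denied.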