Reputation: 85
I applied the following AuthorizationPolicy to our mailhog Kubernetes service, which publishes an HTTP port on 80 and SMTP on 25, to restrict access to its HTTP service to authorized users only.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  labels:
    argocd.argoproj.io/instance: ephemeral-devops
  name: oauth-mailhog-jwt
  namespace: devops
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        ports:
        - "25"
  - to:
    - operation:
        paths:
        - /*
    when:
    - key: request.auth.claims[groups]
      values:
      - devops
      - devs
  selector:
    matchLabels:
      app: mailhog
For HTTP connections it's working like it should, but it's blocking port 25 too. When this is applied, connections to the SMTP port from internal cluster applications are rejected:
# telnet mailhog-service 25
Trying 10.73.115.185...
Connected to mailhog-service.
Escape character is '^]'.
HELO
Connection closed by foreign host.
Without this policy everything is working. How can I exclude the SMTP port from this policy?
Upvotes: 0
Views: 104
Reputation: 85
The problem here was the port. We don't use Service ports in AuthorizationPolicies but Pod ports, as they are bound to the Pod, not to the Service. So it should be configured like this:
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  labels:
    argocd.argoproj.io/instance: ephemeral-devops
  name: oauth-mailhog-jwt
  namespace: devops
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        ports:
        - "25"  # this should be the SMTP port exposed by the Pod, not the Service port
  - to:
    - operation:
        paths:
        - /*
    when:
    - key: request.auth.claims[groups]
      values:
      - devops
      - devs
  selector:
    matchLabels:
      app: mailhog
Upvotes: 0
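As an added example that is not part of either post, here is a small Python check for the mistake the answer describes: it flags `to.operation.ports` entries in an Istio AuthorizationPolicy that are Service ports rather than Pod ports (the sidecar only ever sees the Pod port, so such a rule never matches) and rewrites them. The Service manifest, including the 8025/1025 container ports, is constructed for illustration; the original post does not give the Pod ports.

```python
import copy

# Constructed Service for the mailhog Pod: cluster port 80 -> container 8025,
# cluster port 25 -> container 1025. Assumed values, not from the original post.
SERVICE = {
    "kind": "Service",
    "spec": {
        "selector": {"app": "mailhog"},
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8025},
            {"name": "smtp", "port": 25, "targetPort": 1025},
        ],
    },
}

# The policy from the question, reduced to the fields inspected here.
POLICY = {
    "kind": "AuthorizationPolicy",
    "spec": {
        "action": "ALLOW",
        "selector": {"matchLabels": {"app": "mailhog"}},
        "rules": [
            {"to": [{"operation": {"ports": ["25"]}}]},
            {"to": [{"operation": {"paths": ["/*"]}}],
             "when": [{"key": "request.auth.claims[groups]",
                       "values": ["devops", "devs"]}]},
        ],
    },
}


def policy_ports(policy):
    """Collect every port string in spec.rules[].to[].operation.ports."""
    ports = set()
    for rule in policy["spec"].get("rules", []):
        for to in rule.get("to", []):
            ports.update(to.get("operation", {}).get("ports", []))
    return ports


def service_port_map(service):
    """Map Service port -> Pod (targetPort) port, both as strings.
    Assumes numeric targetPorts; a named targetPort would need the Pod spec."""
    return {str(p["port"]): str(p.get("targetPort", p["port"]))
            for p in service["spec"]["ports"]}


def check_ports(policy, service):
    """Return {policy_port: pod_port} for ports that exist only as Service
    ports: the sidecar never sees them, so the rule cannot match traffic."""
    svc_to_pod = service_port_map(service)
    pod_ports = set(svc_to_pod.values())
    return {port: svc_to_pod[port] for port in policy_ports(policy)
            if port in svc_to_pod and port not in pod_ports}


def rewrite_ports(policy, service):
    """Return a copy of the policy with Service ports replaced by Pod ports."""
    fixes, fixed = check_ports(policy, service), copy.deepcopy(policy)
    for rule in fixed["spec"].get("rules", []):
        for to in rule.get("to", []):
            op = to.get("operation", {})
            op["ports"] = [fixes.get(p, p) for p in op.get("ports", [])]
    return fixed
```

Run it against a real Service with `kubectl get svc mailhog-service -o json` parsed into the same shape to confirm which port the sidecar actually sees.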