Creating a "deny all" AuthorizationPolicy in the namespace where Service Mesh is deployed breaks Service Mesh federation

Solution In Progress - Updated -

Issue

  • When a "deny all" AuthorizationPolicy is created in the namespace where the ServiceMeshControlPlane is deployed, federation breaks and traffic is no longer working.
❯ oc logs -n <service-mesh-namespace> -l app=istiod
 [...]
2023-05-04T07:29:30.081642Z     info    federation      starting watch  component=federation-registry
2023-05-04T07:29:30.095114Z     error   federation      watch failed: status code is not OK: 403 (403 Forbidden)        component=federation-registry
2023-05-04T07:30:24.353678Z     info    federation      starting watch  component=federation-registry
2023-05-04T07:30:24.366988Z     error   federation      watch failed: status code is not OK: 403 (403 Forbidden)        component=federation-registry

❯ oc get -n <service-mesh-namespace> servicemeshpeer <smpeer-name>
 [...]
status:
  discoveryStatus:
    inactive:
    - pod: istiod-red-mesh-d48d6df89-2gjn9
      watch:
        connected: false
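The check below is an added example and is not part of this article. It reads the JSON form of the objects shown above (`oc get authorizationpolicy -n <service-mesh-namespace> -o json` and `oc get servicemeshpeer -n <service-mesh-namespace> <smpeer-name> -o json`) and flags the combination of a namespace-wide "deny all" AuthorizationPolicy and a ServiceMeshPeer whose federation watch is not connected. The deny-all test follows Istio's AuthorizationPolicy semantics; the sample documents inside the script are constructed.

```python
"""Flag the condition from this article: a namespace-wide "deny all"
AuthorizationPolicy in the control-plane namespace next to a ServiceMeshPeer
whose federation watch is not connected. Sample documents are constructed."""
import json
import sys

def is_deny_all(policy: dict) -> bool:
    """Istio semantics: an ALLOW policy with no rules matches no request, so it
    denies everything; a DENY policy containing an empty rule matches every
    request. A policy with a workload selector is not namespace-wide."""
    spec = policy.get("spec") or {}
    if spec.get("selector"):
        return False
    action = spec.get("action", "ALLOW")
    rules = spec.get("rules") or []
    if action == "ALLOW" and not rules:
        return True
    return action == "DENY" and any(rule == {} for rule in rules)

def deny_all_policies(policy_list: dict) -> list:
    """Names of namespace-wide deny-all policies in an AuthorizationPolicyList."""
    return [p["metadata"]["name"] for p in policy_list.get("items", []) if is_deny_all(p)]

def disconnected_peer_pods(peer: dict) -> list:
    """istiod pods under status.discoveryStatus.inactive with watch.connected false."""
    status = (peer.get("status") or {}).get("discoveryStatus") or {}
    return [e["pod"] for e in status.get("inactive") or []
            if not (e.get("watch") or {}).get("connected", False)]

def diagnose(policy_list: dict, peer: dict) -> dict:
    """Both findings together match the failure mode described in the article."""
    policies = deny_all_policies(policy_list)
    pods = disconnected_peer_pods(peer)
    return {"deny_all_policies": policies, "disconnected_pods": pods,
            "likely_cause": bool(policies and pods)}

# Constructed sample input mirroring the symptoms shown in the article.
SAMPLE_POLICIES = {"items": [
    {"metadata": {"name": "deny-all"}, "spec": {}},
    {"metadata": {"name": "allow-frontend"},
     "spec": {"selector": {"matchLabels": {"app": "frontend"}}, "rules": [{}]}}]}
SAMPLE_PEER = {"status": {"discoveryStatus": {"inactive": [
    {"pod": "istiod-red-mesh-d48d6df89-2gjn9", "watch": {"connected": False}}]}}}

if __name__ == "__main__":  # usage: check.py policies.json peer.json (else built-in sample)
    docs = ([json.load(open(p)) for p in sys.argv[1:]] if len(sys.argv) == 3
            else [SAMPLE_POLICIES, SAMPLE_PEER])
    print(json.dumps(diagnose(*docs), indent=2))
```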

Environment

  • Red Hat OpenShift Container Platform
    • 4.9 and later
  • Red Hat OpenShift Service Mesh
    • 2.1 and later
