There is a problem with setting Authorization for workloads in waypoint managed. #1394

Open
LiZhenCheng9527 opened this issue May 12, 2025 · 2 comments · May be fixed by #1402
Labels
area/dual-engine kind/bug Something isn't working

Comments

@LiZhenCheng9527
Contributor

What happened:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-by-srcip
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks:
        - 10.244.1.46/32

When httpbin is managed by a waypoint, even access from 10.244.1.46 to httpbin is denied.

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

  • Kmesh version:
  • Kmesh mode (Kmesh has Kernel-Native Mode and Dual-Engine Mode):
  • Istio version:
  • Kernel version:
  • Others:
@LiZhenCheng9527 LiZhenCheng9527 added the kind/bug Something isn't working label May 12, 2025
@LiZhenCheng9527
Contributor Author

This is because when src accesses dst and dst is managed by a waypoint, the access link for HTTP access is src->waypoint->dst.
The src addr obtained by dst becomes the waypoint's addr, because the waypoint's addr replaces the src's addr. As a result, the link fails to pass the Authorization Policy and fails to be established.
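
The failure described in the comment above, modeled as an added example (not part of the original issue and not Kmesh or Istio code): an ALLOW rule with only `ipBlocks` is evaluated against the address dst observes. The waypoint address `10.244.2.10`, the client `10.244.3.7` and the function names are constructed assumptions; the third case shows that listing the waypoint address in `ipBlocks` would admit every client behind it.

```python
import ipaddress

ALLOW_IP_BLOCKS = ["10.244.1.46/32"]   # ipBlocks from the policy in this issue
SRC_IP = "10.244.1.46"                 # the client the policy is meant to allow
WAYPOINT_IP = "10.244.2.10"            # constructed: hypothetical waypoint address
OTHER_IP = "10.244.3.7"                # constructed: a client the policy never lists

def allowed(peer_ip, ip_blocks):
    """ALLOW rule with only ipBlocks: permit if the peer is inside any block."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(b, strict=False) for b in ip_blocks)

def diagnose(src_ip, ip_blocks, waypoint_ip=None):
    """Compare the verdict on the address dst observes with the verdict the
    policy author intended (the one for the original src)."""
    # On src->waypoint->dst, dst sees the waypoint's address as the source.
    seen = waypoint_ip if waypoint_ip else src_ip
    verdict, intended = allowed(seen, ip_blocks), allowed(src_ip, ip_blocks)
    if verdict == intended:
        reason = "consistent"
    elif intended:
        reason = "denied: waypoint address replaced an allowed src"
    else:
        reason = "allowed: waypoint address is listed, src is not"
    return {"seen": seen, "verdict": verdict, "reason": reason}

if __name__ == "__main__":
    cases = [
        ("direct", SRC_IP, ALLOW_IP_BLOCKS, None),
        ("via waypoint", SRC_IP, ALLOW_IP_BLOCKS, WAYPOINT_IP),
        # Listing the waypoint in ipBlocks admits every client behind it.
        ("waypoint listed", OTHER_IP, ALLOW_IP_BLOCKS + [WAYPOINT_IP + "/32"], WAYPOINT_IP),
    ]
    for name, src, blocks, wp in cases:
        print(name, diagnose(src, blocks, wp))
```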

@LiZhenCheng9527
Contributor Author

/assign