Expected Behavior
Trying to apply the OPA external authorizer as a separate pod using a CUSTOM authorization policy.
The activator request keeps timing out.
See link - https://istio.io/latest/blog/2021/better-external-authz/
Want to be able to authorize requests using OPA and a Rego policy defined in a bundle server running in an Azure storage account.
Actual Behavior
- deploy a Knative service, which runs fine.
- deploy OPA as a separate pod option
- inject Istio into the namespace using the label istio-injection=enabled
- inject OPA into the namespace via the namespace label opa-istio-injection=enabled
- the OPA pod starts and runs okay as a sidecar
Steps to Reproduce the Problem
1. deploy a Knative service, which runs fine.
2. apply the Envoy filter below using a target/label selector
3. wait for the pod to scale to zero; then the service is no longer reachable.
Steps to repro the issue
1. Create a namespace called opa-knative
2. Label the namespace as istio-injection=enabled
3. deploy the bundle configmap
4. deploy the Knative service application
5. deploy the OPA external auth
6. set the namespace label to opa-istio-injection=enabled
7. deploy and configure the Istio configmap to inject the OPA ext endpoint
8. expose the endpoint through a virtual service or ingress gateway
9. deploy the external auth with the following config (CUSTOM)
Authorization Policy
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbinary
  namespace: opa-knative
spec:
  selector:
    matchLabels:
      app: httpbinary
  action: CUSTOM
  provider:
    name: "opa.opa-knative"
  rules:
  - to:
    - operation:
        notPaths: ["/ip"]
```
Configmap
```yaml
apiVersion: v1
data:
  mesh: |-
    defaultConfig:
    extensionProviders:
    - name: "opa.opa-knative"
      envoyExtAuthzGrpc:
        service: "opa.opa-knative.svc.cluster.local"
        port: "9191"
```
Additional Info
The request endpoint is as follows:
http://10.111.1000.100/headers
Error
Activator timeout
Logs:
Activator log error
```
kubectl logs activator-dd544f9cc-rbqkf -n knative-serving | grep error
{"severity":"WARNING","timestamp":"2022-11-17T13:51:46.558659653Z","logger":"activator","caller":"net/revision_backends.go:342","message":"Failed probing pods","commit":"e82287d","knative.dev/controller":"activator","knative.dev/pod":"activator-dd544f9cc-rbqkf","knative.dev/key":"opa-knative/httpbinary-00001","curDests":{"ready":"10.244.4.128:8012","notReady":""},"error":"unexpected status code: want [200], got 403"}
```
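Added example, not from this issue or from Istio, OPA or Knative code: a small Python model of how a CUSTOM AuthorizationPolicy with `notPaths` hands every non-excluded request, including the activator's readiness probe of the queue-proxy on port 8012, to the ext_authz provider, so a default-deny OPA answer surfaces as the 403 in the log above. The probe path "/", the `K-Network-Probe` and `User-Agent` header values, and the stand-in OPA policy are assumptions.

```python
"""Constructed model of Istio CUSTOM action matching plus an ext_authz provider.

Reproduces why the Knative activator's probe of the queue-proxy gets a 403
when an OPA policy only allows ordinary user traffic.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


# Rule from the issue's AuthorizationPolicy: match every path except /ip.
POLICY_NOT_PATHS: List[str] = ["/ip"]


def rule_matches(req: Request, not_paths: List[str]) -> bool:
    """Istio `to.operation.notPaths`: the rule matches when the path is NOT listed."""
    return req.path not in not_paths


def custom_action(req: Request, not_paths: List[str],
                  provider: Callable[[Request], bool]) -> int:
    """action: CUSTOM. Matched requests go to the provider, whose answer decides;
    unmatched requests bypass the provider and are allowed through."""
    if not rule_matches(req, not_paths):
        return 200  # e.g. /ip never reaches OPA
    return 200 if provider(req) else 403


def opa_default_deny(req: Request) -> bool:
    """Stand-in for an OPA bundle with a single allow rule for user traffic to
    /headers (assumed policy; the issue's real bundle is not shown)."""
    return req.path == "/headers"


# Assumed shape of the activator probe: path "/" on the queue-proxy port 8012,
# tagged with Knative's probe header and user agent (constructed values).
ACTIVATOR_PROBE = Request("/", {"K-Network-Probe": "queue",
                               "User-Agent": "Knative-Activator-Probe"})


def probe_status() -> int:
    """Status the activator sees when its probe is evaluated by the policy chain."""
    return custom_action(ACTIVATOR_PROBE, POLICY_NOT_PATHS, opa_default_deny)


def pod_ready() -> bool:
    """The activator only routes to a pod whose probe returned 200 (log: want [200])."""
    return probe_status() == 200
```

Because the probe is denied, the activator never marks the revision's pod ready and user requests queue until they time out, which is the timeout reported above.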