Hey everyone! I've been troubleshooting a frustrating problem for hours: my AuthorizationPolicy isn't applying as intended. I'm running a k3s cluster at home (not on a cloud service) and using Istio in Ambient Mode alongside Authentik for single sign-on (SSO). For example, with my BentoPDF app, I want users to log in through Authentik before accessing it. I'm using Kubernetes' Gateway API version 1.5. I've set up several configurations to achieve this, including Helm releases and gateway definitions, but I can confirm that while BentoPDF is accessible, there's no authentication screen appearing. The AuthorizationPolicy is accepted but seems not to trigger. I'm at a loss for what to check next and would really appreciate any help or insights into where I might be going wrong!
3 Answers
It sounds like you're experiencing one of those classic 'everything looks perfect, but nothing works' situations with Istio. If the Waypoint is showing zero logs, it’s likely that traffic isn’t reaching it, which means your authorization isn’t triggering at all. Ambient mode can have its quirks. I’d suggest setting up a very basic configuration without the waypoint just to confirm that the authentication works, then progressively add complexity back into your setup.
I couldn't find any documentation on this specific issue, but have you tried modifying your setup by adding a label like `istio.io/waypoint-for: all`? It's possible that your Gateway might be resolving pod IPs directly instead of the Service IP, which could be why the authorization isn't being applied. Using tcpdump on the node to check the IP traffic might also help, along with looking into the Envoy configuration for your Gateway.
I haven’t worked with cross-namespace waypoints, so I can’t offer too much help there. However, I’ve seen situations where waypoints are bypassed if neither the namespace nor the service has the label `istio.io/ingress-use-waypoint: true`. So it might be worth trying to see if that changes anything.
Related Questions
How To Get Your Domain Unblocked From Facebook
How To Find A String In a Directory of Files Using Linux