I'm currently using Istio Ambient Mesh and need a secure setup for a specific namespace I've named 'ai-namespace'. My goal is to ensure that the applications within this namespace can only make requests to the ChatGPT API (api.openai.com) while blocking access to any other external URLs or systems. I want to achieve this without changing the global outbound traffic policy to REGISTRY_ONLY, as I don't want to disrupt egress for other namespaces in the cluster. Can someone share the best approach to effectively isolate this namespace using Waypoint proxies and AuthorizationPolicies, without relying on sidecars?
1 Answer
You can use NetworkPolicies to restrict the outbound traffic from your ai-namespace. However, be aware that NetworkPolicies operate at layer 3/4, meaning they won't give you full control over layer 7 protocols, which is what you need for API-level restrictions.

Exactly! For layer 7 controls, you're going to need AuthorizationPolicies in addition to NetworkPolicies to effectively manage access to the ChatGPT API. Just make sure your policies are set up correctly to allow traffic only to that endpoint.
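A concrete shape for the Istio side of this, as an added example that is not from the question or the answers above: it assumes a waypoint named `waypoint` is already deployed in `ai-namespace`, that the applications speak HTTPS to api.openai.com themselves (so the waypoint sees only the SNI), and that the installed Istio release supports binding a ServiceEntry to a waypoint via the `istio.io/use-waypoint` label.

```yaml
# Added example (not from the thread): send api.openai.com through the
# ai-namespace waypoint and allow nothing else to pass that waypoint.
# Assumption: a waypoint named "waypoint" already exists in ai-namespace.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: openai-api
  namespace: ai-namespace
  labels:
    # Assumption: this label binds the external service to the waypoint
    istio.io/use-waypoint: waypoint
spec:
  hosts:
  - api.openai.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: https
    protocol: TLS
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: egress-openai-only
  namespace: ai-namespace
spec:
  # Attach to the waypoint. Once an ALLOW policy applies to a target,
  # any request that matches none of its rules is denied.
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  # The app originates TLS itself, so the only L7-ish attribute the
  # waypoint can check is the SNI in the ClientHello.
  - when:
    - key: connection.sni
      values:
      - api.openai.com
```

This policy governs only traffic that actually reaches the waypoint; a connection to an external host with no ServiceEntry never goes through it, which is the gap the NetworkPolicy in the answer is there to close.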