How To Utilize Network Policy with Ambient? #51586
👋🏾 Hi there! I am trying to move workloads to ambient in a zero-trust cluster, but for the life of me I can't figure out what Network Policy should look like for this -- with the previous sidecar model network policy just worked, and I think that's supposed to be the case here. ztunnel does seem to be picking up traffic:
These requests are initiated from a browser, so it also seems like the network policy from the ingress gateway (defined using the K8s Gateway API) is working out okay. It's probably worth noting that I saw there was some testing done (#49301), but couldn't find any documentation on how or what was done. If I could get some help here, I'd be more than happy to document this for the Istio docs for future users. Thanks!
Replies: 1 comment 1 reply
So "connection closed due to policy rejection" is from an AuthorizationPolicy denying things, not a network policy. There are two connections here, one to the API server. This lasted 3s and exchanged a lot of data, but the client (kiali) disconnected before all the data was read. This doesn't seem like a policy error, just kiali not fully reading the body. The second connection seems unrelated to the first, but is denied by an authz policy. Neither of these seem to be NetworkPolicy issues. Happy to help iterate on this more quickly on Slack if you are on it btw, in #ambient or DM.
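To make the distinction in the reply above concrete, here is an added example (not from this thread and not Istio project code) of the two resources side by side: an Istio AuthorizationPolicy, which ztunnel enforces and which is what produces the "connection closed due to policy rejection" log, and a Kubernetes NetworkPolicy, which the CNI enforces outside ztunnel and which therefore never shows up in ztunnel logs as a policy rejection (a dropped connection just hangs or times out on the client side). The namespace `apps`, the workload label `app: web`, the application port 8080, the gateway namespace `istio-ingress` and its service account `ingress-gateway` are all assumed placeholders. Port 15008 is the HBONE tunnel port ztunnel uses for in-mesh traffic, so a NetworkPolicy that restricts ingress by port has to allow it or ambient traffic to that workload is dropped before ztunnel ever sees it.

```yaml
# Added example for this discussion; not part of the original thread or of Istio itself.
# Assumed names: namespace "apps", workload label app=web on port 8080,
# ingress gateway in namespace "istio-ingress" running as service account "ingress-gateway".

# 1) AuthorizationPolicy: evaluated by ztunnel (L4) for workloads in ambient mode.
#    A connection this policy rejects is logged by ztunnel as
#    "connection closed due to policy rejection".
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: web-allow-from-gateway
  namespace: apps
spec:
  selector:
    matchLabels:
      app: web
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE-style principal of the assumed ingress gateway service account
        principals:
        - cluster.local/ns/istio-ingress/sa/ingress-gateway
---
# 2) NetworkPolicy: enforced by the CNI, not by ztunnel, so a drop here produces
#    no ztunnel "policy rejection" log; the client simply times out.
#    In ambient mode, in-mesh traffic to this pod arrives tunneled over HBONE on
#    TCP 15008, so that port must be allowed alongside the application port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-ingress
  namespace: apps
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # kubernetes.io/metadata.name is set automatically on every namespace
          kubernetes.io/metadata.name: istio-ingress
    ports:
    - port: 15008   # HBONE tunnel port used by ztunnel for mesh traffic
      protocol: TCP
    - port: 8080    # assumed application port, for any traffic ztunnel does not capture
      protocol: TCP
```

When a request fails, the quickest check is which layer complains: a rejection logged by ztunnel points at an AuthorizationPolicy (confirm with `kubectl get authorizationpolicy -A`), while a silent hang with nothing in the ztunnel logs points at a NetworkPolicy or the CNI, in which case verifying that 15008 is allowed is the first thing to look at.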
For future readers, on slack we found: