Introduction Service mesh authorization policies that are too restrictive block legitimate traffic between services, causing 403 Forbidden errors and breaking application functionality.

Symptoms - HTTP 403 returned by the sidecar proxy, with the response body RBAC: access denied (that text comes from the proxy's RBAC filter, not from the application) - Denied requests in the proxy access log carry rbac_access_denied_matched_policy[...] in the response details field - Traffic working between some services but not others - Authorization policy not matching the expected principals - Policy changes not taking effect immediately

Common Causes - Authorization policy too restrictive: once any ALLOW policy selects a workload, every request that matches none of its rules is denied, so an ALLOW policy that lists only some callers locks out the rest - Principal identity not matching the caller's actual service account or trust domain - Namespace mismatch in the policy (the principal must name the caller's namespace, while the policy itself lives in the target's namespace) - Policy not applied to the correct workload (selector labels do not match the pod, or a policy with no selector is applying to the whole namespace) - mTLS identity not matching the policy principal, including callers still on plaintext, which present no principal at all

Step-by-Step Fix

1. **Check authorization policies**. List every policy in the namespace and read the selector, action and rules of each one that selects the failing workload. A policy with no selector applies to every workload in its namespace, and a policy in the root namespace (istio-system by default) applies mesh-wide, so look beyond the target's own namespace:
```bash
kubectl get authorizationpolicy -n <namespace>
kubectl describe authorizationpolicy <name> -n <namespace>
```

2. **Check if traffic is being denied**. `istioctl analyze` is a static check: it reports selectors that match no workload and similar misconfiguration, but it does not see traffic. The runtime evidence is the sidecar's access log, where a denied request is a 403 whose response details read `rbac_access_denied_matched_policy[none]` (no ALLOW rule matched) or name the DENY policy and rule that matched:
```bash
istioctl analyze -n <namespace>
```

3. **Fix the authorization policy**. The policy below selects the `api` workload in `backend` and allows GET and POST on `/api/*` only from the workload identity `cluster.local/ns/frontend/sa/frontend-sa`. `principals` are taken from the client certificate, so the rule matches only over mTLS; a plaintext caller has an empty source principal and is denied. The trust domain (`cluster.local` here) must be the mesh's configured trustDomain, and the namespace and service account must be the caller's, not the target's:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: backend
spec:
  selector:
    matchLabels:
      app: api
  # ALLOW is the default action; stated here so the semantics are explicit
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/frontend/sa/frontend-sa"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
```
Once this ALLOW policy selects the workload, every request that matches none of its rules is denied, so add a `from`/`to` pair for each legitimate caller rather than only for the one that was reported.

Prevention - Start with an ALLOW policy that lists every known service dependency, and roll out new or tightened policies in dry-run mode (the istio.io/dry-run: "true" annotation on the AuthorizationPolicy) so denials are logged but not enforced until the rules are confirmed - Test authorization policies in staging with the real caller identities, since principals only match over mTLS - Use service mesh observability (proxy access logs and the 403 rate per workload) to detect denied traffic - Document service-to-service access requirements (caller namespace and service account, methods and paths) - Implement a policy review process