Skip to content
This repository has been archived by the owner on Mar 27, 2023. It is now read-only.

RFE: Report conflicting Auth Policies #11

Open
andrewjjenkins opened this issue Jul 11, 2018 · 0 comments
Open

RFE: Report conflicting Auth Policies #11

andrewjjenkins opened this issue Jul 11, 2018 · 0 comments
Labels
enhancement

Comments

@andrewjjenkins
Copy link
Contributor

I can write AuthPolicies that conflict. For instance, the first policy turns mTLS on and the second turns it off:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "example-1"
  namespace: "bar"
spec:
  targets:
  - name: httpbin
    ports:
    - number: 8001
  peers:
  - mtls: {}
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "example-2"
  namespace: "bar"
spec:
  targets:
  - name: httpbin
    ports:
    - number: 8001
  peers:

In this case, behavior by pilot appears to be non-deterministic (for 0.8.0 at least, I would observe different behavior each time I applied these policies). In any case, it's hard to decide what to do and the user probably didn't mean to configure this way. We should warn them.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andrewjjenkins