How to debug authorization policy that's applied to pod/deployment even during no traffic

[rakateja]

Hi all,

We got issue that after we apply authorization policy to some of our services, the access is still not restricted and it's only happened in one of our cluster/namespace. For other, like emojivoto in GKE and our services in minikube cluster in local environment work fine.

Do we have some technique or tool to debug this issue? like to make sure whether authorization policy applied successfully or other technique or tool.

We have tried to use linkerd viz authz but no luck, the expected authorization policy still doesn't appear here.

Thank you.

[alpeb]

Besides linkerd authz and linkerd viz authz you can check more detailed stats by looking into the metrics exposed my the proxy on the destination side (inbound_http_authz_allow_total and inbound_http_authz_deny_total). You can access them through the CLI with linkerd diagnostics proxy-metrics. Finally you can also check that same proxy logs for real-time authz debugging.