AKS Service Mesh-Istio returning unknown gvk: security.istio.io/v1, Kind=AuthorizationPolicy

David Glantz 15 Reputation points
2024-06-18T15:05:56.9466667+00:00

Three months ago I successfully created a AuthorizatioPolicy in the preview version (1.18) of the Istio Service Mesh into our AKS cluster. Yesterday, I made an attempt to modify the policy and received the following error:

Error from server: error when creating "jwtauth.yml": admission webhook "azure-service-mesh-ccp-validating-webhook.azmk8s.io" denied the request: unknown gvk: security.istio.io/v1, Kind=AuthorizationPolicy

I am unable to modify or delete the existing AuthorizationPolicy. I also can't add a new one.

Since the preview version is no longer supported I upgraded to v1.20 and get the same result.

I then installed Istio 1.21 in another AKS instance/subscription to confirm there wasn't something corrupted in the original instance and I get the same error.

Is anyone else experiencing this issue?

The definition of the policy I was attempting to delete/modify is below:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payment
spec:
  selector:
    matchLabels:
      app: payment
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - /swagger*
        - /v3/api-docs*
        - /v1/payments
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,145 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Anirban Singha Roy 5 Reputation points
    2024-06-24T06:05:38.66+00:00

    Hi, We were facing this issue as well. We downgraded to "v1beta1" for the time being as a workaround. I have asked support why this issue just started happening all of a sudden. We were using "v1" version for quiet some time.

    1 person found this answer helpful.
    0 comments No comments

  2. Niranjan Shankar 5 Reputation points Microsoft Employee
    2024-06-24T21:44:06.9033333+00:00

    Hi - engineer from the PG here. This was due to an error on our end related to validations we add for Authorization Policy for the v1 API. The fix is in and will go out in the next upcoming AKS release after 2024-06-09 finished rolling out globally. The fix for the time being is to use the v1beta1 API until our fix rolls out. Apologies for any inconvenience.

    In the future, we encourage users to file issues in the AKS GitHub repo with the "mesh" label for faster responses: https://github.com/Azure/aks.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.