From 31e6864a2aac185eca7f35a1a761f99b32fde605 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Fri, 15 May 2026 22:53:56 -0400
Subject: [PATCH] fix(irc): switch AuthorizationPolicies to selector-based for ztunnel L4 enforcement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

targetRefs: kind: Service policies require waypoint binding which is not working in Istio 1.29.2 — WaypointAccepted: False and ztunnel routes directly to pods bypassing the waypoint. Selector-based policies are enforced at ztunnel L4 without requiring waypoint.
---
 thelounge/authorizationpolicy.yaml | 7 +++----
 znc/authorizationpolicy.yaml | 11 +++++++----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/thelounge/authorizationpolicy.yaml b/thelounge/authorizationpolicy.yaml
index c442f94..ffefe90 100644
--- a/thelounge/authorizationpolicy.yaml
+++ b/thelounge/authorizationpolicy.yaml
@@ -4,10 +4,9 @@ metadata:
 name: thelounge
 namespace: irc
 spec:
- targetRefs:
- - group: ""
- kind: Service
- name: thelounge
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: thelounge
 action: ALLOW
 rules:
 - from:
diff --git a/znc/authorizationpolicy.yaml b/znc/authorizationpolicy.yaml
index c4a4e61..4658032 100644
--- a/znc/authorizationpolicy.yaml
+++ b/znc/authorizationpolicy.yaml
@@ -4,12 +4,15 @@ metadata:
 name: znc
 namespace: irc
 spec:
- targetRefs:
- - group: ""
- kind: Service
- name: znc
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: znc
 action: ALLOW
 rules:
+ - from:
+ - source:
+ namespaces:
+ - irc
 - to:
 - operation:
 ports:
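Review bot: The new `selector.matchLabels` under `spec` in thelounge/authorizationpolicy.yaml only protects the workload if its pods really carry `app.kubernetes.io/name: thelounge`, and the pod template that sets that label is not part of this patch. A selector that matches no pod is accepted without error and leaves the workload with no ALLOW policy attached, which Istio treats as allow-all unless some namespace-wide policy also applies, so a label mismatch fails open rather than closed. I would add a comment above the selector, for example `# must equal the pod template label; the policy is a no-op if no pod matches`, and confirm the match with `kubectl get pods -n irc -l app.kubernetes.io/name=thelounge` before relying on it. The `rules` list continues past the end of the hunk, so it is also worth checking there that only L4 fields (namespaces, principals, IP blocks, ports) are used, since ztunnel cannot evaluate L7 attributes.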
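Review bot: The added `- from:` entry under `rules` in znc/authorizationpolicy.yaml is a separate list item from the existing `- to:` entry, and Istio ORs the items of `rules`, so this ALLOW policy now admits any source in namespace `irc` on every port of the znc pods in addition to any source on the listed ports. The commit message describes only the targetRefs-to-selector switch, so this widening looks unintended or at least undocumented. If the intent is to limit the listed ports to callers from `irc`, both clauses belong in one rule: change `- to:` to `to:` at the same indentation as `from:` so the source and operation conditions are ANDed. If both paths are meant to be open, say so with a comment such as `# rule 1: anything from irc; rule 2: listed ports from any source`. The port values themselves lie outside the hunk, and the namespace match presumably relies on mesh mTLS identity, so non-mesh clients would only ever match the port rule.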