Istio service entry, along with an authorization policy, is causing 403 errors
Implemented an Istio service entry for our internal service, along with an authorization policy as below. We also have a default sidecar to restrict traffic between namespaces.
ServiceEntry:

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata: ........
    spec:
      exportTo:
      - .
      hosts:
      - xxxxxxx.xxxxxx.svc.cluster.local
      location: MESH_INTERNAL
      ports:
      - name: http-xxxx
        number: 8080
        protocol: HTTP
      - name: http-yyyy
        number: 8081
        protocol: HTTP
      resolution: NONE

AuthorizationPolicy:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata: .......
    spec:
      action: ALLOW
      rules:
      - from:
        - source:
            principals:
            - cluster.local/ns/xxxxxxx/sa/xxxxxxx
      - from:
        - source:
            namespaces:
            - yyyyyyyy
        to:
        - operation:
            methods:
            - GET
            paths:
            - /test
      - to:
        - operation:
            ports:
            - '8090'
      selector:
        matchLabels:
          app: zzzzzzzz

However, after upgrading Istio to version 1.20, we've noticed the emergence of 403 errors. Interestingly, when we remove all the rules from the authorization policy, the 403 errors disappear. Any insights on what might be causing this and how to address it would be greatly appreciated.
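An added example, not part of the original post and not Istio's own code: a simplified Python model of how an ALLOW policy is evaluated (fields within a rule are ANDed, rules are ORed, and a request matching no rule is rejected), loaded with the three rules posted above. The request attribute names and the sample requests are constructed for illustration.

```python
# Added example: simplified model of Istio ALLOW-policy matching, not Istio source.
# RULES mirrors the posted policy, with its placeholders kept as posted.
RULES = [
    {"from": [{"principals": ["cluster.local/ns/xxxxxxx/sa/xxxxxxx"]}]},
    {"from": [{"namespaces": ["yyyyyyyy"]}],
     "to": [{"methods": ["GET"], "paths": ["/test"]}]},
    {"to": [{"ports": ["8090"]}]},
]
# Policy field -> request attribute (attribute names are assumptions of this sketch).
ATTR = {"principals": "principal", "namespaces": "namespace",
        "methods": "method", "paths": "path", "ports": "port"}

def value_matches(pattern, value):
    """Exact, prefix ('abc*'), suffix ('*abc') or presence ('*') match."""
    if not value:
        return False  # attribute absent, e.g. no peer identity without mTLS
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def clause_matches(clause, req):
    """Every field of one source/operation must match; values in a field are ORed."""
    return all(any(value_matches(p, str(req.get(ATTR[f]) or "")) for p in pats)
               for f, pats in clause.items())

def rule_matches(rule, req):
    """A rule needs one matching 'from' entry and one matching 'to' entry, when present."""
    return all(any(clause_matches(c, req) for c in rule[k])
               for k in ("from", "to") if k in rule)

def decide(req):
    """Once an ALLOW policy selects the workload, a request matching no rule gets 403."""
    return 200 if any(rule_matches(r, req) for r in RULES) else 403

# Constructed requests, as the selected workload's sidecar would see them.
SAMPLES = {
    "listed principal, 8080": dict(principal="cluster.local/ns/xxxxxxx/sa/xxxxxxx",
                                   namespace="xxxxxxx", method="POST", path="/any", port=8080),
    "ns yyyyyyyy GET /test": dict(namespace="yyyyyyyy", method="GET", path="/test", port=8080),
    "ns yyyyyyyy POST /test": dict(namespace="yyyyyyyy", method="POST", path="/test", port=8080),
    "no mTLS identity, 8081": dict(method="GET", path="/test", port=8081),
    "no mTLS identity, 8090": dict(method="GET", path="/x", port=8090),
}
if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:24} -> {decide(req)}")
```

In this model the `from` rules only match when the sidecar sees a peer identity, and the only rule without a source condition is the one for port 8090, which is not among the ports declared in the ServiceEntry.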