Policy restrictions not working as expected

[m1nish1208]

I'm trying to apply service access restrictions in our environment. We have an Ocelot API gateway & few other .NET microservices. I want to restrict access such that ocelot will be accessible only via few microservices (say serviceA & serviceB).

Environment Details:
Kubernetes Version: v1.23.5
Cluster Environment: Azure
OS Version: Ubuntu 20.04
Linkerd Details:

Client version: stable-2.11.2
Server version: stable-2.11.2

I've defined following server object:

---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: ocelot
  namespace: default
  labels:
    app: ocelot-svc
    app.kubernetes.io/name: ocelot
    app.kubernetes.io/part-of: default
spec:
  podSelector:
    matchExpressions:
    - {key: app, operator: In, values: [ocelot-svc, ocelot]}
  port: http
  proxyProtocol: "HTTP/1"

ServerAuthorization Policy

---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: default
  name: ocelot
  labels:
    app.kubernetes.io/part-of: default
    app.kubernetes.io/name: ocelot
spec:
  server:
    name: ocelot
  client:
    meshTLS:
      serviceAccounts:
        - name: serviceA
        - name: serviceB

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: ocelot-svc
  namespace: default
spec:
  type: {{ .Values.service.type }}
#  clusterIP: None
  ports:
    - port: 5000
      targetPort: 5000
      protocol: TCP
      name: http
  selector:
    app: ocelot-svc

However when I check using linkerd viz authz -n default deploy/ocelot I get following output, what am I missing?

dev@node1:~$ linkerd viz authz -n default deploy/ocelot
SERVER  AUTHZ   SUCCESS  RPS  LATENCY_P50  LATENCY_P95  LATENCY_P99
ocelot  ocelot        -    -            -            -            -
dev@node1:~$

Container port spec description from deployment.yaml

      containers:
        - name: ocelot-svc
          ports:
          - containerPort: 5000
            name: http

Is there anything I'm missing? Kindly suggest.

[olix0r]

However when I check using linkerd viz authz -n default deploy/ocelot I get following output

Are the clients sending requests to the ocelot service? This tool will only display data if the service is actively being used.

[m1nish1208]

Since its an API gateway all microservices connect to that.. Are you seeing any issues with above configurations? My concern is with port definition. Do I need to make port 5000 as opaque port?

[adleong]

@m1nish1208 you shouldn't need to make 5000 opaque. Based on the viz authz command output, it really looks as if no traffic is being sent. I'd recommend using the linkerd viz stat server and linkerd viz stat deploy commands as well to get a fuller picture of what's going on here.