UNCLASSIFIED - NO CUI

Replace global monitoring sso AuthorizationPolicy for authservice

Prior to bb-common integration, there was an AuthorizationPolicy created by monitoring that allowed traffic to authservice-enabled pods from prometheus and alertmanager.

It was removed in !478 (merged).

The file existed to account for the following scenario:

  • hardened was not enabled (no authorization policies permitting traffic, like intra-namespace allow)
  • sso (authservice) was enabled

The pods in the monitoring namespace opted into authservice would be subject to the global AuthorizationPolicies created by Authservice, but there would be no corresponding allow policy to permit any other traffic.

For example, the pod logs:

$ kubectl logs pod/alertmanager-monitoring-monitoring-kube-alertmanager-0 -n monitoring -c istio-proxy

[2026-03-19T17:08:50.838Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 1 - "-" "Prometheus/3.10.0" "9fc8eaf3-85a4-4b6d-8f9f-6937cb280cbf" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:59684 - default
[2026-03-19T17:08:56.154Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 1 - "-" "Prometheus/3.10.0" "e157cc75-17eb-47dc-96cc-c2ed8ffe6660" "10.42.2.9:8080" "-" inbound|8080|| - 10.42.2.9:8080 10.42.2.10:60160 - default
[2026-03-19T17:08:56.248Z] "POST /api/v2/alerts HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 2593 19 1 - "-" "Prometheus/3.10.0" "860835c3-9f19-4015-8cb2-40f9c82f8995" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:57238 - default
[2026-03-19T17:09:07.101Z] "POST /api/v2/alerts HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 654 19 1 - "-" "Prometheus/3.10.0" "11a6d1ac-bc23-4898-b394-ec2c76e2a5a7" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:57238 - default
[2026-03-19T17:09:20.838Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 3 - "-" "Prometheus/3.10.0" "f675a413-6561-4856-81c6-20e5459d2d93" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:59684 - default
[2026-03-19T17:09:21.364Z] "POST /api/v2/alerts HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 3033 19 3 - "-" "Prometheus/3.10.0" "091b233f-74ee-416c-b763-a66c16713ecf" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:57238 - default
[2026-03-19T17:09:26.154Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "Prometheus/3.10.0" "3a627a7f-07cc-4390-9f9f-63630396e964" "10.42.2.9:8080" "-" inbound|8080|| - 10.42.2.9:8080 10.42.2.10:60160 - default
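To turn denials like these into the list of flows a replacement allow policy has to cover, the sketch below groups them by source, destination port, method and path. It is an added example, not code from this issue or from the project; it assumes Istio's default access log field order, the sample is the log output above, and the function names are hypothetical.

```python
import shlex
from collections import Counter

# The istio-proxy lines quoted above, used as sample input.
SAMPLE = '''
[2026-03-19T17:08:50.838Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 1 - "-" "Prometheus/3.10.0" "9fc8eaf3-85a4-4b6d-8f9f-6937cb280cbf" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:59684 - default
[2026-03-19T17:08:56.154Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 1 - "-" "Prometheus/3.10.0" "e157cc75-17eb-47dc-96cc-c2ed8ffe6660" "10.42.2.9:8080" "-" inbound|8080|| - 10.42.2.9:8080 10.42.2.10:60160 - default
[2026-03-19T17:08:56.248Z] "POST /api/v2/alerts HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 2593 19 1 - "-" "Prometheus/3.10.0" "860835c3-9f19-4015-8cb2-40f9c82f8995" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:57238 - default
[2026-03-19T17:09:07.101Z] "POST /api/v2/alerts HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 654 19 1 - "-" "Prometheus/3.10.0" "11a6d1ac-bc23-4898-b394-ec2c76e2a5a7" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:57238 - default
[2026-03-19T17:09:20.838Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 3 - "-" "Prometheus/3.10.0" "f675a413-6561-4856-81c6-20e5459d2d93" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:59684 - default
[2026-03-19T17:09:21.364Z] "POST /api/v2/alerts HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 3033 19 3 - "-" "Prometheus/3.10.0" "091b233f-74ee-416c-b763-a66c16713ecf" "10.42.2.9:9093" "-" inbound|9093|| - 10.42.2.9:9093 10.42.2.10:57238 - default
[2026-03-19T17:09:26.154Z] "GET /metrics HTTP/2" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "Prometheus/3.10.0" "3a627a7f-07cc-4390-9f9f-63630396e964" "10.42.2.9:8080" "-" inbound|8080|| - 10.42.2.9:8080 10.42.2.10:60160 - default
'''

PREFIX = "rbac_access_denied_matched_policy["

def parse_denial(line):
    """Return a dict for an RBAC-denied request, or None for any other line."""
    try:
        fields = shlex.split(line)      # honours the quoted fields of the log format
    except ValueError:                  # unbalanced quotes: not a usable log line
        return None
    if len(fields) < 20 or not fields[4].startswith(PREFIX):
        return None
    request = fields[1].split(" ")      # "METHOD PATH PROTOCOL"
    if len(request) != 3:
        return None
    return {
        "method": request[0], "path": request[1], "code": int(fields[2]),
        "policy": fields[4][len(PREFIX):-1],   # "none": no policy matched the request
        "user_agent": fields[12],
        "dest_port": int(fields[18].rsplit(":", 1)[1]),  # DOWNSTREAM_LOCAL_ADDRESS
        "source_ip": fields[19].rsplit(":", 1)[0],       # DOWNSTREAM_REMOTE_ADDRESS
    }

def summarize(log_text):
    """Count denials per (source IP, dest port, method, path, matched policy)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line.strip())
        if d:
            counts[(d["source_ip"], d["dest_port"], d["method"], d["path"], d["policy"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Each distinct key is a flow that currently has no matching ALLOW rule; a source IP has to be mapped back to its pod and service account before it is used to scope a policy.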