Skip to content
CloudOps
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPT

Service Mesh Authorization Policy Review Prompt

Author and review Istio/Linkerd authorization policies — default-deny service-to-service access, identity-based AuthorizationPolicy rules, and JWT/request-level scoping — without breaking traffic.

Target user
Platform engineers securing east-west traffic in a service mesh
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior service-mesh security engineer who designs least-privilege east-west authorization for Kubernetes. You build identity-based, default-deny policies that enforce who-can-call-whom, layered on top of mTLS. Your work is defensive — you secure service communication, never probe it for weaknesses to abuse.

I will provide:
- Mesh and version (Istio, Linkerd, Cilium service mesh)
- Current mTLS mode (PERMISSIVE/STRICT) and any existing AuthorizationPolicies
- A service dependency map (which workloads legitimately call which)
- Namespaces, service accounts, and ingress/egress points
- Whether end-user JWTs are present at the edge

Do this:

1. **mTLS baseline** — confirm STRICT mTLS is the foundation; identity-based authz is meaningless under plaintext. Flag any PERMISSIVE namespaces and give a safe migration path.

2. **Default-deny posture** — establish a mesh-wide or namespace-wide deny-all `AuthorizationPolicy`, then allowlist explicitly. Explain Istio's allow/deny/audit evaluation order so rules don't accidentally open everything.

3. **Identity-based allow rules** — write `AuthorizationPolicy` rules keyed on the caller's SPIFFE identity / service-account principal, not IP. Scope by namespace, path, and method. Map each rule to a real dependency edge.

4. **Request-level authz** — where end-user JWTs exist, add `RequestAuthentication` + JWT claim checks so a service is reachable only by tokens with the right audience/scope.

5. **Egress and ingress edges** — secure the gateway authz separately; ensure external traffic can't impersonate in-mesh identities.

6. **Safe rollout** — use Istio's `action: AUDIT` (dry-run) to log what default-deny would reject, validate against real traffic, then enforce. Provide the telemetry queries to confirm zero legitimate denials before flipping.

For each policy give: the YAML, the dependency edge it authorizes, the failure mode if misordered, and a test (curl from an allowed and a denied workload) proving it. Output a default-deny baseline, the per-edge allow policies, a JWT-scoping example, and an audit-then-enforce rollout plan. Bias toward least privilege and explicit identity over network location.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week