kubectl get server data-manager-server -n labtest -o yaml
apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata:
  labels:
    kustomize.toolkit.fluxcd.io/name: labtest
    kustomize.toolkit.fluxcd.io/namespace: labtest
  name: data-manager-server
  namespace: labtest
spec:
  accessPolicy: deny
  podSelector:
    matchLabels:
      app: data-manager
  port: 443
  proxyProtocol: TLS
---
kubectl get authorizationpolicy -n labtest -o yaml
apiVersion: v1
items:
- apiVersion: policy.linkerd.io/v1alpha1
  kind: AuthorizationPolicy
  metadata:
    labels:
      kustomize.toolkit.fluxcd.io/name: labtest
      kustomize.toolkit.fluxcd.io/namespace: labtest
    name: data-manager-policy
    namespace: labtest
  spec:
    requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: data-manager-authn
    targetRef:
      group: policy.linkerd.io
      kind: Server
      name: data-manager-server
kind: List
metadata:
  resourceVersion: ""
---
kubectl get MeshTLSAuthentication -n labtest -o yaml
apiVersion: v1
items:
- apiVersion: policy.linkerd.io/v1alpha1
  kind: MeshTLSAuthentication
  metadata:
    labels:
      kustomize.toolkit.fluxcd.io/name: labtest
      kustomize.toolkit.fluxcd.io/namespace: labtest
    name: data-manager-authn
    namespace: labtest
  spec:
    identities:
    - gateway-sa.labtest.serviceaccount.identity.linkerd.cluster.local
kind: List
metadata:
  resourceVersion: ""
---------------------------
curl logs (roar-be pod is in labtest-drm namespace.)

kubectl exec --stdin --tty roar-be-845d5fdbb6-rmnlt -c roar-be -- /bin/sh
sh-5.1$ curl -vk https://data-manager.labtest.svc.cluster.local
* Trying 172.20.85.19:443...
* Connected to data-manager.labtest.svc.cluster.local (172.20.85.19) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / *******
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=*******; O=*******; CN=data-manager.labtest.k8s-nlb.aws.*******.*******
* start date: Jan 13 17:04:17 2025 GMT
* expire date: Jan 13 17:04:17 2027 GMT
* issuer: C=*******; O=*******; CN=*******
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET / HTTP/1.1
> Host: data-manager.labtest.svc.cluster.local
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< date: Thu, 20 Feb 2025 12:54:37 GMT
< server: uvicorn
< content-length: 22
< content-type: application/json
<
* TLSv1.2 (IN), TLS header, Unknown (23):
* Connection #0 to host data-manager.labtest.svc.cluster.local left intact