(this is something I haven't reproduced yet, but afaict it is true. We should demonstrate it before implementing anything though)
Based on this conversation in Istio's slack, Gateway API Ingress Gateways can have AuthorizationPolicies bound to them by `selector`. waypoint Gateways are a special case that ignore the `selector` and only receive policies via `targetRef`, but ingress Gateways can receive policies via both `selector` and `targetRef`.
The consequence of this is that, if the namespace where the ingress is deployed has an `allow-nothing` policy, the ingress will (inside the gateway) enforce that policy and not allow anything through. So if we did something like:
the allow-nothing policy in `user-space` will effectively disable the ingress. We should either warn users about this, or create authorization policies that allow everything external (or at least allow it if there's not some other restriction? not sure).
We could also consider turning off ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICY here, but that will be surprising to people used to how things worked in sidecar.
To Reproduce
Environment
Relevant log output
-
Additional context
No response
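The warning proposed in the issue could be implemented as a manifest check. The following is an added example, not code from the project or from the issue author: it flags ingress Gateways that, under the behaviour the issue describes, would be left with only a namespace-wide allow-nothing policy and no ALLOW policy bound to them by `targetRefs`. It assumes manifests already parsed into dicts, that `Gateway` means a Gateway API Gateway, and that waypoints use `gatewayClassName: istio-waypoint`; the function names and sample objects are constructed.

```python
# Added example, not project code. Names and sample objects are constructed.
WAYPOINT_CLASS = "istio-waypoint"  # assumption: waypoints are identified by gatewayClassName

def _spec(obj):
    return obj.get("spec") or {}

def is_namespace_wide_allow_nothing(obj):
    """ALLOW policy (the default action) with no rules and no selector/targetRef(s)."""
    s = _spec(obj)
    scoped = s.get("selector") or s.get("targetRef") or s.get("targetRefs")
    return (obj.get("kind") == "AuthorizationPolicy" and not scoped
            and s.get("action", "ALLOW") == "ALLOW" and not s.get("rules"))

def explicitly_allowed(objects, ns, gateway):
    """True if an ALLOW policy with rules in `ns` is bound to `gateway` via targetRef(s)."""
    for obj in objects:
        s = _spec(obj)
        if obj.get("kind") != "AuthorizationPolicy" or obj["metadata"]["namespace"] != ns:
            continue
        refs = list(s.get("targetRefs") or []) + ([s["targetRef"]] if s.get("targetRef") else [])
        bound = any(r.get("kind") == "Gateway" and r.get("name") == gateway for r in refs)
        if bound and s.get("action", "ALLOW") == "ALLOW" and s.get("rules"):
            return True
    return False

def find_blocked_ingress_gateways(objects):
    """Return (namespace, gateway, policy) for ingress Gateways left with only allow-nothing."""
    deny = {o["metadata"]["namespace"]: o["metadata"]["name"]
            for o in objects if is_namespace_wide_allow_nothing(o)}
    findings = []
    for o in objects:
        ns, name = o["metadata"]["namespace"], o["metadata"]["name"]
        ingress = o.get("kind") == "Gateway" and _spec(o).get("gatewayClassName") != WAYPOINT_CLASS
        # Per the issue, waypoints only take policies via targetRef, so they are skipped.
        if ingress and ns in deny and not explicitly_allowed(objects, ns, name):
            findings.append((ns, name, deny[ns]))
    return findings

def _obj(kind, ns, name, spec):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": spec}

SAMPLE = [  # constructed manifests, already parsed into dicts
    _obj("AuthorizationPolicy", "user-space", "allow-nothing", {}),
    _obj("Gateway", "user-space", "ingress", {"gatewayClassName": "istio"}),
    _obj("Gateway", "user-space", "waypoint", {"gatewayClassName": WAYPOINT_CLASS}),
    _obj("AuthorizationPolicy", "team-b", "allow-nothing", {}),
    _obj("Gateway", "team-b", "public", {"gatewayClassName": "istio"}),
    _obj("AuthorizationPolicy", "team-b", "allow-ingress", {"rules": [{}],
         "targetRefs": [{"kind": "Gateway", "name": "public"}]}),
]
```

Calling `find_blocked_ingress_gateways(SAMPLE)` reports only the `ingress` Gateway in `user-space`; the check does not model mesh-wide policies in the root namespace or the `ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICY` setting.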