
MeshTrafficPermission: prometheus listener doesn't allow traffic with allow-all policy #7412

Closed
lukidzi opened this issue Aug 1, 2023 · 2 comments · Fixed by #8172
Labels
kind/bug A bug triage/accepted The issue was reviewed and is complete enough to start working on it

Comments

@lukidzi
Contributor

lukidzi commented Aug 1, 2023

What happened?

When kuma uses the default MeshTrafficPermission that allows all the traffic, changes for RBAC are not applied to the kuma:metrics:prometheus listener. In this case, traffic from the scraper cannot reach the services endpoint.

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kuma-system
  name: allow-all
spec:
  targetRef:
    kind: Mesh
  from:
    - targetRef:
        kind: Mesh
      default:
        action: Allow

config_dump of rbac kuma:metrics:prometheus listener when using MeshTrafficPermission

        {
           "name": "envoy.filters.network.rbac",
           "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
            "rules": {},
            "stat_prefix": "kuma_metrics_prometheus."
           }
          },

When we switch to TrafficPermission, traffic works.

apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: allow-all-traffic
spec:
  sources:
    - match:
        kuma.io/service: '*'
  destinations:
    - match:
        kuma.io/service: '*'

config_dump of rbac kuma:metrics:prometheus listener when using TrafficPermission

        {
           "name": "envoy.filters.network.rbac",
           "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
            "rules": {
             "policies": {
              "allow-all-traffic": {
               "permissions": [
                {
                 "any": true
                }
               ],
               "principals": [
                {
                 "any": true
                }
               ]
              }
             }
            },
            "stat_prefix": "kuma_metrics_prometheus."
           }
          },
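Added example, not from the issue or the Kuma project: a small check that walks an Envoy /config_dump and reports listeners whose network RBAC filter carries rules with no policies, which under the default ALLOW action rejects every connection (the state of kuma:metrics:prometheus above). The config_dump excerpt is constructed to mirror the two dumps quoted in this issue.

```python
import json

RBAC_TYPE = "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC"


def _listener(name: str, rules: dict) -> dict:
    """Build one dynamic_listeners entry carrying a network RBAC filter."""
    rbac = {"name": "envoy.filters.network.rbac",
            "typed_config": {"@type": RBAC_TYPE, "rules": rules,
                             "stat_prefix": name.replace(":", "_") + "."}}
    return {"name": name, "active_state": {"listener": {
        "name": name, "filter_chains": [{"filters": [rbac]}]}}}

# Constructed /config_dump excerpt (ListenersConfigDump shape): the prometheus
# listener mirrors the empty "rules": {} quoted in this issue, the inbound one
# carries the allow-all policy that TrafficPermission produces.
SAMPLE_CONFIG_DUMP = json.dumps({"configs": [{
    "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
    "dynamic_listeners": [
        _listener("kuma:metrics:prometheus", {}),
        _listener("inbound:10.0.0.1:8080", {"policies": {"allow-all-traffic": {
            "permissions": [{"any": True}], "principals": [{"any": True}]}}}),
    ]}]})


def find_deny_all_rbac_listeners(config_dump_json: str) -> list[str]:
    """Names of listeners whose network RBAC filter has rules but no policies.
    With the default ALLOW action nothing matches, so every connection is
    rejected: the behaviour the scraper hits on kuma:metrics:prometheus."""
    dump = json.loads(config_dump_json)
    offenders = []
    for cfg in dump.get("configs", []):
        if not cfg.get("@type", "").endswith("ListenersConfigDump"):
            continue
        listeners = [d.get("active_state", {}).get("listener", {})
                     for d in cfg.get("dynamic_listeners", [])]
        listeners += [s.get("listener", {}) for s in cfg.get("static_listeners", [])]
        for lst in listeners:
            for chain in lst.get("filter_chains", []):
                for flt in chain.get("filters", []):
                    if flt.get("name") != "envoy.filters.network.rbac":
                        continue
                    rules = flt.get("typed_config", {}).get("rules")
                    # rules absent: nothing enforced; present without policies under ALLOW: deny-all
                    if rules is not None and not rules.get("policies") \
                            and rules.get("action", "ALLOW") == "ALLOW":
                        offenders.append(lst.get("name", "<unnamed>"))
    return offenders
```

Run it against the real dump with `curl -s localhost:9901/config_dump` piped into `find_deny_all_rbac_listeners` to see which listeners are silently dropping traffic.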
@lukidzi lukidzi added triage/pending This issue will be looked at on the next triage meeting kind/bug A bug labels Aug 1, 2023
@lukidzi lukidzi changed the title MeshTrafficPermission: prometheus listener doesn't allow traffic with default policy MeshTrafficPermission: prometheus listener doesn't allow traffic with allow-all policy Aug 1, 2023
@jakubdyszkiewicz jakubdyszkiewicz added triage/accepted The issue was reviewed and is complete enough to start working on it and removed triage/pending This issue will be looked at on the next triage meeting labels Aug 7, 2023
@lukidzi
Contributor Author

lukidzi commented Aug 8, 2023

We talked with @lobkovilya and concluded that it's not a quick fix to make it work. We use the DP object when building a rules view for the policies. That object doesn't have all the inbounds that a dataplane can have, e.g. Prometheus, admin, probe. Because of this, new policies cannot be applied to listeners that are not defined in a DP object. https://github.com/kumahq/kuma/blob/master/pkg/plugins/policies/core/matchers/dataplane.go#L194

As a workaround, we can use TrafficPermission just to allow Prometheus traffic, and the policies for the services we can define with MeshTrafficPermission.

apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: metrics-permissions
spec:
  sources:
    - match:
        kuma.io/service: "*"
  destinations:
    - match:
        kuma.io/service: dataplane-metrics

xref: #5708

@lahabana
Contributor

How about simply ignoring "system" listeners (prometheus, admin, probe) when applying RBAC?
It might be imperfect but good enough?
