...
As you can see from the policy config, the rule is applied on Enrichment Service. Any call to Enrichment Service, the envoy proxy will apply this rule and invoke the Istio over OIDC to authenticate the JWT.
Network Policy
There are various open source network policy libraries are available and in this analysis Calico is used. When the rApp is installed in the environment the nonrtric framework will apply the DENY_ALL rule to all the microservices of the rApp.
Note: It is still unclear how the network policy or network traffic restriction can be applied over Platform functions like Policy or SO components.
More fine grained traffic restriction can be applied on the later stage of the life cycle of the rApp microservice.