ssl: none from centraldashboard to profiles which cause rbac access denied

[emilyyujieli]

Background
We install kubeflow:v1.8.0 and an individual istio:1.20.3.

Issue
When we use DEX to do OIDC authentication and login kubeflow successfully, it will got a rbac access denied error in UI.
We enable RBAC debug log and get log info from profiles-kfam pod.
istioctl pc log --level "rbac:debug" profiles-kfam-*.kubeflow
k logs -f profiles-kfam-*
Then find out that's because traffic from centraldashboard to profiles without ssl and not able to get principals info(cluster.local/ns/kubeflow/sa/centraldashboard) so the authorizationpolicy** profiles-kfam** doesn't work.

Any idea how to fix this issue?

[ReggieCarey]

Did you enable TLS in your Istio service mesh?

[emilyyujieli]

Did you enable TLS in your Istio service mesh?

Yes,l saw the traffic is from centraldashboard to profile,so l created two destinationrule on centraldashboard & profile to enable MTLS. But it still ssl.
centraldashboard

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  labels:
    app: centraldashboard
    kustomize.component: centraldashboard
  name: centraldashboard
  namespace: kubeflow
spec:
  host: centraldashboard.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

profile

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  labels:
    app: profiles
    kustomize.component: profiles
  name: profiles-kfam
  namespace: kubeflow
spec:
  host: profiles-kfam.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL