Access Control List

Before Start

You should have NO virtualservice nor destinationrule in the tutorial namespace. Check with:

kubectl get virtualservice
kubectl get destinationrule

If any exist, run:

./scripts/clean.sh tutorial
The Access Control rules take some time to be applied and reflected. Be patient here!

Whitelist

We’ll create a whitelist on the preference service to only allow requests from the recommendation service, which will make the preference service invisible to the customer service. Requests from the customer service to the preference service will return a 404 Not Found HTTP error code.

kubectl create -f istiofiles/acl-whitelist.yml -n tutorial
curl istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
customer => 404 customer => Error: 403 - PERMISSION_DENIED:preferencewhitelist.listchecker.tutorial:customer is not whitelisted

Clean up

kubectl delete -f istiofiles/acl-whitelist.yml -n tutorial

Blacklist

We’ll create a blacklist that denies the customer service access to the preference service. Requests from the customer service to the preference service will return a 403 Forbidden HTTP error code.

kubectl create -f istiofiles/acl-blacklist.yml -n tutorial
curl istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
customer => Error: 403 - PERMISSION_DENIED:denycustomerhandler.denier.tutorial:Not allowed

Clean up

kubectl delete -f istiofiles/acl-blacklist.yml -n tutorial
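
To confirm which policy produced a denial, and to wait out the propagation delay mentioned under Before Start, the following added example (not part of the tutorial repository) parses the error line returned by the customer service. It assumes the line shape seen in the two outputs on this page; the function names are hypothetical, and the handler and adapter names are the ones printed in those outputs.

```shell
#!/bin/sh
# Added example, not part of the tutorial repository.
# Assumed denial shape, taken from the two outputs on this page:
#   customer => Error: <http> - <STATUS>:<handler>.<adapter>.<namespace>:<message>
DENIAL_RE='^.*Error: ([0-9]{3}) - ([A-Z_]+):([^.:]+)\.([^.:]+)\.([^.:]+):(.*)$'

# parse_denial LINE: print "http|status|handler|adapter|namespace|message";
# fail when LINE is not a policy denial (e.g. a normal customer response).
parse_denial() {
  out=$(printf '%s\n' "$1" | sed -n -E "s/$DENIAL_RE/\1|\2|\3|\4|\5|\6/p")
  [ -n "$out" ] && printf '%s\n' "$out"
}

# denied_by LINE HANDLER ADAPTER: succeed only if that handler issued the denial.
denied_by() {
  fields=$(parse_denial "$1") || return 1
  IFS='|' read -r _http _status handler adapter _ns _msg <<EOF
$fields
EOF
  [ "$handler" = "$2" ] && [ "$adapter" = "$3" ]
}

# fetch_customer: the request used in this tutorial (needs the minishift cluster).
fetch_customer() {
  curl -s "istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer"
}

# wait_for_denial HANDLER ADAPTER [TRIES] [DELAY]: poll until the rule is enforced.
wait_for_denial() {
  tries=${3:-30}
  while [ "$tries" -gt 0 ]; do
    denied_by "$(fetch_customer)" "$1" "$2" && return 0
    tries=$((tries - 1))
    sleep "${4:-2}"
  done
  return 1
}
```

After creating the whitelist, `wait_for_denial preferencewhitelist listchecker` returns once the listchecker handler is enforcing; after creating the blacklist, use `wait_for_denial denycustomerhandler denier`.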