Access Control List
Before Start
You should have NO virtualservice nor destinationrule (in
The Access Control rules take some time to be applied and reflected. Be patient here!
Whitelist
We’ll create a whitelist on the preference service to only allow requests from the recommendation service, which will make the preference service invisible to the customer service. Requests from the customer service to the preference service will return a 404 Not Found HTTP error code.
kubectl create -f istiofiles/acl-whitelist.yml -n tutorial
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
curl $(minikube ip):$INGRESS_PORT/customer
customer => 404 customer => Error: 403 - PERMISSION_DENIED:preferencewhitelist.listchecker.tutorial:customer is not whitelisted
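The page applies istiofiles/acl-whitelist.yml without showing it. The following is an added reconstruction (not the tutorial's own file) of what a Mixer-era (Istio 1.0 to 1.4) listchecker whitelist for this scenario looks like: the handler name preferencewhitelist and the listchecker kind come from the error output above, while the instance name preferencesource and the rule name checktopreference are assumed.

```yaml
# Handler: the list the check is evaluated against. "blacklist: false"
# means "allow only what is in overrides"; everything else is denied.
apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: preferencewhitelist
spec:
  overrides: ["recommendation"]   # only the recommendation workload may call preference
  blacklist: false
---
# Instance: which request attribute is looked up in the list.
# Here it is the "app" label of the calling pod (source.labels["app"]).
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: preferencesource            # assumed name
spec:
  value: source.labels["app"]
---
# Rule: run the handler only for traffic whose destination is the
# preference service; other services are unaffected.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checktopreference           # assumed name
spec:
  match: destination.labels["app"] == "preference"
  actions:
  - handler: preferencewhitelist.listchecker
    instances:
    - preferencesource.listentry
```

Because the lookup key is a pod label rather than a verified identity, the whitelist is only as trustworthy as the sidecar that reports it; with mTLS enabled, keying the listentry on source.principal ties the decision to the caller's certificate identity instead.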
Blacklist
We’ll create a blacklist that denies the customer service access to the preference service. Requests from the customer service to the preference service will return a 403 Forbidden HTTP error code.
kubectl create -f istiofiles/acl-blacklist.yml -n tutorial
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
curl $(minikube ip):$INGRESS_PORT/customer
customer => Error: 403 - PERMISSION_DENIED:denycustomerhandler.denier.tutorial:Not allowed