Access Control List

Before Start

You should have NO virtualservice nor destinationrule in the tutorial namespace:

  kubectl get virtualservice
  kubectl get destinationrule

If any are listed, run:

  ./scripts/clean.sh tutorial
You need to enable Policy Enforcement to make this work. To validate that it is enabled, just run:

  kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

The result should be disablePolicyChecks: false. If you installed Istio using the istio-demo.yaml file then it is enabled by default. If the result is true, refer to https://istio.io/docs/tasks/policy-enforcement/enabling-policy/ to enable it.
The Access Control rules take some time to be applied and reflected. Be patient here!

Whitelist

We’ll create a whitelist that only allows the following communication path: customer → preference → recommendation. Any other path will result in a 403 HTTP error.

  kubectl create -f istiofiles/acl-whitelist.yml -n tutorial

Then if you do:

  curl istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
  customer => preference => recommendation v2 from '6b569c9cfb-g8shk': 5

Of course everything is still valid, but let’s go inside the customer pod:

  oc exec -it -n tutorial $(oc get pods -n tutorial|grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash

or

  kubectl exec -it -n tutorial $(kubectl get pods -n tutorial|grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash

You will be inside the application container of your pod customer-86ccc8746d-c6kfb. Now execute:

  curl preference:8080
  preference => recommendation v1 from '868bf96bfc-425m6': 5
  curl recommendation:8080
  Error: 403 - PERMISSION_DENIED:
  exit

So, as you can see, the customer service can make a request to the preference service but not to the recommendation service.
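As an added illustration (this is not the tutorial’s own istiofiles/acl-whitelist.yml), here is what a Mixer whitelist producing the behaviour above looks like: a listchecker handler holding the allowed source apps, a listentry instance that extracts the caller’s app label, and a rule that binds them for calls to recommendation. The resource names are assumed.

```yaml
# Added example, not the tutorial's istiofiles/acl-whitelist.yml.
# Handler, instance and rule names are assumed; apply with -n tutorial.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: recommendationwhitelist
spec:
  compiledAdapter: listchecker
  params:
    # Only these source apps may reach the destination matched by the rule.
    overrides: ["preference"]
    # false = overrides is a whitelist; true would turn it into a blacklist.
    blacklist: false
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceapp
spec:
  compiledTemplate: listentry
  params:
    # The value checked against the list: the app label of the calling workload.
    value: source.labels["app"]
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checktorecommendation
spec:
  # Evaluated only for requests whose destination is the recommendation service.
  match: destination.labels["app"] == "recommendation"
  actions:
  - handler: recommendationwhitelist
    instances:
    - sourceapp
```

With this in place, preference → recommendation succeeds while a call from the customer pod to recommendation:8080 is rejected with the PERMISSION_DENIED (403) shown above; the blacklist in the next section achieves the inverse using a denier handler.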

Clean up

  kubectl delete -f istiofiles/acl-whitelist.yml -n tutorial

Blacklist

We’ll create a blacklist that blocks the customer service from calling the preference service. Requests from the customer service to the preference service will return a 403 Forbidden HTTP error code.

  kubectl create -f istiofiles/acl-blacklist.yml -n tutorial

Then if you do:

  curl istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
  customer => Error: 403 - PERMISSION_DENIED:denycustomerhandler.denier.tutorial:Not allowed

Clean up

  kubectl delete -f istiofiles/acl-blacklist.yml -n tutorial