Access Control List

Before Start

You should have NO virtualservice nor destinationrule (in the tutorial namespace). Check with:

kubectl get virtualservice
kubectl get destinationrule

If any exist, run:

./scripts/ tutorial

You need to enable Policy Enforcement to make this work. To validate whether it is enabled, just run:

kubectl -n istio-system get cm istio -o jsonpath="{}" | grep disablePolicyChecks

The result should show that disablePolicyChecks is false. If you installed Istio using the istio-demo.yaml file, then it is enabled by default.

If the result is true then refer to to enable it.

The Access Control rules take some time to be applied and reflected. Be patient here!


Whitelist

We’ll create a whitelist that will only allow the following communication path: customer → preference → recommendation. Any other path will result in a 403 HTTP error.

kubectl create -f istiofiles/acl-whitelist.yml -n tutorial

Then if you do:

curl $GATEWAY_URL/customer
customer => preference => recommendation v2 from '6b569c9cfb-g8shk': 5

Of course everything still works, but let’s go inside the customer pod:

kubectl exec -it -n tutorial $(kubectl get pods -n tutorial|grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash

You will be inside the application container of your pod customer-86ccc8746d-c6kfb. Now execute:

curl preference:8080
preference => recommendation v1 from '868bf96bfc-425m6': 5
curl recommendation:8080

So, as you can see, customer can make a request to the preference service but not to recommendation.
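To show what enforces that path, here is an added example of an Istio Mixer whitelist of the kind applied above; it is an illustration written for this page, not the tutorial’s own acl-whitelist.yml, and the handler, instance and rule names are assumptions. Each destination gets its own listchecker whose overrides name the only caller allowed in, and the rule is keyed on the calling pod’s app label.

```yaml
# Whitelist for calls INTO preference: only the customer app may call it.
apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: preferencewhitelist        # assumed name
spec:
  overrides: ["customer"]          # allowed callers; any other app label is denied
  blacklist: false                 # false = treat the list as a whitelist
---
# Whitelist for calls INTO recommendation: only the preference app may call it.
apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: recommendationwhitelist    # assumed name
spec:
  overrides: ["preference"]        # customer is NOT here, so customer -> recommendation is denied
  blacklist: false
---
# The value checked against each list: the "app" label of the calling pod.
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: appname                    # assumed name
spec:
  value: source.labels["app"]
---
# Apply the preference whitelist to every request whose destination is preference.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checktopreference          # assumed name
spec:
  match: destination.labels["app"] == "preference"
  actions:
  - handler: preferencewhitelist.listchecker
    instances: [appname.listentry]
---
# Apply the recommendation whitelist to every request whose destination is recommendation.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checktorecommendation      # assumed name
spec:
  match: destination.labels["app"] == "recommendation"
  actions:
  - handler: recommendationwhitelist.listchecker
    instances: [appname.listentry]
```

With both rules in place, customer → preference is admitted because "customer" is on the preference list, while the curl to recommendation from inside the customer pod is rejected with 403 because only "preference" is on the recommendation list.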

Clean up

kubectl delete -f istiofiles/acl-whitelist.yml -n tutorial


Blacklist

We’ll create a blacklist that denies the customer service access to the preference service. Requests from the customer service to the preference service will return a 403 Forbidden HTTP error code.

kubectl create -f istiofiles/acl-blacklist.yml -n tutorial
curl $GATEWAY_URL/customer
customer => Error: 403 - PERMISSION_DENIED:denycustomerhandler.denier.tutorial:Not allowed

Clean up

kubectl delete -f istiofiles/acl-blacklist.yml -n tutorial