Access Control List

Before Start

You should have NO VirtualService nor DestinationRule in the tutorial namespace. Check with:

kubectl get virtualservice
kubectl get destinationrule

If any exist, run:

./scripts/clean.sh tutorial

You need to enable Policy Enforcement to make this work. To validate whether it is enabled, run:

kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks

The output should show disablePolicyChecks: false. If you installed Istio using the istio-demo.yaml file, policy enforcement is enabled by default.

If the result is true, refer to https://istio.io/docs/tasks/policy-enforcement/enabling-policy/ to enable it.

The Access Control rules take some time to be applied and reflected by the sidecars. Be patient here!

Whitelist

We’ll create a whitelist that only allows the communication path customer → preference → recommendation. Any other path will result in a 403 HTTP error.

kubectl create -f istiofiles/acl-whitelist.yml -n tutorial

Then if you do:

curl $GATEWAY_URL/customer
customer => preference => recommendation v2 from '6b569c9cfb-g8shk': 5

Of course everything still works from the outside, but let’s go inside the customer pod:

kubectl exec -it -n tutorial $(kubectl get pods -n tutorial|grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash

You will be inside the application container of your customer pod (customer-86ccc8746d-c6kfb in this example). Now execute:

curl preference:8080
preference => recommendation v1 from '868bf96bfc-425m6': 5
curl recommendation:8080
Error: 403 - PERMISSION_DENIED:
exit

So, as you can see, customer can call the preference service but not the recommendation service: the only hop allowed into recommendation is the one coming from preference.
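To make the mechanism concrete, here is an added illustrative example of what a whitelist like this looks like as an Istio Mixer policy in the config.istio.io/v1alpha2 style (the style used by the istio-demo.yaml era of Istio). It is not the tutorial’s own istiofiles/acl-whitelist.yml; the resource names preferencewhitelist, preferencesource and checktopreference are assumptions.

```yaml
# Added illustrative example, not the tutorial's acl-whitelist.yml.
# Mixer list-checker whitelist: recommendation accepts calls only from
# pods labelled app=preference. Resource names are assumptions.
apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: preferencewhitelist
spec:
  # Static list of accepted values. blacklist: false makes this a whitelist,
  # so any value NOT in overrides is rejected with PERMISSION_DENIED (HTTP 403).
  overrides: ["preference"]
  blacklist: false
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: preferencesource
spec:
  # The attribute compared against the list: the calling pod's app label.
  value: source.labels["app"]
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checktopreference
spec:
  # Run the check only for requests arriving at the recommendation service.
  match: destination.labels["app"] == "recommendation"
  actions:
  - handler: preferencewhitelist.listchecker
    instances:
    - preferencesource.listentry
```

Apply it with kubectl create -f <file> -n tutorial, exactly like the tutorial file. With this rule in place, preference → recommendation passes because the caller’s label is in the list, while customer → recommendation is rejected, which is the 403 - PERMISSION_DENIED you saw from inside the customer pod. A second listchecker/rule pair on the preference service with overrides: ["customer"] would complete the path. Note that the decision keys on the caller’s app label as reported through Mixer’s attributes, not on an authenticated service identity; a whitelist is still the safer posture because it fails closed: a newly deployed service is denied until it is explicitly listed.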

Clean up

kubectl delete -f istiofiles/acl-whitelist.yml -n tutorial

Blacklist

We’ll create a blacklist that blocks the customer service from calling the preference service. Requests from the customer service to the preference service will return a 403 Forbidden HTTP error code.

kubectl create -f istiofiles/acl-blacklist.yml -n tutorial
curl $GATEWAY_URL/customer
customer => Error: 403 - PERMISSION_DENIED:denycustomerhandler.denier.tutorial:Not allowed
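For comparison with the whitelist, here is an added illustrative example of a denial policy in the same config.istio.io/v1alpha2 style, using Mixer’s denier adapter. It is not the tutorial’s own istiofiles/acl-blacklist.yml; the handler name denycustomerhandler is taken from the error message above, while denycustomerrequests and denycustomer are assumed names.

```yaml
# Added illustrative example, not the tutorial's acl-blacklist.yml.
# Mixer denier policy: reject customer -> preference, allow everything else.
# Handler name matches the error shown above; other names are assumptions.
apiVersion: config.istio.io/v1alpha2
kind: denier
metadata:
  name: denycustomerhandler
spec:
  status:
    # gRPC status code 7 is PERMISSION_DENIED; the sidecar surfaces it as HTTP 403.
    code: 7
    message: Not allowed
---
apiVersion: config.istio.io/v1alpha2
kind: checknothing
metadata:
  name: denycustomerrequests
spec:
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: denycustomer
spec:
  # Deny only when a pod labelled app=customer calls the preference service.
  match: destination.labels["app"] == "preference" && source.labels["app"] == "customer"
  actions:
  - handler: denycustomerhandler.denier
    instances:
    - denycustomerrequests.checknothing
```

The error string in the tutorial output, denycustomerhandler.denier.tutorial:Not allowed, is handler name, adapter kind, namespace and the configured message, so you can trace a 403 back to the rule that produced it. Unlike the whitelist, this blacklist only names the one path to deny and lets every other caller through, so a new or renamed service is allowed by default; prefer the whitelist form when the set of legitimate callers is known.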

Clean up

kubectl delete -f istiofiles/acl-blacklist.yml -n tutorial