I have a Kubernetes cluster running with Istio injection enabled for the namespace in use. Each pod has two containers, the usual one and the additional Envoy proxy container. I want to enforce access for services: I have 17 services and I want service A (the first) to be able to connect only to around 10 of the possible services (10 out of 16). I have created a Sidecar YAML file with this content:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: service-a-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: service-a
  egress:
  - hosts:
    - "./service-b.default.svc.cluster.local"
    - "./service-c.default.svc.cluster.local"
    - "./service-d.default.svc.cluster.local"
    - "istio-system/*"
```
I want service-a to be able to connect to service-e, but I have not added it to this Sidecar YAML file, as I have some calls which imply a service-a => service-e connection and I want to verify that this file would prevent the connection. So I apply this file with
```
kubectl apply -f this.yaml
```
and kill the pod with the app label equal to service-a. When it restarts, I do something in the application that will imply communication between service-a and service-e. The above Sidecar does not prevent it. Should it? Should an egress gateway be used for what I want to achieve?
This can be achieved with a virtual service such as:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: a-e-blocker
spec:
  gateways:
  - mesh
  hosts:
  - service-b.default.svc.cluster.local
  http:
  - name: match-service-a
    match:
    - sourceLabels:
        service: a
    directResponse:
      status: 503
      body:
        string: "Not allowed"
```
This creates a rule that applies to service b and will match any traffic that comes from something with a label of `service: a` (note you will have to add this label to service a for this to work). When it matches, it will then return a response of 503.
The Traffic Management article on the Istio page has more information about virtual services.
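As an added example (not part of the question or the answer above), here is the asker's Sidecar resource with an explicit outbound traffic policy. A Sidecar's `egress.hosts` list only scopes which destinations the Envoy proxy receives configuration for; under the mesh default `outboundTrafficPolicy` mode `ALLOW_ANY`, traffic to a host that is not in the list is still forwarded through the passthrough cluster, which is why service-a could still reach service-e. Setting the mode to `REGISTRY_ONLY` on the Sidecar makes the proxy reject destinations that are not listed; the service names and the `default` namespace are taken from the question.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: service-a-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: service-a
  # With the default ALLOW_ANY mode, hosts missing from the egress list below
  # are still reachable via the passthrough cluster. REGISTRY_ONLY restricts
  # outbound traffic from this workload to the hosts listed here.
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    # "./" means the workload's own namespace (default).
    - "./service-b.default.svc.cluster.local"
    - "./service-c.default.svc.cluster.local"
    - "./service-d.default.svc.cluster.local"
    # service-e is deliberately absent, so calls to it are now rejected.
    - "istio-system/*"
```

After re-applying and restarting the service-a pod, a call to service-e from inside the pod should fail at the proxy instead of succeeding, while calls to service-b, service-c and service-d continue to work.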