Tags: istio, istio-sidecar

Simplest way to allow some services to connect to other services with Istio


I have a Kubernetes cluster running with Istio injection enabled for the namespace in use. Each pod has two containers, the usual one and the additional Envoy proxy container. I want to enforce access between services: I have 17 services and I want service A (the first) to be able to connect to only around 10 of the possible services (10 out of 16). I have created a Sidecar YAML file with this content:

apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: service-a-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: service-a
  egress:
  - hosts:
    - "./service-b.default.svc.cluster.local"
    - "./service-c.default.svc.cluster.local"
    - "./service-d.default.svc.cluster.local"
    - "istio-system/*"

I want service-a to be able to connect to service-e, but I have not added it to this Sidecar YAML file, because I have some calls that imply a service-a => service-e connection and I want to verify that this file prevents the connection. So I apply this file with

 kubectl apply -f this.yaml

and kill the pod with the app label equal to service-a. When it restarts, I do something in the application that implies communication between service-a and service-e. The above Sidecar does not prevent it. Should it? Should an egress gateway be used for what I want to achieve?
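The following is an added example, not part of the question above. A Sidecar resource's egress hosts list only scopes which destinations the proxy receives configuration for; when the mesh runs with the default outboundTrafficPolicy of ALLOW_ANY, traffic to a host that is not listed falls through to the proxy's passthrough cluster and still reaches the ClusterIP, which is why service-a can still reach service-e. Setting outboundTrafficPolicy to REGISTRY_ONLY on the same Sidecar makes unlisted destinations unreachable from that workload. The service names and the app: service-a label are taken from the question; nothing else is assumed.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: service-a-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: service-a
  # Without this block the hosts not listed under egress are still reachable
  # through the passthrough cluster (mesh default outboundTrafficPolicy is ALLOW_ANY).
  # REGISTRY_ONLY routes anything that is not in this workload's egress list
  # to the black-hole cluster instead.
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - "./service-b.default.svc.cluster.local"
    - "./service-c.default.svc.cluster.local"
    - "./service-d.default.svc.cluster.local"
    - "istio-system/*"
```

After applying it and restarting the service-a pod, `istioctl proxy-config cluster <service-a-pod>` should list only the configured hosts plus the BlackHoleCluster, and a request from service-a to service-e should fail at the client-side proxy rather than succeed. Note that this is still a client-side scoping control: it relies on the service-a proxy being configured correctly and does not authenticate who is calling service-e, so it is best treated as a complement to destination-side authorization rather than a replacement for it.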


Solution

  • This can be achieved with a virtual service such as:

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: a-e-blocker
    spec:
      gateways:
      - mesh
      hosts:
      - service-b.default.svc.cluster.local
      http:
      - name: match-service-a
        match:
        - sourceLabels:
            service: a
        directResponse:
          status: 503
          body:
            string: "Not allowed"


    This creates a rule that applies to service b and will match any traffic that comes from something with a label of service: a (note that you will have to add this label to service a for this to work). When it matches, it will then return a response of 503.

    The Traffic Management article on the Istio page has more information about virtual services.
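As an added example that is not part of the answer above, the same access restriction can be enforced on the destination side with an Istio AuthorizationPolicy, which checks the caller's workload identity rather than a pod label. This assumes mutual TLS is enabled in the mesh (source principals are only available over mTLS), that service-e's pods carry the label app: service-e, and that service-a runs under a Kubernetes service account named service-a in the default namespace; all three are assumptions, not facts from the page.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-e-deny-service-a
  namespace: default
spec:
  # Assumed label on service-e's pods; the policy is enforced by service-e's own proxy.
  selector:
    matchLabels:
      app: service-e
  action: DENY
  rules:
  - from:
    - source:
        # SPIFFE identity of service-a, derived from its (assumed) service account name.
        # The caller's label can be set by anyone who can edit a pod spec; the
        # principal is tied to the certificate the caller's proxy presents over mTLS.
        principals: ["cluster.local/ns/default/sa/service-a"]
```

With this in place, a request from service-a to service-e is rejected by service-e's proxy with a 403 and the body "RBAC: access denied", which is easy to spot in the sidecar access logs when verifying the rule. For the original goal (service-a may reach only 10 of the other 16 services), one such DENY policy per forbidden destination, or an ALLOW policy on each destination listing the principals that are permitted, expresses the allow-list without depending on labels the caller controls.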