Can I make some special service deny or allow some service? such as
reviews.default.svc can access rating.demo.svc ?
This is well documented in the authorization task. Please read though Istio / Authorization