How to restrict access to an external service to a specific app

I want to limit which pods can access an external service. There are two apps, A and B: A can access example.com, but B can't access example.com. A and B are in the same namespace.
Create the ServiceEntry for the external service:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: example
spec:
  hosts:
  - example.com
  addresses:
  - 192.168.0.13
  ports:
  - number: 8888
    name: tcp-8888
    protocol: TCP
  - number: 443
    name: tcp-443
    protocol: TCP
  location: MESH_EXTERNAL
  exportTo:
    - .

Create a policy so that only pods whose app label is app1 can access this ServiceEntry:

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides:
      - app1
    blacklist: false

---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: appname
spec:
  compiledTemplate: listentry
  params:
    value: source.labels["app"]

---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkapp
spec:
  match: destination.service.host == "example.com"
  actions:
  - handler: whitelist
    instances: [ appname ]

But it does not work.
Istio 1.4.0 and Kubernetes 1.14.4.

I have a similar kind of request as well. Please let me know if you are able to solve this :slight_smile:

@wu0407: Were you able to solve this?
The approach looks right… Can you make sure from the Istio Mixer logs that the values of your attributes source.labels["app"] and destination.service.host == "example.com" are the ones you expect them to be?

Yes, the Mixer logs have source.labels["app"] and destination.service.host == "example.com"; it works with a k8s Service, but not with a ServiceEntry.

Currently, policy is checked on inbound traffic, so access to an external service does not go through a policy check.

As Mixer has been deprecated in 1.5, please consider using authorization policy to allow/deny requests. Thank you, and reach out if you have any questions.

I have not used Istio 1.5, and I've tried authorization policy but failed.
But I know Kubernetes NetworkPolicy can do this.
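The NetworkPolicy approach mentioned in the reply above, written out as an added example (not posted by anyone in this thread and not Istio project code). It assumes the namespace is called `demo`, the two apps carry the labels `app: app1` and `app: app2`, the external address is the `192.168.0.13` from the ServiceEntry in the original post, the `kube-system` and `istio-system` namespaces carry a `name` label (assumed; older clusters do not label namespaces by default), and the cluster's CNI enforces NetworkPolicy (without such a CNI the objects are accepted but silently do nothing). The first policy applies a default deny on egress for every pod in the namespace while still permitting DNS and the sidecar's control-plane traffic; the second adds an allow rule only for `app1` pods, so `app2` is blocked purely by the absence of a matching allow rule.

```yaml
# Added example, not from the thread. Egress control with Kubernetes
# NetworkPolicy: only pods labelled app=app1 may reach 192.168.0.13
# on TCP 443 and 8888; every other pod in the namespace is denied.
# Assumptions: namespace "demo"; kube-system / istio-system namespaces
# carry a "name" label; the CNI plugin enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: demo
spec:
  podSelector: {}            # selects every pod in the namespace
  policyTypes:
  - Egress                   # only the egress list below is allowed
  egress:
  # DNS: without this nothing in the namespace can resolve names
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system  # assumed label on the kube-system namespace
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Sidecar control plane (Pilot, and Mixer in Istio 1.4): the proxy
  # still needs to fetch its configuration and report policy checks
  - to:
    - namespaceSelector:
        matchLabels:
          name: istio-system # assumed label on the istio-system namespace
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app1-to-example
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: app1              # only app1 pods get this extra allow rule
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.0.13/32   # address from the ServiceEntry above
    ports:
    - protocol: TCP
      port: 443
    - protocol: TCP
      port: 8888
```

NetworkPolicy rules are additive, so an `app1` pod ends up with the union of both policies (DNS, istio-system, and the external IP), while an `app2` pod only matches the default-deny policy. Two caveats worth checking before relying on this: the policy keys on the IP, not on the hostname, so it has to be updated if the address behind example.com changes; and because the sidecar shares the pod's network namespace, the policy applies to traffic leaving the Envoy proxy as well, which is what makes it work where the Mixer check did not. Verify by running a connection attempt from one pod of each app and confirming that only the `app1` pod succeeds.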

We have open-sourced an example repository which demonstrates a possible solution for this use case. For more details, check out the related blog post.