I want to limit some pods' access to an external service. Two apps, A and B: A can access example.com, but B can't access example.com. A and B are in the same namespace.
Create the ServiceEntry for the external service:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: example
spec:
  hosts:
  - example.com
  addresses:
  - 192.168.0.13
  ports:
  - number: 8888
    name: tcp-8888
    protocol: TCP
  - number: 443
    name: tcp-443
    protocol: TCP
  location: MESH_EXTERNAL
  exportTo:
  - "."
Create a policy to limit access to this ServiceEntry to pods whose app label is app1:
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides:
    - app1
    blacklist: false
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: appname
spec:
  compiledTemplate: listentry
  params:
    value: source.labels["app"]
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkapp
spec:
  match: destination.service.host == "example.com"
  actions:
  - handler: whitelist
    instances: [ appname ]
But it does not work.
Istio 1.4.0 and Kubernetes 1.14.4.
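An added check, not part of the original post and not Istio's own tooling: an Istio 1.4 default-profile install sets disablePolicyChecks: true in the mesh config (the `istio` ConfigMap in istio-system, key `mesh`), and while that is set Mixer check adapters such as listchecker are never consulted, so a whitelist rule like the one above has no effect. The helper below reads that setting; `check_cluster` and its namespace argument are assumed names, and it expects kubectl access when run live.

```sh
#!/usr/bin/env sh
# Added example (not from the post): detect whether Mixer policy checks are
# enabled, because a listchecker rule is only evaluated when they are.

# policy_checks_enabled MESH_TEXT
#   $1 is the text of the `mesh` key of the istio ConfigMap.
#   Returns 0 when checks are enabled, 1 when disablePolicyChecks is true.
policy_checks_enabled() {
  mesh="$1"
  if printf '%s\n' "$mesh" | grep -Eq '^[[:space:]]*disablePolicyChecks:[[:space:]]*true'; then
    return 1
  fi
  return 0
}

# check_cluster [NAMESPACE]  (assumed helper; requires kubectl against a live cluster)
#   Prints the policy-check state and lists the Mixer objects in the
#   namespace that holds the workloads, so a missing handler/instance/rule
#   or a disabled policy path is visible before testing traffic.
check_cluster() {
  ns="${1:-default}"
  mesh="$(kubectl -n istio-system get configmap istio -o jsonpath='{.data.mesh}')"
  if policy_checks_enabled "$mesh"; then
    echo "policy checks: enabled"
  else
    echo "policy checks: DISABLED (disablePolicyChecks: true); listchecker rule will not run"
  fi
  kubectl -n "$ns" get handlers.config.istio.io,instances.config.istio.io,rules.config.istio.io
}

# Run live only when invoked as: sh this.sh --live <namespace>
if [ "${1:-}" = "--live" ]; then
  check_cluster "${2:-default}"
fi
```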