How to restrict access to an external service for a specific app

I want to limit some pods' access to an external service. There are two apps, A and B: A can access example.com, but B can't access example.com. A and B are in the same namespace.
Create the ServiceEntry for the external service:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: example
spec:
  hosts:
  - example.com
  addresses:
  - 192.168.0.13
  ports:
  - number: 8888
    name: tcp-8888
    protocol: TCP
  - number: 443
    name: tcp-443
    protocol: TCP
  location: MESH_EXTERNAL
  exportTo:
    - .

Create a policy so that only pods whose app label is app1 can access this ServiceEntry:

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides:
      - app1
    blacklist: false

---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: appname
spec:
  compiledTemplate: listentry
  params:
    value: source.labels["app"]

---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkapp
spec:
  match: destination.service.host == "example.com"
  actions:
  - handler: whitelist
    instances: [ appname ]

But it does not work.
Istio 1.4.0 and Kubernetes 1.14.4.

I have a similar kind of request as well. Please let me know if you are able to solve this :slight_smile: