How to restricted access external service on special app

Policies and Telemetry
1

I want to limit some pod to access external service. two app A and B, A can access example.com, but B can’t access example.com. A and B in same namespace.
create the serviceentry for external service

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: example
spec:
  hosts:
  - example.com
  addresses:
  - 192.168.0.13
  ports:
  - number: 8888
    name: tcp-8888
    protocol: TCP
  - number: 443
    name: tcp-443
    protocol: TCP
  location: MESH_EXTERNAL
  exportTo:
    - .

create policy to limit pod label contain app is app1 can access this serviceentry

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides:
      - app1
    blacklist: false

---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: appname
spec:
  compiledTemplate: listentry
  params:
    value: source.labels["app"]

---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkapp
spec:
  match: destination.service.host == "example.com"
  actions:
  - handler: whitelist
    instances: [ appname ]

but it not work
istio 1.4.0 and kubernetes 1.14.4

2

I have the similar kind of request as well, Please let me know if you are able to solve this :slight_smile:

3

@wu0407: Were you able to solve this?
The approach looks right… Can you make sure from istio mixer logs that the values of your attributes source.labels["app"] and destination.service.host == "example.com" are the one’s you expect them to be?

4

yes,mixer logs has source.labels[“app”] and destination.service.host == “example.com”, it work with k8s service, but not serviceentry.

5

Current policy is checked on inbound traffic, so access external service not check policy.

6

As Mixer has been deprecated in 1.5, please consider using authorization policy to allow/deny requests. Thank you, and reach out if you have any questions.

7

I have not use Istio 1.5, and i’v tried authorization policy but failed.
But I know Kubernetes Network Policy can do this.

8

We have open-sourced an example repository which demonstrates a possible solution for this use case. For more details, check out the related blog post.