Multicluster control options for gateway

Hello, I have the bookinfo experiment running on my multicluster shared multi-network topology. In this case, when I deploy authorization policies to make service calls across clusters, the gateways will handle and automatically pass through the traffic. So out of curiosity, does Istio provide additional authorization policies for the gateways to define rules to pass traffic across clusters?
Also, I notice some interesting options in
kubectl edit cm -n istio-system istio
but I'm not clear on other options such as ingressControllerMode or outboundTrafficPolicy. Are there documents explaining those options for access control between clusters? An ideal case will be to filter traffic based on service or cluster or both. Please advise. Thanks!

cc @YangminZhu for the authorization policies.

So out of curiosity, does Istio provide additional authorization policies for the gateways to define rules to pass traffic across clusters?

I’m not sure what you mean by additional authorization policies? The AuthorizationPolicy is supported on Istio Gateway just as on Sidecars.

I notice some interesting options in
kubectl edit cm -n istio-system istio
but I'm not clear on other options such as ingressControllerMode or outboundTrafficPolicy. Are there documents explaining those options for access control between clusters

I think these are more for traffic control (e.g. routing, load balancing). It may be able to provide some level of access control, but please note that it’s not designed/implemented/tested the same way we do for security policy (e.g. AuthorizationPolicy) and you’re at your own risk if you use it as security policy.

I’m not sure about the documentation about it (@Costin_Manolache, @rshriram probably should know more)