I’m trying to limit the ability to call an “internet” endpoint to a single service (account) in the mesh. I’ve got outboundPolicy set to REGISTRY_ONLY and have whitelisted certain DNS names with ServiceEntries. However this allows anyone to egress to them, and I’d like to restrict that to a single principal.
I can’t for the life of me work out how to do this, or even if it’s possible, but I’m probably just googling the wrong thing. This blog strongly implies that this is possible, but the follow-up with the details isn’t available:
This issue is the only source I can find that talks about this, and I would guess for v1alpha3 I’d just reference the SE as the “service” here?
However, even with RBAC set to “ON”, all services are allowed to egress, so clearly RBAC isn’t denying this by default - is there another step I need to take to get deny-by-default, then use the method above to selectively open (service, egress) pairs back up?