Restrict access from one service to another

Good day!

We are thinking about deploying the Istio service mesh in our cluster. One of the tasks is a convenient way of restricting access from one service to another. In plain Kubernetes we can do it with Network Policies.
With what kind of object can we achieve it in Istio?

Thank you!

Hi @reistlin,

In Istio you have a few options.

If you’re using Calico for Network Policy, you can use Calico’s integration with Istio to extend your existing Network Policy to the application layer.

Or, you can use Istio’s built-in authorization framework, which involves creating ServiceRole and ServiceRoleBinding objects.

Finally, you can use one of several Mixer adapters that allow you to enforce access control.

Hope that helps,
Spike

As @spikecurtis mentioned, one of the options is to use Istio authorization. You can try this task to see how it works: https://istio.io/docs/tasks/security/authz-http/. Istio authorization is usually used together with authentication. If you decide to use mTLS for your service-to-service communication (which does not require changing any code in your applications), you will also get encrypted communication out of the box.
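To make the two replies above concrete, here is an added worked example (not code from either reply or from the linked Istio task) of restricting service-to-service access with the Istio v1alpha1 RBAC objects Spike names (RbacConfig, ServiceRole, ServiceRoleBinding), combined with the namespace-wide mTLS policy the second reply recommends. The namespace `default`, the services `frontend` and `backend`, and the service account `frontend` are assumed names for this illustration; substitute your own.

```yaml
# Added example, not from the original thread. Istio v1alpha1 RBAC API
# (ServiceRole/ServiceRoleBinding, Istio 1.0-1.3). Istio 1.4+ replaced these
# objects with AuthorizationPolicy; the structure of the policy is the same:
# enable enforcement, define what may be accessed, bind it to an identity.

# 1. Turn RBAC on for the assumed "default" namespace only. Once a namespace
#    is included, every request to a service in it is denied unless some
#    ServiceRole/ServiceRoleBinding pair allows it (default deny).
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default            # RbacConfig is a mesh-wide singleton named "default"
  namespace: istio-system
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    namespaces: ["default"]
---
# 2. A role describing what may be accessed: GET on the assumed "backend"
#    service. The service name must be the fully qualified cluster host.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: backend-reader
  namespace: default
spec:
  rules:
  - services: ["backend.default.svc.cluster.local"]
    methods: ["GET"]
---
# 3. Bind the role to the workload identity of the caller. The "user" is the
#    SPIFFE identity Istio derives from the caller's client certificate, so
#    it is populated only when the caller reaches the sidecar over mTLS.
#    Assumed: frontend pods run under service account "frontend".
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: frontend-to-backend
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/frontend"
  roleRef:
    kind: ServiceRole
    name: "backend-reader"
---
# 4. Require mTLS for every workload in the namespace. A namespace-wide
#    authentication Policy must be named "default".
apiVersion: "authentication.istio.io/v1alpha1"
kind: Policy
metadata:
  name: default
  namespace: default
spec:
  peers:
  - mtls: {}
---
# 5. Tell client sidecars to originate mTLS towards services in the namespace;
#    without this DestinationRule the clients would keep sending plaintext
#    and be rejected once the server side requires mTLS.
apiVersion: "networking.istio.io/v1alpha3"
kind: DestinationRule
metadata:
  name: default
  namespace: default
spec:
  host: "*.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Two points worth checking after applying this. First, the ServiceRoleBinding matches on the caller's certificate identity, so the RBAC rule and the mTLS policy are not independent: with RBAC on and mTLS off, the source principal is empty, no binding matches, and every request is denied. Second, verify both directions from inside the mesh rather than trusting the objects were accepted: a GET from a `frontend` pod to `backend` should succeed, while the same GET from a pod running under any other service account (or a POST from `frontend`) should get a 403 from the backend's sidecar.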