VirtualService Authorization / Delegation

I’m looking to use Istio Ingress in a cluster that I’m experimenting with. However, one outstanding item that I’m not sure how to solve (or if it’s solvable today) in Istio is the ability to delegate the ownership of a subdomain to a given namespace, so that there are no concerns that two competing projects/namespaces can claim ownership of .

The best example of what I’m trying to accomplish that I could find is Heptio Contour, which allows you to define a root IngressRoute that delegates responsibility for a subdomain to a specific namespace.

Is this possible with Istio? I haven’t found anything in the documentation about this sort of setup yet.

Add @liminwang, @YangminZhu as the subject is related to Authorization.


You might want to ask this in the networking group and also take a look at the exportTo field in VirtualService API:

@YangminZhu Thanks, I’ll ask this there. The exportTo field doesn’t really satisfy what I’m looking for since that’s the VirtualService specifying what namespaces it should be exported to for visibility.

What I’m actually looking for is extremely similar to the hosts option for the Gateway resource where you can specify something like hello-world/ to only respect VirtualServices that reference from the namespace hello-world.

Basically I want that, but with paths in addition to the hostname. Imagine that you have an application that is built from many different micro-services distributed amongst many different teams all running under a single domain. I’d like to be able to delegate permissions for a particular hostname and path to a namespace to ensure that one team cannot mess with another team’s routes.
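
An added example, not part of the original thread and not an Istio feature: one way to get the host-plus-path delegation described above is to check VirtualService manifests against an ownership table before they are applied, for instance in CI or an admission webhook. The `DELEGATIONS` format, hostnames and namespaces are constructed, and hosts are compared as exact strings and URI prefixes as plain string prefixes (assumptions).

```python
# Constructed delegation table (hypothetical format, not an Istio API):
# each host + URI prefix is delegated to exactly one namespace.
DELEGATIONS = [
    ("shop.example.com", "/cart", "team-cart"),
    ("shop.example.com", "/search", "team-search"),
]

def owner_for(host, path):
    """Namespace owning host+path by longest delegated prefix, else None."""
    hits = [(len(p), ns) for h, p, ns in DELEGATIONS
            if h == host and path.startswith(p)]
    return max(hits)[1] if hits else None

def claims(vs):
    """Yield (host, kind, path) for every HTTP route the manifest declares."""
    for host in vs["spec"].get("hosts", []):
        for route in vs["spec"].get("http", []):
            for m in route.get("match") or [{}]:
                uri = m.get("uri", {})
                if "exact" in uri:
                    yield host, "exact", uri["exact"]
                else:
                    # No uri, or a regex, is treated as claiming the whole host.
                    yield host, "prefix", uri.get("prefix", "/")

def violations(vs):
    """Claims that fall outside what the manifest's namespace was delegated."""
    ns, out = vs["metadata"]["namespace"], []
    for host, kind, path in claims(vs):
        bad = owner_for(host, path) != ns
        if kind == "prefix":
            # A prefix also swallows longer prefixes delegated to others.
            bad = bad or any(h == host and p.startswith(path) and o != ns
                             for h, p, o in DELEGATIONS)
        if bad:
            out.append((host, kind, path))
    return out

# Constructed VirtualService manifests, already parsed into dicts.
CART_VS = {"metadata": {"namespace": "team-cart"}, "spec": {
    "hosts": ["shop.example.com"],
    "http": [{"match": [{"uri": {"prefix": "/cart/items"}}]}]}}
ROGUE_VS = {"metadata": {"namespace": "team-search"}, "spec": {
    "hosts": ["shop.example.com"],
    "http": [{"match": [{"uri": {"prefix": "/search"}},
                        {"uri": {"exact": "/cart/checkout"}}]},
             {"route": []}]}}

print(violations(CART_VS), violations(ROGUE_VS))
```

The second manifest is flagged twice: once for an exact path inside another team's prefix, and once for a route with no `match`, which would otherwise catch every path on the host.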