This task shows how to use Istio to control access to a service.
Setup Istio by following the instructions in the Installation guide.
Deploy the BookInfo sample application.
Initialize the application version routing to direct
reviews service requests from test user “jason” to version v2 and requests from any other user to v3.
istioctl create -f samples/apps/bookinfo/route-rule-reviews-test-v2.yaml istioctl create -f samples/apps/bookinfo/route-rule-reviews-v3.yaml
Note: if you have conflicting rule that you set in previous tasks, use
istioctl replaceinstead of
Using Istio you can control access to a service based on any attributes that are available within Mixer. This simple form of access control is based on conditionally denying requests using Mixer selectors.
Consider the BookInfo sample application where the
ratings service is accessed by multiple versions of the
reviews service. We would like to cut off access to version
v3 of the
Point your browser at the BookInfo
If you log in as user “jason”, you should see black ratings stars with each review, indicating that the
ratings service is being called by the “v2” version of the
If you log in as any other user (or logout) you should see red ratings stars with each review, indicating that the
ratings service is being called by the “v3” version of the
Explicitly deny access to version
v3 of the
istioctl mixer rule create global ratings.default.svc.cluster.local -f samples/apps/bookinfo/mixer-rule-ratings-denial.yaml
This command sets configuration for
subject=ratings.default.svc.cluster.local. You can display the current configuration with the following command:
istioctl mixer rule get global ratings.default.svc.cluster.local
which should produce:
rules: - aspects: - kind: denials selector: source.labels["app"]=="reviews" && source.labels["version"] == "v3"
This rule uses the
denials aspect to deny requests coming from version
v3 of the reviews service. The
denials aspect always denies requests with a pre-configured status code and message. The status code and the message is specified in the DenyChecker adapter configuration.
productpage in your browser.
If you are logged out or logged in as any user other than “jason” you will no longer see red ratings stars because the
reviews:v3 service has been denied access to the
ratings service. Notice, however, that if you log in as user “jason” (the
reviews:v2 user) you continue to see the black ratings stars.
Istio also supports attribute-based white and blacklists. Using a whitelist is a two step process.
Add an adapter definition for the
genericListChecker adapter that lists versions
- name: versionList impl: genericListChecker params: listEntries: ["v1", "v2"]
whitelist checking by using the
rules: aspects: - kind: lists adapter: versionList params: blacklist: false checkExpression: source.labels["version"]
checkExpression is evaluated and checked against the list
[v1, v2]. The check behavior can be changed to a blacklist by specifying
blacklist: true. The expression evaluator returns the value of the
version label as specified by the
The current version of
istioctl does not yet support pushing adapter configurations like the one in step 1. There is, however, a workaround that you can use if you want to try it out anyway.
Remove the mixer configuration rule:
istioctl mixer rule delete global ratings.default.svc.cluster.local
Remove the application routing rules:
istioctl delete -f samples/apps/bookinfo/route-rule-reviews-test-v2.yaml istioctl delete -f samples/apps/bookinfo/route-rule-reviews-v3.yaml