This task shows how to securely control access to a service, using the service accounts provided by Istio authentication.
When Istio mutual TLS authentication is enabled, the server authenticates the client according to its certificate, and obtains the client’s service account from the certificate. The service account is in the source.user attribute. For the format of the service account in Istio, please refer to the Istio auth identity.
Deploy the BookInfo sample application.
Run the following command to create the service account bookinfo-productpage, and redeploy the productpage service with that service account.
kubectl create -f <(istioctl kube-inject -f samples/bookinfo/kube/bookinfo-add-serviceaccount.yaml)
Note: if you are using a namespace other than default, use istioctl -n namespace ... to specify the namespace.
In the BookInfo sample application, the productpage service accesses both the reviews service and the details service. We would like the details service to deny the requests from the productpage service.
Point your browser at the BookInfo productpage.
You should see the “Book Details” section in the lower left part of the page, including type, pages, publisher, etc. The productpage service obtains the “Book Details” information from the details service.
Explicitly deny the requests from productpage to details.
Run the following command to set up the deny rule along with a handler and an instance.
istioctl create -f samples/bookinfo/kube/mixer-rule-deny-serviceaccount.yaml
You can expect to see the output similar to the following:
Created config denier/default/denyproductpagehandler at revision 2877836
Created config checknothing/default/denyproductpagerequest at revision 2877837
Created config rule/default/denyproductpage at revision 2877838
Notice the following match condition in the denyproductpage rule:
match: destination.labels["app"] == "details" && source.user == "spiffe://cluster.local/ns/default/sa/bookinfo-productpage"
It matches requests coming from the service account “spiffe://cluster.local/ns/default/sa/bookinfo-productpage” on the details service.
Note: If you are using a namespace other than default, replace default with your namespace in the value of source.user.
This rule uses the denier adapter to deny these requests. The adapter always denies requests with a pre-configured status code and message. The status code and message are specified in the denier adapter configuration.
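The match condition above has two terms, and the note about namespaces matters because the second term is an exact string comparison: a caller in another namespace carries a different SPIFFE ID and is simply not matched, so the request is allowed through. The following added example (not Istio or BookInfo code) re-implements that comparison in plain Python so the effect can be checked offline; Mixer's real expression language is not used, and the attribute dictionaries are constructed for the example.

```python
"""Offline check of the BookInfo deny rule's match condition.

Added example, not Istio code. It mirrors the two-term expression
  destination.labels["app"] == "details" &&
  source.user == "spiffe://cluster.local/ns/<ns>/sa/bookinfo-productpage"
against constructed attribute sets of the kind a sidecar reports to Mixer.
"""
from urllib.parse import urlparse

TRUST_DOMAIN = "cluster.local"  # trust domain used in the page's SPIFFE ID


def spiffe_id(namespace: str, service_account: str,
              trust_domain: str = TRUST_DOMAIN) -> str:
    """Build the Istio identity for a Kubernetes service account."""
    return f"spiffe://{trust_domain}/ns/{namespace}/sa/{service_account}"


def parse_spiffe_id(uri: str) -> dict:
    """Split an Istio identity into trust domain, namespace and service account.

    Raises ValueError for anything that does not have the expected shape,
    so a malformed or non-SPIFFE source.user is never silently accepted.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "spiffe" or not parsed.netloc:
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "ns" or parts[2] != "sa":
        raise ValueError(f"unexpected Istio identity path: {parsed.path!r}")
    return {"trust_domain": parsed.netloc,
            "namespace": parts[1],
            "service_account": parts[3]}


def is_istio_identity(uri: str) -> bool:
    """True if the value parses as an Istio service-account identity."""
    try:
        parse_spiffe_id(uri)
        return True
    except ValueError:
        return False


def deny_rule_matches(attrs: dict, rule_namespace: str = "default") -> bool:
    """Evaluate the rule's match clause over a flat attribute dict.

    rule_namespace is the namespace written into the rule's source.user
    value; the page's note says to change it when not using "default".
    """
    labels = attrs.get("destination.labels", {})
    expected_user = spiffe_id(rule_namespace, "bookinfo-productpage")
    # A caller without mutual TLS has no source.user at all, so the
    # equality test fails and the rule does not apply to it.
    return labels.get("app") == "details" and attrs.get("source.user") == expected_user


# Constructed attribute sets standing in for sidecar-reported attributes.
PRODUCTPAGE_TO_DETAILS = {
    "source.user": spiffe_id("default", "bookinfo-productpage"),
    "destination.labels": {"app": "details"},
}
PRODUCTPAGE_TO_REVIEWS = {
    "source.user": spiffe_id("default", "bookinfo-productpage"),
    "destination.labels": {"app": "reviews"},
}
OTHER_NAMESPACE_TO_DETAILS = {  # same service account name, deployed in "bookinfo"
    "source.user": spiffe_id("bookinfo", "bookinfo-productpage"),
    "destination.labels": {"app": "details"},
}
PLAINTEXT_TO_DETAILS = {  # no client certificate, hence no source.user
    "destination.labels": {"app": "details"},
}


def summary(rule_namespace: str = "default") -> dict:
    """Map each constructed scenario to whether the rule would deny it."""
    scenarios = {
        "productpage -> details": PRODUCTPAGE_TO_DETAILS,
        "productpage -> reviews": PRODUCTPAGE_TO_REVIEWS,
        "productpage (ns bookinfo) -> details": OTHER_NAMESPACE_TO_DETAILS,
        "plaintext caller -> details": PLAINTEXT_TO_DETAILS,
    }
    return {name: deny_rule_matches(a, rule_namespace) for name, a in scenarios.items()}


if __name__ == "__main__":
    for name, denied in summary().items():
        print(f"{name:40s} denied={denied}")
```

Run it as a script to see that only the in-namespace productpage caller is denied; passing summary("bookinfo") shows what the rule would do after the namespace substitution from the note. The plaintext scenario is the reason the task requires mutual TLS: without a client certificate there is no source.user for the rule to compare against.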
Refresh the productpage in your browser.
You will see the message “Error fetching product details! Sorry, product details are currently unavailable for this book.” in the lower left section of the page. This validates that the access from productpage to details is denied.
Remove the Mixer configuration:
istioctl delete -f samples/bookinfo/kube/mixer-rule-deny-serviceaccount.yaml
If you are not planning to explore any follow-on tasks, refer to the BookInfo cleanup instructions to shut down the application.