Currently our GKE cluster consists of multiple services running in different namespaces, and each service communicates with the others too. We're using:
Right now, I also want to incorporate Istio security policy to enforce security of svc-to-svc communication. I understand the basic concept of it. Now, my case is how to put which service policy in what repo.
For example: given that I have Service A (client) communicating with Service B (server). Istio has 3 different kinds of policy enforcement:
Since our GKE cluster is still in the early stage of using Istio and I want to have little effort on central governance, I prefer to adopt service-specific policy, so each service owner can govern the policy too.
I am thinking to put Policy (service-specific policy) in each service repo that acts as a server. The reasoning behind this is that Policy enforces incoming traffic policy for the service (not the outgoing). But I am wondering how about the DestinationRule? From the article Istio provides here:
"To configure the client side, you need to set destination rules to use mutual TLS."
From the quote above, I get the understanding that DestinationRule is the one that enforces the client side (which has the Istio sidecar container). So DestinationRule should be put in the client service repo (in the given case, it is the Service A repo).
But of course, on the server side (the Service B repo), the team also wants to have a certain load balancing and traffic splitting mechanism (canary, stable, versioning, etc.), which can only be defined by VirtualService and DestinationRule.
Any thoughts about this? Does anyone have a general pattern/approach for designing these policy manifests (Istio YAML files) around services in a repository?
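As an added illustration (not part of the original question), here is what the three resources look like when all of them are keyed on the server, Service B, so that they can live together in B's repo: the Policy restricts inbound mTLS to B only, the DestinationRule tells every calling sidecar how to reach B (ISTIO_MUTUAL plus the subsets), and the VirtualService owns the canary split. The Policy kind is the `authentication.istio.io/v1alpha1` API the question refers to (Istio 1.4 and earlier; 1.5+ replaced it with PeerAuthentication); the `team-b` namespace, the `service-b` name and the version labels are assumptions.

```yaml
# Server side: require mTLS for inbound traffic to service-b only (assumed names).
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: service-b-mtls
  namespace: team-b
spec:
  targets:
  - name: service-b
  peers:
  - mtls: {}
---
# Client side: keyed on the host, so it describes how to reach B, not who calls it.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: service-b
  namespace: team-b
spec:
  host: service-b
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: stable
    labels:
      version: v1
  - name: canary
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-b
  namespace: team-b
spec:
  hosts:
  - service-b
  http:
  - route:
    - destination:
        host: service-b
        subset: stable
      weight: 90
    - destination:
        host: service-b
        subset: canary
      weight: 10
```

Because the DestinationRule is selected by destination host rather than by caller, a single copy in B's repo governs every client sidecar in the mesh; a client repo would only need its own DestinationRule if it wanted client-specific settings such as a different connection pool.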