We have an application with several services running in k8s. We want to move them into an Istio mesh with mTLS, in which case they can all communicate with each other (this part has been tested). Now I need to restrict some services within the mesh so that they can only talk to one service. Attempts to talk to other services that are not authorized should be blocked. Is this possible?
Since I have no way to configure the "source" of the request, and within the mesh anyone can talk to anyone, I can't do this.
Isn't "Micro-Segmentation with Istio Authorization" what you are looking for? Especially under 'Combinations of Attributes' there are different ways of segmenting based on source.namespace and source.principal. I have seen a few demos showcasing these features, though I have not played with them personally.
Istio can control access to a service based on any attributes that are available within Mixer. So what you are looking for is the Mixer denier adapter (see the "sample denials" in the Istio docs).
e.g.:
"deny all invocations from server1 (s1) to server2 (s2)"
```yaml
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: denyotherserverhandler
spec:
  compiledAdapter: denier
  params:
    status:
      code: 7
      message: Not allowed
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: denyotherserverrequest
spec:
  compiledTemplate: checknothing
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: denyotherserverrule
spec:
  match: destination.labels["app"] == "s2" && source.labels["app"]=="s1"
  actions:
  - handler: denyotherserverhandler
    instances: [ denyotherserverrequest ]
```
Istio 1.1+ includes a new Sidecar resource that can be used to configure the Envoy sidecar proxy of your services. You should be able to configure egress from your services so that they can only access the one service that they're allowed to call.
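As an added example (not from any of the answers above), here is how the client-side Sidecar egress restriction can be combined with a server-side AuthorizationPolicy (security.istio.io/v1beta1, Istio 1.4+) so that s1 can reach only s2, and s2 accepts only s1. It assumes both workloads live in a namespace named `app`, carry the labels `app: s1` / `app: s2`, and that s1 runs under the service account `s1`; those names are placeholders.

```yaml
# Client side: the proxy injected into s1 only learns about s2 (and the
# control plane namespace). With REGISTRY_ONLY, calls to any other host
# hit Envoy's BlackHoleCluster instead of being passed through.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: s1-egress-only-s2
  namespace: app            # assumed namespace
spec:
  workloadSelector:
    labels:
      app: s1               # assumed label
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - "istio-system/*"
    - "./s2.app.svc.cluster.local"
---
# Server side: enforce the same restriction where the traffic arrives.
# Client config alone is not a security boundary (a pod could bypass its
# own sidecar), so s2 admits only requests carrying s1's mTLS identity.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: s2-allow-only-s1
  namespace: app
spec:
  selector:
    matchLabels:
      app: s2               # assumed label
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE principal: <trust domain>/ns/<namespace>/sa/<service account>
        principals: ["cluster.local/ns/app/sa/s1"]
---
# Principals are only trustworthy when peers are forced to present a
# client certificate, so pin s2 to strict mTLS rather than permissive mode.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: s2-strict-mtls
  namespace: app
spec:
  selector:
    matchLabels:
      app: s2
  mtls:
    mode: STRICT
```

With these applied, a request from s1 to a third service (say s3) fails at s1's own proxy, and a request to s2 from any workload other than s1 is rejected by s2's proxy with HTTP 403; the latter is the check that actually holds if the Sidecar resource is misconfigured or removed.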