Virtual service is not working as expected

6/19/2019

I have one cluster with 3 pods and 3 services (first, second and third).

My services are:

aks-helloworld-first   cluster ip: 10.67.251.251
aks-helloworld-sec     cluster ip: 10.67.248.67
aks-helloworld-third   cluster ip: 10.67.240.154

The pods are:

aks-helloworld-first   selector: app=helloworld-first
aks-helloworld-sec     selector: app=helloworld-sec
aks-helloworld-third   selector: app=helloworld-third

I added the following virtual service:

apiVersion: networking.istio.io/v1alpha3   # required; without it kubectl rejects the manifest
kind: VirtualService
metadata:
  name: aks-helloworld-first-route
spec:
  hosts:
  - aks-helloworld-first
  http:
  - match:
    - sourceLabels:
        app: helloworld-third
    route:
    - destination:
        host: aks-helloworld-first

I expected to be able to access "first" only through "third". But when trying to access "first" through "second", I was able to do it as well.

I ran kubectl exec into the "second" pod and ran: curl -v http://10.67.251.251. I was able to access the "first" pod.

What am I missing?

-- inza
istio
kubernetes

1 Answer

7/3/2019

Virtual Service is a set of rules for routing external traffic.

It seems that you want to isolate one pod from another, and for this you might need to set up a NetworkPolicy.

By default, all pods are non-isolated; they accept traffic from any source. That's why:

I ran kubectl exec into the "second" pod and ran: curl -v http://10.67.251.251. I was able to access the "first" pod.

Pods become isolated by having a NetworkPolicy that selects them.

For example, to accomplish

access "first" only through "third"

you'll need this NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: helloworld-first        # the pod being isolated
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: helloworld-third    # the only pod allowed in
    ports:
    - port: my-http                # named container port of helloworld-first; or a number such as 80
-- A_Suh
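An added example (not from the question or the answer) that models how Kubernetes evaluates ingress NetworkPolicies against the three pods in this thread: with no policy selecting "first", "second" reaches it (the default non-isolated behaviour the answer describes); with the answer's policy applied, only "third" on the allowed port does. The pod labels and the policy dict are constructed to mirror the page, and "my-http" is assumed to be a named container port on the helloworld-first pod.

```python
from typing import Dict, List

# Pod labels, mirroring the three pods described in the question (constructed).
PODS: Dict[str, Dict[str, str]] = {
    "aks-helloworld-first": {"app": "helloworld-first"},
    "aks-helloworld-sec": {"app": "helloworld-sec"},
    "aks-helloworld-third": {"app": "helloworld-third"},
}

# The answer's NetworkPolicy as the API server would parse it, written as a dict
# so the example needs no YAML library. "my-http" is an assumed named container port.
POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"app": "helloworld-first"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "helloworld-third"}}}],
            "ports": [{"port": "my-http"}],
        }],
    }
}


def selects(selector: dict, labels: Dict[str, str]) -> bool:
    """A selector matches when every matchLabels pair is present; {} matches all pods."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies: List[dict], dst: str, src: str, port) -> bool:
    """Is traffic from pod `src` to pod `dst` on `port` allowed?

    Kubernetes semantics: a pod stays non-isolated (everything allowed) until some
    Ingress policy selects it; after that a packet is allowed only if some rule of
    some selecting policy matches the source (empty `from` = any source) and the
    port (empty `ports` = any port). Only same-namespace podSelector peers are modelled.
    """
    dst_labels, src_labels = PODS[dst], PODS[src]
    selecting = [p["spec"] for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selects(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True  # default: the pod accepts traffic from any source
    for spec in selecting:
        for rule in spec.get("ingress", []):
            peers, ports = rule.get("from", []), rule.get("ports", [])
            peer_ok = not peers or any(selects(peer["podSelector"], src_labels)
                                       for peer in peers if "podSelector" in peer)
            port_ok = not ports or any(pp.get("port") == port for pp in ports)
            if peer_ok and port_ok:
                return True
    return False  # isolated pod, no rule matched
```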
Source: StackOverflow