Chapter 7. Security

Istio’s security capabilities are evolving quickly, and as of this writing, the Access Control List (ACL) is one of the primary tools for injecting security constructs into an application with no impact on the application code itself. In this chapter, we explore two such constructs: the blacklist and the whitelist.

Blacklist

Let’s begin with the blacklist: conditionally denying requests using Mixer selectors. A blacklist is an explicit denial of particular invocation paths. In the example that follows, we want to explicitly close the route from customer to preference, so any request from customer to preference returns HTTP 403 Forbidden. Establishing this requires three kinds of Istio Mixer configuration: a denier (the handler that produces the denial), a checknothing (the instance the handler is evaluated against), and a rule (the match condition that ties the two together):

# Handler: what Mixer returns when the rule below fires.
# Status code 7 is the gRPC PERMISSION_DENIED code, surfaced to the caller as HTTP 403.
apiVersion: "config.istio.io/v1alpha2"
kind: denier
metadata:
  name: denycustomerhandler
spec:
  status:
    code: 7
    message: Not allowed
---
# Instance: checknothing carries no data; it exists only so the rule has something to hand the denier.
apiVersion: "config.istio.io/v1alpha2"
kind: checknothing
metadata:
  name: denycustomerrequests
spec:
---
# Rule: the match expression selects calls from customer to preference and routes them to the denier.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: denycustomer
spec:
  match: destination.labels["app"] == "preference" && source.labels["app"] == "customer"
  actions:
  - handler: denycustomerhandler.denier
    instances: [ denycustomerrequests.checknothing ]
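To make the rule's effect concrete before touching a cluster, here is an added example (not Istio's code and not part of the original chapter) that evaluates the subset of Mixer's match language used above, label equalities joined by `&&`, against constructed attribute bags for a few service-to-service calls. The attribute names `source.labels` and `destination.labels` and the status code 7 come from the rule; the request helper, the service names other than customer and preference, and the gRPC-to-HTTP table are assumptions made for the illustration. It generalizes slightly beyond the page by accepting any conjunction of label equalities, not only the one rule shown.

```python
"""Offline evaluation of an Istio Mixer blacklist rule.

Added example: implements the '<attr>["key"] == "value" && ...' subset of
Mixer's match language and applies it to constructed request attributes to
show which calls the denier rejects. Mixer's real evaluator (Go) is far more
general; this only mirrors the behaviour needed for the ACL rule above.
"""
import re
from typing import Dict, List, Tuple

# One term of a match expression: <attribute>["<key>"] == "<value>"
TERM_RE = re.compile(r'^\s*([\w.]+)\["([^"]+)"\]\s*==\s*"([^"]*)"\s*$')

# gRPC status codes a denier handler may return, mapped to the HTTP status the
# sidecar reports to the caller. Code 7 (PERMISSION_DENIED) is the one in the
# denier above and is what yields the 403. (Assumed table, limited to what is
# needed here.)
GRPC_TO_HTTP = {0: 200, 7: 403, 16: 401}

# Match expression and status code taken from the acl-blacklist rule above.
DENY_CUSTOMER_MATCH = (
    'destination.labels["app"] == "preference" && source.labels["app"]=="customer"'
)
DENY_CODE = 7


def parse_match(expr: str) -> List[Tuple[str, str, str]]:
    """Split the expression on && and parse each term into (attribute, key, value)."""
    terms = []
    for raw in expr.split("&&"):
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported match term: {raw.strip()!r}")
        terms.append(m.groups())
    return terms


def rule_matches(expr: str, attrs: Dict[str, Dict[str, str]]) -> bool:
    """True when every term holds for the request's attribute bag.

    A missing attribute or label makes its term false, so the rule does not
    fire and the request is allowed through: a blacklist only denies what it
    explicitly names.
    """
    return all(
        attrs.get(attr, {}).get(key) == value
        for attr, key, value in parse_match(expr)
    )


def check(expr: str, deny_code: int, attrs: Dict[str, Dict[str, str]]) -> int:
    """Mixer-style check for one request: the denier fires only on a match."""
    return GRPC_TO_HTTP[deny_code] if rule_matches(expr, attrs) else 200


def request(src_app: str, dst_app: str) -> Dict[str, Dict[str, str]]:
    """Constructed attribute bag for a call between two labelled services."""
    return {"source.labels": {"app": src_app}, "destination.labels": {"app": dst_app}}


if __name__ == "__main__":
    # Constructed call chain: only customer -> preference is on the blacklist.
    for src, dst in [("customer", "preference"),
                     ("preference", "recommendation"),
                     ("customer", "recommendation")]:
        status = check(DENY_CUSTOMER_MATCH, DENY_CODE, request(src, dst))
        print(f"{src} -> {dst}: HTTP {status}")
```

Running it shows the customer-to-preference call answered with 403 while the other two pass with 200, which is the same outcome you will observe from the sidecars once the YAML is applied. Keeping such an evaluator beside the policy files is a cheap way to review an ACL change before it reaches the mesh.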

You use istioctl to create the denier, checknothing, and rule objects:

istioctl create -f istiofiles/acl-blacklist.yml -n tutorial

Next, attempt to curl the customer endpoint:

curl customer-tutorial.$(minishift ...

Get Introducing Istio Service Mesh for Microservices now with the O’Reilly learning platform.
