See the overview of Mixer at istio.io.
-
Block access to the Hello World service.
istioctl create -f guestbook/mixer-rule-denial.yaml
This creates the mixer-rule-denial.yaml rule:

    # Create a denier that returns a google.rpc.Code 7 (PERMISSION_DENIED)
    apiVersion: "config.istio.io/v1alpha2"
    kind: denier
    metadata:
      name: denyall
      namespace: istio-system
    spec:
      status:
        code: 7
        message: Not allowed
    ---
    # The (empty) data handed to denyall at run time
    apiVersion: "config.istio.io/v1alpha2"
    kind: checknothing
    metadata:
      name: denyrequest
      namespace: istio-system
    spec:
    ---
    # The rule that uses denier to deny requests to the helloworld service
    apiVersion: "config.istio.io/v1alpha2"
    kind: rule
    metadata:
      name: deny-hello-world
      namespace: istio-system
    spec:
      match: destination.service=="helloworld-service.default.svc.cluster.local"
      actions:
      - handler: denyall.denier
        instances:
        - denyrequest.checknothing
-
Verify that access is now denied.
curl http://$INGRESS_IP/hello/world
-
Clean up the rule.
istioctl delete -f guestbook/mixer-rule-denial.yaml
-
Block access to only v2 of the Hello World service deployment.
istioctl create -f guestbook/mixer-rule-denial-v2.yaml
This creates the mixer-rule-denial-v2.yaml rule:

    # The rule that uses denier to deny requests to version 2.0 of the helloworld service
    apiVersion: "config.istio.io/v1alpha2"
    kind: rule
    metadata:
      name: deny-hello-world
      namespace: istio-system
    spec:
      match: destination.service=="helloworld-service.default.svc.cluster.local" && destination.labels["version"] == "2.0"
      actions:
      - handler: denyall.denier
        instances:
        - denyrequest.checknothing
-
Verify that you can access the v1 service:
curl http://$INGRESS_IP/hello/world
-
Verify that access to v2 is denied:
curl http://$INGRESS_IP/hello/world -A mobile
-
Clean up the rule.
istioctl delete -f guestbook/mixer-rule-denial-v2.yaml
istioctl delete -f guestbook/route-rule-canary.yaml
istioctl delete -f guestbook/route-rule-user-agent-chrome.yaml
(Only if you applied the rule)
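The two verification steps for the v2-only rule can be combined into one repeatable check, run while the rule is still applied (before the cleanup step). This script is an added example, not part of the original codelab; the function names are hypothetical, and it assumes that Mixer's PERMISSION_DENIED reaches the client as HTTP 403, that an allowed request returns 200, and that requests with the default user agent are routed to v1.

```shell
# Added example: confirm that the deny rule blocks v2 without blocking v1.
# Assumptions (not stated in the codelab): denied requests return HTTP 403,
# allowed requests return HTTP 200, and default-user-agent traffic reaches v1.

# Print the HTTP status of a GET to $1, sending user agent $2 when given.
# curl prints 000 when no response arrives, which the check below reports as a failure.
http_status() {
  local url="$1" agent="${2:-}"
  if [ -n "$agent" ]; then
    curl -s -o /dev/null -m 10 -w '%{http_code}' -A "$agent" "$url"
  else
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$url"
  fi
}

# Compare an observed status ($3) with the expected one ($2); non-zero on mismatch.
expect_status() {
  local label="$1" want="$2" got="$3"
  if [ "$got" = "$want" ]; then
    echo "PASS $label: HTTP $got"
  else
    echo "FAIL $label: expected HTTP $want, got HTTP $got"
    return 1
  fi
}

# Run both probes from the steps above against base URL $1.
# Returns the number of failed expectations (0 means the rule behaves as intended).
verify_v2_denied() {
  local base="$1" failures=0
  expect_status "v1 (default user agent) is allowed" 200 \
    "$(http_status "$base/hello/world")" || failures=$((failures + 1))
  expect_status "v2 (-A mobile) is denied" 403 \
    "$(http_status "$base/hello/world" mobile)" || failures=$((failures + 1))
  return "$failures"
}

# Probe the cluster only when INGRESS_IP is set, as in the curl commands above.
if [ -n "${INGRESS_IP:-}" ]; then
  verify_v2_denied "http://$INGRESS_IP"
fi
```

A FAIL on the second probe means v2 is still reachable, so the rule is not being enforced; a FAIL on the first means the match expression is broader than intended.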