Allow access to a service only from an Istio Gateway / VirtualService

Time: 2019-12-18 09:35:57

Tags: istio

We have an API service that should only be reachable through a specific Istio Gateway/VirtualService.

Can this be achieved with Istio's AuthorizationPolicy?

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: selfserviceportal
spec:
  {}   # empty spec: no rules, so every request to workloads in this namespace is denied
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-server-svc
  namespace: selfserviceportal
spec:
  rules:
  - from:
    - source:
        # How do I reference the istio gateway/virtual service here?
    to:
    - operation:
        methods:
        - GET
  selector:            # must be nested under spec, and the label under matchLabels
    matchLabels:
      app: api-server-svc

This is the gateway that should be allowed:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-server-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "ssp-api-server.internalroot.net"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: api-server-vservice
spec:
  hosts:
  - "ssp-api-server.internalroot.net"
  gateways:
  - api-server-gateway
  http:
  - match:
    - uri:
        prefix: /api
    route:
    - destination:
        port:
          number: 8000
        host: api-server-svc
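An added example, not part of the question or of any answer on this page. AuthorizationPolicy cannot name a Gateway or VirtualService; what it can match is the identity of the workload that forwards the request, so the usual approach is to allow only the ingress gateway's SPIFFE principal. The example assumes the default Istio install, where the ingress gateway pods run in `istio-system` under the service account `istio-ingressgateway-service-account`; the STRICT PeerAuthentication uses the Istio 1.5+ API and is there because source principals are only populated on mTLS connections. The policy names and the `hosts`/`paths` restrictions are my choices, tied to the Gateway and VirtualService shown above.

```yaml
# Added example (not the poster's code). Assumes the default Istio ingress
# gateway identity; verify the service account on your cluster with:
#   kubectl -n istio-system get pod -l istio=ingressgateway \
#     -o jsonpath='{.items[*].spec.serviceAccountName}'
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: selfserviceportal
spec:
  mtls:
    mode: STRICT        # reject plaintext, so source.principals is always meaningful
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: selfserviceportal
spec:
  {}                    # empty spec: deny everything in the namespace by default
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-server-svc-from-ingress
  namespace: selfserviceportal
spec:
  selector:
    matchLabels:
      app: api-server-svc
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the ingress gateway workload (assumed default install).
        # Gateway and VirtualService names cannot be referenced here.
        principals:
        - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
    to:
    - operation:
        methods: ["GET"]
        # Optional: bind the allow rule to the host and path the VirtualService
        # above routes, so other gateway routes on the same pod cannot reach it.
        hosts: ["ssp-api-server.internalroot.net"]
        paths: ["/api/*"]
```

If your gateway runs under a different service account, or you want to allow any gateway in `istio-system`, replace `principals` with `namespaces: ["istio-system"]`; that field is also derived from the peer certificate, so it has the same mTLS requirement. To confirm the policy is doing what you expect, curl the service from a pod inside `selfserviceportal` (should get `RBAC: access denied`, HTTP 403) and then through the gateway host (should succeed).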

0 answers:

No answers