我想限制某些吊舱访问外部服务。 两个应用A和B,A可以访问example.com,但是B无法访问example.com。
创建外部服务的服务条目
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: example
spec:
hosts:
- example.com
addresses:
- 192.168.0.13
ports:
- number: 8888
name: tcp-8888
protocol: TCP
- number: 443
name: tcp-443
protocol: TCP
location: MESH_EXTERNAL
exportTo:
- .
创建限制Pod标签包含应用的策略,该应用是app1可以访问此服务条目
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
name: whitelist
spec:
compiledAdapter: listchecker
params:
overrides:
- app1
blacklist: false
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
name: appname
spec:
compiledTemplate: listentry
params:
value: source.labels["app"]
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
name: checkapp
spec:
match: destination.service.host == "example.com"
actions:
- handler: whitelist
instances: [ appname ]
但此设置无效