We can apply rules to outgoing services through the egress gateway to enable/disable access to external services. From a security standpoint, this is a nice capability that allows us to enforce rules outside the application framework. Let's take a look:
- Change mode: ALLOW_ANY to mode: REGISTRY_ONLY in the istio config map:
$ kubectl -n istio-system get cm istio -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -
configmap/istio replaced
- Now, double-check whether mode: REGISTRY_ONLY has been set:
$ kubectl -n istio-system get cm istio -o yaml | grep -m 1 -o "mode: REGISTRY_ONLY"
mode: REGISTRY_ONLY
- Wait a couple of seconds for the configuration to push down to the proxy sidecar.
This gives us a reverse firewall on outbound access for all of our microservices: a ServiceEntry must be created for each external endpoint before services can reach it.
- Repeat the curl test for external services:
$ kubectl -n istio-lab exec -it -c ratings $RATING_POD -- curl -LI https://www.ibm.com | grep "HTTP/"
command terminated with exit code 35
$ kubectl -n istio-lab exec -it -c ratings $RATING_POD -- curl -LI https://www.cnn.com | grep "HTTP/"
command terminated with exit code 35
By using the preceding technique, it is possible to block access to external services from microservices.
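To re-open a single destination under REGISTRY_ONLY, the ServiceEntry mentioned earlier is the allow-list entry. The following manifest is an added example and not part of the original text; the resource name ibm-ext is an assumption, while the istio-lab namespace and the www.ibm.com host come from the test above.

```yaml
# Added example: allow-list one external HTTPS host while the mesh stays in REGISTRY_ONLY mode.
# Only hosts declared in a ServiceEntry are reachable; everything else is still blocked.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: ibm-ext            # assumed name, pick any
  namespace: istio-lab     # same namespace as the ratings pod used in the curl test
spec:
  hosts:
  - www.ibm.com            # exact hostname the application connects to
  location: MESH_EXTERNAL  # the service lives outside the mesh
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS          # sidecar resolves the host via DNS instead of a static address
```

After applying it with kubectl apply -f, the curl test against https://www.ibm.com returns an HTTP/ status line again, while https://www.cnn.com keeps failing with exit code 35 because no ServiceEntry declares it.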