Denying access

Now we will create a rule that denies reviews:v3 access to the ratings service. To do this, follow these steps:

  1. Define a denier handler that returns status code 7 (PERMISSION_DENIED) and the message Not allowed:

# Script : 08-create-denier-handler.yaml

apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: denyreviewsv3handler
spec:
  compiledAdapter: denier
  params:
    status:
      code: 7
      message: Not allowed

  2. Now, create the denier handler:

$ kubectl -n istio-system apply -f 08-create-denier-handler.yaml
handler.config.istio.io/denyreviewsv3handler created

  3. Next, review the checknothing instance:

# Script : 09-create-check-nothing-instance.yaml

apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: denyreviewsv3request
spec:
  compiledTemplate: checknothing

  4. Create the checknothing instance, which is nothing more than a bridge between the handler and the rule:

$ kubectl -n istio-system apply -f 09-create-check-nothing-instance.yaml
instance.config.istio.io/denyreviewsv3request created

  5. Define a deny rule that denies the matching requests and wires the checknothing instance (denyreviewsv3request) to the denier handler (denyreviewsv3handler):

# Script : 10-create-denier-rule.yaml

apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: denyreviewsv3
spec:
  match: destination.labels["app"] == "ratings" && source.labels["app"] == "reviews" && source.labels["version"] == "v3"
  actions:
  - handler: denyreviewsv3handler
    instances: [ denyreviewsv3request ]

In the preceding, pay attention to the match expression: it states that if the source service is reviews:v3, access to the destination, ratings, is denied.

  6. Create the deny rule, which matches requests whose source carries the labels app=reviews and version=v3 and whose destination carries the label app=ratings:

$ kubectl -n istio-system apply -f 10-create-denier-rule.yaml
rule.config.istio.io/denyreviewsv3 created

  7. Refresh https://bookinfo.istio.io/productpage.

Notice the message Ratings service is currently not available. If you log in as the user jason, however, you will continue to see black stars, because that path is not covered by the denier rule. Logging in as any user other than jason again shows Ratings service is currently not available.

  8. Finally, delete the denier rule, instance, and handler to prepare for the next exercise, creating a white/blacklist:

$ kubectl -n istio-system delete -f 10-create-denier-rule.yaml
rule.config.istio.io "denyreviewsv3" deleted

$ kubectl -n istio-system delete -f 09-create-check-nothing-instance.yaml
instance.config.istio.io "denyreviewsv3request" deleted

$ kubectl -n istio-system delete -f 08-create-denier-handler.yaml
handler.config.istio.io "denyreviewsv3handler" deleted
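To see which calls the rule above actually affects before applying it to a cluster, here is an added example (not code from the book or from Istio) that re-implements the check path in a few lines of Python: the handler, instance and rule contents are copied from the three YAML files, and constructed attribute bags stand in for the source and destination labels Mixer would see. The evaluator understands only the shape the page's rule uses (label equality clauses joined with &&); treating a missing label as "no match, allow" is an assumption of this toy, not a statement about Mixer, but it illustrates a real caveat of label-keyed deny rules: if a workload's labels change or are absent, the rule silently stops firing. The reviews:v2 case models jason's traffic, which in the standard Bookinfo routing goes to the version that shows black stars.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not the book's code: a toy re-implementation of the Mixer check
# path for the resources configured above. Resource contents are copied from the
# page's YAML; the attribute bags built by request() are constructed samples.

HANDLERS = {
    "denyreviewsv3handler": {
        "compiledAdapter": "denier",
        "status": {"code": 7, "message": "Not allowed"},  # 7 == PERMISSION_DENIED
    },
}

INSTANCES = {"denyreviewsv3request": {"compiledTemplate": "checknothing"}}

RULE = {
    "name": "denyreviewsv3",
    "match": 'destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"',
    "actions": [{"handler": "denyreviewsv3handler", "instances": ["denyreviewsv3request"]}],
}

# One clause of the form  <side>.labels["<key>"] == "<value>"  (the only shape the page's rule uses).
CLAUSE = re.compile(r'^\s*(source|destination)\.labels\["([^"]+)"\]\s*==\s*"([^"]*)"\s*$')


def eval_match(expr: str, attrs: Dict[str, Dict[str, str]]) -> bool:
    """Evaluate a conjunction of label-equality clauses against an attribute bag.

    attrs looks like {"source": {"app": "reviews", "version": "v3"}, "destination": {"app": "ratings"}}.
    Assumption of this toy: a clause whose label is absent evaluates to False, so the
    rule does not match and the request is allowed (fail-open for missing labels).
    """
    for clause in expr.split("&&"):
        m = CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        side, key, want = m.groups()
        if attrs.get(side, {}).get(key) != want:
            return False
    return True


def check(attrs: Dict[str, Dict[str, str]], rule=RULE) -> Tuple[int, str]:
    """Simulate a check call: if the rule matches, each action sends its instances to
    its handler, and a denier handler answers with its configured status.
    A non-matching rule (or a non-denier handler) allows the request with code 0."""
    if not eval_match(rule["match"], attrs):
        return 0, "OK"
    for action in rule["actions"]:
        handler = HANDLERS[action["handler"]]
        for name in action["instances"]:
            if INSTANCES[name]["compiledTemplate"] != "checknothing":
                raise ValueError(f"{name}: the denier adapter expects a checknothing instance")
        if handler["compiledAdapter"] == "denier":
            return handler["status"]["code"], handler["status"]["message"]
    return 0, "OK"


def request(src_app: str, dst_app: str, src_version: Optional[str] = None) -> Dict[str, Dict[str, str]]:
    """Build a constructed attribute bag for a call from src_app to dst_app."""
    src = {"app": src_app}
    if src_version is not None:
        src["version"] = src_version
    return {"source": src, "destination": {"app": dst_app}}


if __name__ == "__main__":
    cases = {
        "reviews:v3 -> ratings (denied)": request("reviews", "ratings", "v3"),
        "reviews:v2 -> ratings (jason's path, allowed)": request("reviews", "ratings", "v2"),
        "productpage:v1 -> reviews (rule does not apply)": request("productpage", "reviews", "v1"),
        "reviews with no version label -> ratings (fail-open)": request("reviews", "ratings"),
    }
    for title, attrs in cases.items():
        print(f"{title}: {check(attrs)}")
```

Only the first case returns (7, "Not allowed"); the call into reviews is untouched because the rule is keyed on the destination being ratings, and the request lacking a version label is allowed, which is the behaviour to keep in mind when a deny rule is the only control in front of a service.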

Having seen a denier rule that blocks every user except the logged-in user jason, we will next implement white/blacklists, which enforce deny rules based on attributes rather than on matching labels that identify the source and destination service names.
