Control Headers and Routing

    Policy enforcement must be enabled in your cluster for this task. Follow the steps in to ensure that policy enforcement is enabled.

    • Follow the set-up instructions in the ingress task to configure an ingress using a gateway.

    • Customize the configuration for the service containing two route rules that allow traffic for paths /headers and/status:

    In this task, we are using a sample policy adapter keyval. In addition toa policy check result, this adapter returns an output with a single fieldcalled value. The adapter is configured with a lookup table, which it uses topopulate the output value, or return NOT_FOUND error status if the inputinstance key is not present in the lookup table.

    • Deploy the demo adapter:
    1. $ kubectl run keyval --image=gcr.io/istio-testing/keyval:release-1.1 --namespace istio-system --port 9070 --expose
    • Enable the keyval adapter by deploying its template and configuration descriptors:

    Zip

    1. $ kubectl apply -f @samples/httpbin/policy/keyval-template.yaml@
    2. $ kubectl apply -f @samples/httpbin/policy/keyval.yaml@
    • Create a handler for the demo adapter with a fixed lookup table:
    • Create an instance for the handler with the user request header as a lookup key:
    1. $ kubectl apply -f - <<EOF
    2. apiVersion: config.istio.io/v1alpha2
    3. kind: instance
    4. metadata:
    5.   name: keyval
    6.   namespace: istio-system
    7. spec:
    8.   params:
    9.     key: request.headers["user"] | ""
    10. EOF
    • Ensure the httpbin service is accessible through the ingress gateway:
    2. {
    3.   "headers": {
    4.     "Accept": "*/*",
    5.     "Content-Length": "0",
    6.     ...
    7.     "X-Envoy-Internal": "true"
    8.   }
    9. }

    The output should be the request headers as they are received by the httpbin service.

    • Create a rule for the demo adapter:
    • Issue a new request to the ingress gateway with the header key set to value jason:
    1. $ curl -Huser:jason http://$INGRESS_HOST:$INGRESS_PORT/headers
    2. {
    3.   "headers": {
    4.     "Accept": "*/*",
    5.     "Content-Length": "0",
    6.     "User": "jason",
    7.     "User-Agent": "curl/7.58.0",
    8.     ...
    9.     "X-Envoy-Internal": "true"
    10.   }

    Note the presence of the user-group header with the value derived from therule application of the adapter. The expression x.output.value in the ruleevaluates to the populated value field returned by the keyval adapter.

    • Modify the rule to rewrite the URI path to a different virtual service routeif the check succeeds:
    1. $ kubectl apply -f - <<EOF
    2. apiVersion: config.istio.io/v1alpha2
    3. kind: rule
    4. metadata:
    5.   name: keyval
    6.   namespace: istio-system
    7. spec:
    8.   match: source.labels["istio"] == "ingressgateway"
    9.   actions:
    10.   - handler: keyval.istio-system
    11.     instances: [ keyval ]
    12.   requestHeaderOperations:
    13.   - name: :path
    14.     values: [ '"/status/418"' ]
    15. EOF
    • Repeat the request to the ingress gateway:

    The modified request is not checked again by the policy engine within thesame proxy. Therefore, we recommend to use this feature in gateways, sothat the server-side policy checks take effect.

    Delete the policy resources for the demo adapter:

    1. $ kubectl delete rule/keyval handler/keyval instance/keyval adapter/keyval template/keyval -n istio-system

    Complete the clean-up instructions in ingress task.

    Using Istio to secure multi-cloud Kubernetes applications with zero code changes.

    Mixer and the SPOF Myth

    Improving availability and reducing latency.

    Provides an overview of Mixer's plug-in architecture.

    Shows how to control access to a service using simple denials or white/black listing.

    Enabling Policy Enforcement

    This task shows you how to enable Istio policy enforcement.

    This task shows you how to use Istio to dynamically limit the traffic to a service.