Denials and White/Black Listing (Deprecated)

    Please use the Authorization Policy for enforcing access control to a workload.

    This task shows how to control access to a service using simple denials, attribute-based white or black listing, or IP-based white or black listing.

    • Set up Istio on Kubernetes by following the instructions in the .

      Policy enforcement must be enabled in your cluster for this task. Follow the steps in Enabling Policy Enforcement to ensure that policy enforcement is enabled.

    • Deploy the sample application.

    • Initialize the application version routing to direct service requests from test user “jason” to version v2 and requests from any other user to v3.

      Then run the following command:

      $ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml

      If you are using a namespace other than default, use kubectl -n namespace ... to specify the namespace.

    Simple denials

    Using Istio you can control access to a service based on any attributes that are available within Mixer. This simple form of access control is based on conditionally denying requests using Mixer selectors.

    Consider the sample application where the ratings service is accessed by multiple versions of the reviews service. We would like to cut off access to version v3 of the reviews service.

    1. Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage).

      If you log in as user “jason”, you should see black rating stars with each review, indicating that the ratings service is being called by the “v2” version of the reviews service.

      If you log in as any other user (or logout) you should see red rating stars with each review, indicating that the ratings service is being called by the “v3” version of the reviews service.

    2. Explicitly deny access to version v3 of the reviews service.

      Run the following command to set up the deny rule along with a handler and an instance:

      $ kubectl apply -f samples/bookinfo/policy/mixer-rule-deny-label.yaml

      If you use Istio 1.1.2 or prior, please use the following configuration instead:

      $ kubectl apply -f samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml

      Notice the following in the rule:

      match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"

      It matches requests coming from the reviews workload with version label v3 to the ratings workload.

    3. Refresh the productpage in your browser.

      If you are logged out or logged in as any user other than “jason” you will no longer see red ratings stars because the reviews:v3 service has been denied access to the ratings service. In contrast, if you log in as user “jason” (the reviews:v2 user) you continue to see the black ratings stars.
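      For reference, here is what the three Mixer objects behind the deny rule look like. This is an added example written for this page, a reconstruction rather than a copy of the project's mixer-rule-deny-label.yaml sample: the object names and the status message are assumptions, while the match expression is the one the task quotes above.

```yaml
# Added example (reconstruction, not the project's sample file): the three
# Mixer objects behind the deny rule. Object names and the status message
# are assumed; the match expression is the one the task quotes.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: denyreviewsv3handler
spec:
  compiledAdapter: denier
  params:
    status:
      code: 7                 # gRPC PERMISSION_DENIED
      message: Not allowed
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: denyreviewsv3request
spec:
  compiledTemplate: checknothing   # the denier needs no request data, only the decision
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: denyreviewsv3
spec:
  # Only requests from reviews:v3 to ratings reach the denier; a request that
  # does not match this expression is never sent to the handler and passes.
  match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"
  actions:
  - handler: denyreviewsv3handler
    instances: [ denyreviewsv3request ]
```

      Istio 1.1.2 and earlier used one CRD kind per adapter and template (kind: denier, kind: checknothing) instead of the generic handler and instance kinds with compiledAdapter and compiledTemplate, which is why the task points to separate *-crd.yaml files for those versions. Note the failure mode of this form: it is an explicit deny, so a request that does not match the expression (for example because the source pod carries no version label) is not blocked. When the intent is "only these callers may reach ratings", the whitelist form in the next section expresses that directly.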

      Attribute-based whitelists or blacklists

      Istio supports attribute-based whitelists and blacklists. The following whitelist configuration is equivalent to the denier configuration in the previous section. The rule effectively rejects requests from version v3 of the reviews service.

      1. Remove the denier configuration that you added in the previous section:

        $ kubectl delete -f samples/bookinfo/policy/mixer-rule-deny-label.yaml

        If you are using Istio 1.1.2 or prior:

        $ kubectl delete -f samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml
      2. Verify that when you access the Bookinfo productpage (http://$GATEWAY_URL/productpage) without logging in, you see red stars. After performing the following steps you will no longer be able to see stars unless you are logged in as “jason”.

      3. Apply configuration for the list adapter that white-lists the allowed versions of the reviews service:

        $ kubectl apply -f samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml

        If you use Istio 1.1.2 or prior, please use the following configuration instead:

        $ kubectl apply -f samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml
      4. Verify that when you access the Bookinfo productpage (http://$GATEWAY_URL/productpage) without logging in, you see no stars. Verify that after logging in as “jason” you see black stars.

      IP-based whitelists or blacklists

      Istio supports whitelists and blacklists based on IP address. You can configure Istio to accept or reject requests from a specific IP address or a subnet.

      1. Verify you can access the Bookinfo productpage found at http://$GATEWAY_URL/productpage. You won’t be able to access it once you apply the rules below.

      2. Apply configuration for the list adapter that white-lists subnet "10.57.0.0/16" at the ingress gateway:

        $ kubectl apply -f samples/bookinfo/policy/mixer-rule-deny-ip.yaml

        If you use Istio 1.1.2 or prior, use the CRD-based variant of this configuration instead.

      3. Try to access the Bookinfo productpage at http://$GATEWAY_URL/productpage and verify that you get an error similar to:

        PERMISSION_DENIED:staticversion.istio-system:<your mesh source ip> is not whitelisted
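      The attribute-based whitelist from the previous section and the IP-based whitelist above both use the same listchecker adapter, differing only in what value is looked up. The following is an added example for this page, a reconstruction rather than the project's mixer-rule-deny-whitelist.yaml and mixer-rule-deny-ip.yaml samples: the object names, the list of allowed versions and the subnet are assumptions chosen to match the task's narrative.

```yaml
# Added example (reconstruction, not the project's sample files): two
# listchecker handlers, one keyed on the source version label and one on
# the source IP. Names, the allowed-version list and the subnet are assumed.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelist
spec:
  compiledAdapter: listchecker
  params:
    # overrides is a static inline list; large lists are normally served
    # from providerUrl and refreshed asynchronously.
    overrides: ["v1", "v2"]   # assumed: every reviews version except v3
    blacklist: false          # false = only listed values are allowed
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: appversion
spec:
  compiledTemplate: listentry
  params:
    value: source.labels["version"]   # the value checked against the list
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkversion
spec:
  # Apply the version check only on the reviews -> ratings path.
  match: destination.labels["app"] == "ratings" && source.labels["app"] == "reviews"
  actions:
  - handler: whitelist
    instances: [ appversion ]
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelistip
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["10.57.0.0/16"]  # the subnet from the task, written as CIDR
    blacklist: false
    entryType: IP_ADDRESSES      # compare as addresses and subnets, not strings
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceip
spec:
  compiledTemplate: listentry
  params:
    # Fall back to 0.0.0.0 when the attribute is missing so the check still
    # runs (and fails closed) instead of erroring on an absent attribute.
    value: source.ip | ip("0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  # Evaluate the IP list only for traffic entering through the ingress gateway.
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: whitelistip
    instances: [ sourceip ]
```

      Two points worth checking before relying on either list. With blacklist set to false the handler allows only the listed values, so a new reviews version is rejected until the list is updated; that is the allow-list trade-off, and the reason the deny-by-label rule of the first section and this whitelist behave differently for unlisted callers. For the IP list, source.ip at the ingress gateway is whatever address the gateway actually sees; behind a cloud load balancer or NAT that is frequently the balancer's address rather than the client's, which is exactly the value that appears as <your mesh source ip> in the PERMISSION_DENIED message above, so confirm that address is the one you intend to whitelist before treating the subnet as a client allow-list.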

      Cleanup

      • Remove the Mixer configuration for simple denials:

        $ kubectl delete -f samples/bookinfo/policy/mixer-rule-deny-label.yaml

      • Remove the Mixer configuration for attribute-based white- and blacklisting:

        $ kubectl delete -f samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml

        If you are using Istio 1.1.2 or prior:

        $ kubectl delete -f samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml

      • Remove the Mixer configuration for IP-based white- and blacklisting:

        $ kubectl delete -f samples/bookinfo/policy/mixer-rule-deny-ip.yaml

        If you are using Istio 1.1.2 or prior, delete the CRD-based variant you applied instead.

      • Remove the application routing rules:

        $ kubectl delete -f samples/bookinfo/networking/virtual-service-all-v1.yaml
        $ kubectl delete -f samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml

      • If you are not planning to explore any follow-on tasks, refer to the Bookinfo cleanup instructions to shut down the application.
