We'll block access to the Hello World service by adding the mixer-rule-denial.yaml rule shown below:
# Create a denier that returns a google.rpc.Code 7 (PERMISSION_DENIED)
apiVersion: "config.istio.io/v1alpha2"
kind: denier
metadata:
  name: denyall
  namespace: istio-system
spec:
  status:
    code: 7
    message: Not allowed
---
# The (empty) data handed to denyall at run time
apiVersion: "config.istio.io/v1alpha2"
kind: checknothing
metadata:
  name: denyrequest
  namespace: istio-system
spec:
---
# The rule that uses denier to deny requests to the helloworld service
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: deny-hello-world
  namespace: istio-system
spec:
  match: destination.service=="helloworld-service.default.svc.cluster.local"
  actions:
  - handler: denyall.denier
    instances:
    - denyrequest.checknothing
istioctl create -f guestbook/mixer-rule-denial.yaml
Verify that access is now denied:
curl http://$INGRESS_IP/hello/world
# The rule that uses denier to deny requests to version 2.0 of the helloworld service
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: deny-hello-world
  namespace: istio-system
spec:
  match: destination.service=="helloworld-service.default.svc.cluster.local" && destination.labels["version"] == "2.0"
  actions:
  - handler: denyall.denier
    instances:
    - denyrequest.checknothing
Set the mobile ingress rule to route to v2 of the helloworld service.
kubectl create -f guestbook/route-rule-user-mobile.yaml
istioctl delete -f guestbook/mixer-rule-denial.yaml
istioctl create -f guestbook/mixer-rule-denial-v2.yaml
You should not be able to access v2:
curl http://$INGRESS_IP/hello/world -A mobile
Delete the mobile routing ingress rule.
kubectl delete -f guestbook/route-rule-user-mobile.yaml
Ensure that you can access the v1 service:
curl http://$INGRESS_IP/hello/world
Clean up the rule:
istioctl delete -f guestbook/mixer-rule-denial-v2.yaml
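The two curl checks above can be combined into one pass/fail script that tells a policy denial apart from an unrelated failure such as a 503 or a connection error. This is an added example, not part of the original workshop files; it assumes the denier's PERMISSION_DENIED reaches the client as HTTP 403 and that requests without the mobile User-Agent still route to v1, and it is meant to be run while the mobile route rule and mixer-rule-denial-v2.yaml are both in place (before the cleanup steps).

```shell
#!/bin/sh
# Added example (not from the workshop repo): verify the v2 deny rule.

# Print only the HTTP status code; curl prints "000" if it cannot connect.
http_status() {  # $1 = URL, $2 = User-Agent (empty string = curl default)
  curl -s -o /dev/null -m 5 -w '%{http_code}' ${2:+-A "$2"} "$1" || true
}

# Map a status code to a policy outcome. Only 403 counts as "denied":
# a 404, 503 or 000 means something else is broken, not that the rule works.
classify() {
  case "$1" in
    403) echo denied ;;
    2??) echo allowed ;;
    *)   echo error ;;
  esac
}

# expect <label> <wanted outcome> <url> <user-agent>
expect() {
  got=$(classify "$(http_status "$3" "$4")")
  if [ "$got" = "$2" ]; then
    echo "PASS $1: $got"
  else
    echo "FAIL $1: wanted $2, got $got" >&2
    return 1
  fi
}

# Negative and positive check: v2 must be blocked, v1 must not be overblocked.
verify_v2_denial() {  # $1 = base URL, e.g. http://$INGRESS_IP
  rc=0
  expect "v2 (mobile User-Agent)" denied  "$1/hello/world" mobile || rc=1
  expect "v1 (default User-Agent)" allowed "$1/hello/world" ""    || rc=1
  return "$rc"
}

# Run only when the ingress address is known.
if [ -n "${INGRESS_IP:-}" ]; then
  verify_v2_denial "http://$INGRESS_IP"
fi
```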