Trying to find the best way for blocking any connection from the internet to a k8s service using Istio.
What would be the best choice from Istio's policies?
Mixer - denials or lists
Pilot - route-rules - such as injecting an abort fault (400)
OR destination-policy - such as circuit-breaking (max connections 0???)
Tried all the above but nothing is working, and a few of them are not very intuitive to configure (and not well documented).
I would appreciate it if a working example could be attached.
The following is an example of injecting an HTTP fault policy.
destination: "ratings.default.svc.cluster.local"
route:
- tags:
    version:
httpFault:
  abort:
    percent: 100
    httpStatus: 400
First, Istio asks for a "type":
Error: Istio doesn't have configuration type , the types are destination-policy, ingress-rule, route-rule
After adding the type manually:
type: route-rule
destination: "ratings.default.svc.cluster.local"
route:
- tags:
    version:
httpFault:
  abort:
    percent: 100
    httpStatus: 400
It shouts about the method:
I0914 17:44:32.417839 1003 request.go:991] Response Body: 405: Method Not Allowed Error: the server does not allow this method on the requested resource
Thanks
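As an added illustration (not code from the question or from Istio itself), here is a small pre-flight validator for rule documents of the kind pasted above. The three accepted "type" values are taken from the error message in the question; the assumption that istioctl expects the rule body under a `spec` mapping with a `name` beside it, and the sample `name`/`version` values, are constructed for the example and are not from the post.

```python
# Added example, not from the original post: a pre-flight validator for the
# rule documents discussed above. VALID_TYPES comes from the error message in
# the post; the "name"/"spec" wrapper is an assumption about the istioctl
# document format, not something the post shows.

VALID_TYPES = {"destination-policy", "ingress-rule", "route-rule"}


def validate_rule(rule):
    """Return a list of problems found in a rule document (empty if it looks applyable)."""
    problems = []
    if not isinstance(rule, dict):
        return ["rule document must be a mapping"]

    rule_type = rule.get("type")
    if rule_type is None:
        problems.append("missing 'type' (expected one of: %s)" % ", ".join(sorted(VALID_TYPES)))
    elif rule_type not in VALID_TYPES:
        problems.append("unknown type %r" % rule_type)

    # Assumption: the rule body lives under 'spec' and 'name' identifies the rule.
    if not rule.get("name"):
        problems.append("missing 'name'")
    spec = rule.get("spec")
    if not isinstance(spec, dict):
        problems.append("missing 'spec' mapping (fields such as 'destination' must live under it)")
        return problems

    if rule_type == "route-rule":
        problems.extend(_check_route_rule(spec))
    return problems


def _check_route_rule(spec):
    """Checks specific to a route-rule body: destination, route tags, fault injection."""
    problems = []
    dest = spec.get("destination")
    if not dest or "." not in str(dest):
        problems.append("route-rule needs a fully qualified 'destination' such as ratings.default.svc.cluster.local")

    # Each route entry selects a version by tag; an empty tag value matches nothing useful.
    for i, route in enumerate(spec.get("route", [])):
        tags = route.get("tags") if isinstance(route, dict) else None
        if not isinstance(tags, dict) or any(v in (None, "") for v in tags.values()):
            problems.append("route[%d].tags must map tag names to non-empty values" % i)

    abort = (spec.get("httpFault") or {}).get("abort")
    if abort is not None:
        percent = abort.get("percent")
        status = abort.get("httpStatus")
        if not isinstance(percent, int) or not 0 <= percent <= 100:
            problems.append("httpFault.abort.percent must be an integer in 0..100")
        if not isinstance(status, int) or not 100 <= status <= 599:
            problems.append("httpFault.abort.httpStatus must be an HTTP status code")
    return problems


# Constructed documents mirroring the post: the first two reproduce its attempts,
# the third is the same abort rule with the assumed wrapper and a tag value filled in.
NO_TYPE = {
    "destination": "ratings.default.svc.cluster.local",
    "route": [{"tags": {"version": None}}],
    "httpFault": {"abort": {"percent": 100, "httpStatus": 400}},
}
TYPE_ONLY = dict(NO_TYPE, type="route-rule")
WRAPPED = {
    "type": "route-rule",
    "name": "ratings-abort",  # constructed name
    "spec": {
        "destination": "ratings.default.svc.cluster.local",
        "route": [{"tags": {"version": "v1"}}],  # constructed tag value
        "httpFault": {"abort": {"percent": 100, "httpStatus": 400}},
    },
}

if __name__ == "__main__":
    for label, doc in (("no type", NO_TYPE), ("type only", TYPE_ONLY), ("wrapped", WRAPPED)):
        print(label, "->", validate_rule(doc) or "ok")
```

Running the checks over the two documents from the question reports the missing `type` first, then the missing wrapper, which is a cheaper way to discover such shape errors than reading istioctl's server-side responses one at a time.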
Found out that Istio's route rules apply only when both of the connection's endpoints (client pod and server pod) are equipped with Envoys.
This is by itself something that should be further investigated as it doesn't make any sense.
Traffic coming from outside of the cluster indeed needs to be controlled by ingress.