How to allow traffic out of service mesh by project

Li Khia
3 min read · Mar 26, 2021

Sometimes there are requirements to allow traffic out of service mesh by projects. For example, only services in a specified project are allowed to communicate with specified external systems.

I was exploring the “exportTo” field of ServiceEntry [1] to control this. I would like to share how it can be implemented with Red Hat Service Mesh. The steps listed here are based on OpenShift 4.6.

Please refer to https://istio.io/v1.6/docs/reference/config/networking/service-entry/ for details.

The diagram below shows the services set up for this use case. https://restcountries.eu/ is the external system used to look up a country name from its abbreviation. The same backend service is deployed separately in both projects, and each frontend service calls the backend service in its own project. Please note that this design is only meant to illustrate the use case.

Below is the graph in Kiali before configuring service mesh for this use case.

By default, there is no restriction on accessing external services from the service mesh. You can change this behavior by setting the outbound traffic policy to REGISTRY_ONLY in the “istio-basic” configmap.

Please refer to https://access.redhat.com/solutions/5355951 to change the outbound traffic policy from ALLOW_ANY to REGISTRY_ONLY or execute the command below.

oc get configmap istio-basic -n istio-system -o yaml \
  | sed 's/mode: ALLOW_ANY$/mode: REGISTRY_ONLY/g' \
  | oc replace -n istio-system -f -

After invoking the services a few times, the Kiali graph will be updated as below.

Please note that PassThroughCluster and BlackHoleCluster are virtual clusters that are created when the control plane is configured with ALLOW_ANY mode and REGISTRY_ONLY mode respectively.

Let’s create a ServiceEntry as shown below to allow external access to https://restcountries.eu/ from user1-common project only.

The “exportTo” field (lines 9–10 of the ServiceEntry above) restricts the visibility of the entry to the current project.

After invoking the services a few times, the Kiali graph will be updated as below.

Let’s update the ServiceEntry as below to allow external access to https://restcountries.eu/ from user1-common and user1-project1 projects. Please note the updates to the “exportTo” field.
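The two ServiceEntry definitions referred to above (the one restricted to user1-common, and the updated one that is also exported to user1-project1) are reproduced here as an added example; this is not the author’s original YAML, which was shown as a screenshot. The resource name `restcountries`, the HTTPS port 443 and the creation of the entry in the user1-common project are assumptions of this example.

```yaml
# Added example, not the author's manifest. Assumed: the ServiceEntry is
# created in project user1-common and restcountries.eu is reached over
# HTTPS on port 443.

# Variant 1: restcountries.eu is registered in the mesh (so REGISTRY_ONLY
# no longer sends it to the BlackHoleCluster) but exported only to the
# project the ServiceEntry itself lives in.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: restcountries
  namespace: user1-common
spec:
  hosts:
  - restcountries.eu
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  exportTo:
  - "."            # "." means only the namespace this entry is created in
---
# Variant 2: the same entry, now visible from user1-common and user1-project1.
# exportTo replaces the default visibility entirely, so the owning project
# has to be listed explicitly as well.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: restcountries
  namespace: user1-common
spec:
  hosts:
  - restcountries.eu
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  exportTo:
  - user1-common
  - user1-project1
```

Apply either variant with `oc apply -n user1-common -f <file>`. A sidecar in a project that the entry is not exported to never learns about the host, so with REGISTRY_ONLY its requests to restcountries.eu still land in the BlackHoleCluster, which is what the Kiali graphs in this post show. Keep in mind that the sidecar proxy is the only enforcement point here: exportTo and REGISTRY_ONLY govern what the Envoy proxies route, so they complement rather than replace cluster-level egress controls such as NetworkPolicy.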

After invoking the services a few times, the Kiali graph will be updated as below.

[1]: With a ServiceEntry, you can control the traffic going out of the service mesh and also apply Istio policies (e.g. timeouts) to that outgoing traffic.

https://istio.io/v1.6/docs/reference/config/networking/service-entry/
