Apply an L4 access policy
Create a Layer 4 access policy that allows only the reviews app to access the ratings app.
- Verify that you can access the ratings app from both the product page and reviews apps.
  kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
  kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=reviews -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
Example output:
{"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
- Create an access policy that allows only the reviews app to access ratings. The policy selects the ratings workload as the destination and allows only clients that present the identity of the bookinfo-reviews service account; every other client is denied.
  kubectl apply -f- <<EOF
  apiVersion: security.policy.gloo.solo.io/v2
  kind: AccessPolicy
  metadata:
    name: ratings-access
    namespace: bookinfo
  spec:
    applyToDestinations:
    - selector:
        labels:
          app: ratings
    config:
      authz:
        allowedClients:
        - serviceAccountSelector:
            name: bookinfo-reviews
            namespace: bookinfo
  EOF
- Try to access ratings from the product page app. Because the product page app is not listed as an allowed client in the access policy, access to ratings is denied. Because the policy is enforced at Layer 4, the ztunnel resets the TCP connection before any HTTP exchange takes place, so curl reports a connection reset (exit code 56) rather than an HTTP 403 response with a detailed error message.
  kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
Example output:
  ...
  * Recv failure: Connection reset by peer
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  * Closing connection
  curl: (56) Recv failure: Connection reset by peer
- Try to access the ratings app from the reviews app. Because the reviews app is listed as an allowed client, access to ratings is granted.
  kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=reviews -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
Example output:
  ...
  * Connection #0 to host ratings left intact
  {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
- Get the logs of the ztunnel again and verify that you can see an entry for the failed and the successful request to ratings. The ztunnel runs as a DaemonSet with one pod per node, and the inbound policy is enforced by the ztunnel on the node that hosts the ratings pod, so read the logs of that ztunnel pod.
  kubectl logs <ztunnel-pod-name> -n istio-system
Example output for the failed request from the product page app:
  2023-08-02T19:39:13.798706Z INFO inbound{id=eb9f6e78ab08a3fb96eb010082a2bf86 peer_ip=10.44.2.12 peer_id=spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage}: ztunnel::proxy::inbound: got CONNECT request to 10.44.1.13:9080
  2023-08-02T19:39:13.798760Z INFO inbound{id=eb9f6e78ab08a3fb96eb010082a2bf86 peer_ip=10.44.2.12 peer_id=spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage}: ztunnel::proxy::inbound: RBAC rejected conn=10.44.2.12(spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage)->10.44.1.13:9080
Example output for the successful request from the reviews app:
  2023-08-02T19:39:22.763457Z INFO inbound{id=977e59e1b66f659a601a3daa0bd448c9 peer_ip=10.44.0.9 peer_id=spiffe://cluster.local/ns/bookinfo/sa/bookinfo-reviews}: ztunnel::proxy::inbound: got CONNECT request to 10.44.1.13:9080
  2023-08-02T19:39:22.764892Z INFO access log: {"start_time":"2023-08-02T19:39:22.764130129Z","method":"GET","protocol":"HTTP/1.1","path":"/ratings/1","duration":{"secs":0,"nanos":651721},"response_code":200,"source_addr":"10.44.1.13:9080","destination_addr":"10.44.1.13"}
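The two log excerpts above show the pattern that matters for an audit: every inbound connection gets an inbound{id=...} span carrying the peer's SPIFFE identity, and a denied connection adds an "RBAC rejected" line with the same id. The following shell function is an added example, not code from the Gloo or Istio documentation: it reads a saved ztunnel log, correlates each "got CONNECT request" with any "RBAC rejected" entry carrying the same inbound id, and prints one DENY or ALLOW verdict per peer identity and destination. The function name, the output format and the sample log file (constructed from the four log lines quoted on this page) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the Gloo/Istio docs): summarise ztunnel inbound RBAC
# decisions from a saved log file, for instance one produced with
#   kubectl logs <ztunnel-pod-name> -n istio-system > ztunnel.log
# The function name and output format are assumptions, not a Gloo or Istio API.

ztunnel_rbac_summary() {
  # $1: path to a ztunnel log file. Two passes over the same file (NR==FNR idiom):
  # pass 1 collects the inbound ids that were "RBAC rejected", pass 2 prints one
  # verdict line per "got CONNECT request", using the peer SPIFFE id as the client.
  awk '
    # Return the value of key=value inside the inbound{...} span, or "" if absent.
    function field(s, key,   i) {
      i = index(s, key "=")
      if (i == 0) return ""
      s = substr(s, i + length(key) + 1)
      sub(/[ }].*/, "", s)          # value ends at the next space or closing brace
      return s
    }
    NR == FNR { if ($0 ~ /RBAC rejected conn=/) rejected[field($0, "id")] = 1; next }
    /got CONNECT request to / {
      id = field($0, "id"); peer = field($0, "peer_id")
      dest = $0; sub(/.*got CONNECT request to /, "", dest)
      printf "%s %s -> %s\n", ((id in rejected) ? "DENY" : "ALLOW"), peer, dest
    }
  ' "$1" "$1"
}

# Constructed sample: the four ztunnel log lines quoted on this page, one per line.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2023-08-02T19:39:13.798706Z INFO inbound{id=eb9f6e78ab08a3fb96eb010082a2bf86 peer_ip=10.44.2.12 peer_id=spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage}: ztunnel::proxy::inbound: got CONNECT request to 10.44.1.13:9080
2023-08-02T19:39:13.798760Z INFO inbound{id=eb9f6e78ab08a3fb96eb010082a2bf86 peer_ip=10.44.2.12 peer_id=spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage}: ztunnel::proxy::inbound: RBAC rejected conn=10.44.2.12(spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage)->10.44.1.13:9080
2023-08-02T19:39:22.763457Z INFO inbound{id=977e59e1b66f659a601a3daa0bd448c9 peer_ip=10.44.0.9 peer_id=spiffe://cluster.local/ns/bookinfo/sa/bookinfo-reviews}: ztunnel::proxy::inbound: got CONNECT request to 10.44.1.13:9080
2023-08-02T19:39:22.764892Z INFO access log: {"start_time":"2023-08-02T19:39:22.764130129Z","method":"GET","protocol":"HTTP/1.1","path":"/ratings/1","duration":{"secs":0,"nanos":651721},"response_code":200,"source_addr":"10.44.1.13:9080","destination_addr":"10.44.1.13"}
EOF

ztunnel_rbac_summary "$SAMPLE_LOG"
# DENY spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage -> 10.44.1.13:9080
# ALLOW spiffe://cluster.local/ns/bookinfo/sa/bookinfo-reviews -> 10.44.1.13:9080
```

The correlation by inbound id is what makes this reliable: the "access log" line for the successful request carries no peer identity, so the allowed client can only be recovered from the CONNECT line that precedes it. On a real cluster, run the function against the log of the ztunnel pod on the node that hosts the ratings pod; a DENY line naming an identity you expected to be allowed points at a mismatch between the service account in the policy and the one the workload actually runs as.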
- Optional: Remove the access policy.
  kubectl delete accesspolicy ratings-access -n bookinfo