Creating an internal alias for an external service with Istio

Using Istio, is it possible to create an internal alias for a service outside the service mesh that is defined with a ServiceEntry, and to control access to that external service?

For example, suppose I have this ServiceEntry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mypgsql
  namespace: externalapps
spec:
  hosts:
  - mypgsql.example.com
  location: MESH_EXTERNAL
  ports:
  - number: 5432
    protocol: TCP
  resolution: DNS
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny
  namespace:  externalapps
spec:
  selector:
  ... How would I select the service entry ...

Can I create another ServiceEntry, or some other resource, in the application namespace that references the mypsql ServiceEntry?

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: dbsvc
  namespace: someapp
spec:
  hosts:
  - mypsql.externalapps
  location: MESH_EXTERNAL
  ports:
  - number: 5432
    protocol: TCP
  resolution: DNS
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-db
  namespace:  someapp
spec:
  selector:
  ... How would I select the dbsvc service entry ...
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-backend-to-db
  namespace:  someapp
spec:
  selector:
  ... How would I select the dbsvc service entry ...
  action: ALLOW
  rules:
  - from:
     - source:
         principals:
         - app_backend

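Added example, not part of the question above. An AuthorizationPolicy `selector` matches pod labels of workloads that have a sidecar, and Istio enforces authorization on the receiving sidecar, so there is no selector that can target a `MESH_EXTERNAL` ServiceEntry, and source principals must be SPIFFE identities (`cluster.local/ns/<namespace>/sa/<serviceaccount>`), not application labels. The usual pattern for controlling who may reach an external TCP service is to route the traffic through the Istio egress gateway and attach the policy to the gateway workload. The manifests below assume: the `istio-egressgateway` Service in `istio-system` has been given an extra port named `tcp-pgsql` on 5432; the client pods run under the service account `app-backend` in namespace `someapp`; and the VIP `240.0.0.10` is unused elsewhere in the cluster (TCP traffic is matched by address, not hostname, so the ServiceEntry needs one).

```yaml
# Added example (assumptions noted inline); not the question's own manifests.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mypgsql
  namespace: externalapps
spec:
  hosts:
  - mypgsql.example.com
  addresses:
  - 240.0.0.10/32            # assumed free VIP so the sidecar can match plain TCP
  location: MESH_EXTERNAL
  ports:
  - number: 5432
    name: tcp-pgsql
    protocol: TCP
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: pgsql-egress
  namespace: istio-system
spec:
  selector:
    istio: egressgateway      # default label on the egress gateway pods
  servers:
  - port:
      number: 5432            # assumed: port added to the istio-egressgateway Service
      name: tcp-pgsql
      protocol: TCP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: pgsql-via-egress
  namespace: istio-system
spec:
  hosts:
  - mypgsql.example.com
  gateways:
  - mesh                      # sidecars: send to the egress gateway
  - pgsql-egress              # egress gateway: forward to the external host
  tcp:
  - match:
    - gateways:
      - mesh
      port: 5432
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 5432
  - match:
    - gateways:
      - pgsql-egress
      port: 5432
    route:
    - destination:
        host: mypgsql.example.com
        port:
          number: 5432
---
# Default deny on the gateway: an ALLOW policy with no rules matches nothing,
# so every connection not matched by another ALLOW policy is rejected.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: egress-default-deny
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: egressgateway
  action: ALLOW
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-backend-to-db
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: egressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/someapp/sa/app-backend   # assumed client service account
    to:
    - operation:
        ports:
        - "5432"
```

The principal check only works if the client sidecar and the gateway talk mTLS, which is the default between sidecars; to make it fail closed for non-mesh clients, apply a `PeerAuthentication` with `mode: STRICT` to the gateway namespace. Note also that routing through the gateway is a routing decision, not a guarantee: a pod without a sidecar, or one whose sidecar is bypassed, can still open a socket directly to the external address, so a Kubernetes NetworkPolicy or egress firewall that only allows the egress gateway pods to reach the database is still needed for a real boundary.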