
Whitelists and blacklists are used to allow or deny access to microservices in the Service Mesh. Istio currently supports whitelists and blacklists based on service name, service attributes, and IP address.

Environment preparation: before starting, make sure the environment is in the same state as at the end of "OpenShift 4 之Istio-Tutorial (2) 部署三個微服務" (OpenShift 4 Istio-Tutorial (2): deploying three microservices): only the three microservices, the VirtualService and the Gateway are deployed, and there is no DestinationRule.

Whitelist

Allow the three services to call each other only along the path customer -> preference -> recommendation: customer is on the whitelist for access to preference, and preference is on the whitelist for access to recommendation.

1. Examine the istiofiles/acl-whitelist.yml file.

    apiVersion: "config.istio.io/v1alpha2"
    kind: handler
    metadata:
      name: preferencewhitelist
    spec:
      compiledAdapter: listchecker
      params:
        overrides: ["preference"]
        blacklist: false
    ---
    apiVersion: "config.istio.io/v1alpha2"
    kind: rule
    metadata:
      name: checkfrompreference
    spec:
      match: destination.labels["app"] == "recommendation"
      actions:
      - handler: preferencewhitelist
        instances:
        - appsource
    ---
    apiVersion: "config.istio.io/v1alpha2"
    kind: handler
    metadata:
      name: customerwhitelist
    spec:
      compiledAdapter: listchecker
      params:
        overrides: ["customer"]
        blacklist: false
    ---
    apiVersion: "config.istio.io/v1alpha2"
    kind: rule
    metadata:
      name: checkfromcustomer
    spec:
      match: destination.labels["app"] == "preference"
      actions:
      - handler: customerwhitelist
        instances:
        - appsource
    ---
    apiVersion: "config.istio.io/v1alpha2"
    kind: instance
    metadata:
      name: appsource
    spec:
      compiledTemplate: listentry
      params:
        value: source.labels["app"]

2. Create the objects defined in istiofiles/acl-whitelist.yml.

    $ oc create -f istiofiles/acl-whitelist.yml
    handler.config.istio.io/preferencewhitelist created
    rule.config.istio.io/checkfrompreference created
    handler.config.istio.io/customerwhitelist created
    rule.config.istio.io/checkfromcustomer created
    instance.config.istio.io/appsource created

3. Enter the container of the Pod running the customer microservice, then use curl to access preference and recommendation in turn. The recommendation service cannot be reached from the customer container, but the preference service can.

    $ oc exec -it $(oc get pods |grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash
    bash-4.4$ curl preference:8080
    preference => recommendation v1 from '67976848-4l4s7': 8366
    bash-4.4$ curl recommendation:8080
    PERMISSION_DENIED:preferencewhitelist.user1-tutorial:customer is not whitelisted
    bash-4.4$ exit
    exit
    $ oc delete -f istiofiles/acl-whitelist.yml

Blacklist

Deny access from customer to preference: customer is on the blacklist for access to preference.

1. Examine the istiofiles/acl-blacklist.yml file.

    apiVersion: "config.istio.io/v1alpha2"
    kind: handler
    metadata:
      name: denycustomerhandler
    spec:
      compiledAdapter: denier
      params:
        status:
          code: 7
          message: Not allowed
    ---
    apiVersion: "config.istio.io/v1alpha2"
    kind: instance
    metadata:
      name: denycustomerrequests
    spec:
      compiledTemplate: checknothing
    ---
    apiVersion: "config.istio.io/v1alpha2"
    kind: rule
    metadata:
      name: denycustomer
    spec:
      match: destination.labels["app"] == "preference" && source.labels["app"]=="customer"
      actions:
      - handler: denycustomerhandler
        instances: [ denycustomerrequests ]

2. Run the following command to create the blacklist from customer to preference.

    $ oc create -f istiofiles/acl-blacklist.yml

3. Run the following commands to enter the container running the customer service, then access the preference service. A PERMISSION_DENIED error is returned, which shows that the blacklist is in effect.

    $ oc exec -it $(oc get pods |grep customer|awk '{ print $1 }'|head -1) -c customer /bin/bash
    bash-4.4$ curl preference:8080
    PERMISSION_DENIED:denycustomerhandler.user1-tutorial:Not allowed
    bash-4.4$ exit

4. Run the following commands to enter the container running the recommendation service, then access the preference service. The request succeeds, because there is no blacklist between preference and recommendation.

    $ oc exec -it $(oc get pods |grep recommendation|awk '{ print $1 }'|head -1) -c recommendation /bin/bash
    bash-4.2$ curl preference:8080
    preference => recommendation v1 from '67976848-4l4s7': 8384
    bash-4.4$ exit
    $ oc delete -f istiofiles/acl-blacklist.yml
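To make the decision logic of both the whitelist and the blacklist sections visible without a cluster, here is an added example (written for this page, not code from Istio or from the tutorial) that models the Mixer check path for the handler, instance and rule objects above. It encodes the two policies as Python data, evaluates the `match` expressions and the `listentry` value expression used on this page, and applies the documented listchecker semantics (`blacklist: false` means only listed entries are allowed) and denier semantics. The namespace string user1-tutorial and the reason texts come from the page's output; the "is blacklisted" message and the treatment of a missing label as an empty string are assumptions of this model, not statements about Mixer internals. It also goes beyond the page in two cases worth knowing as a defender: under the whitelist, recommendation calling preference is denied because only customer is listed for that destination, and a workload with no `app` label is denied too.

```python
import re
from dataclasses import dataclass

# Added example: an offline model of the Mixer check path for the objects on
# this page.  Not Istio code; namespace and reason texts follow the page output.
NAMESPACE = "user1-tutorial"

LABEL_REF = r'(source|destination)\.labels\["([^"]+)"\]'
TERM_RE = re.compile(r'^' + LABEL_REF + r'\s*==\s*"([^"]*)"$')
VALUE_RE = re.compile(r'^' + LABEL_REF + r'$')


def eval_label(expr, attrs):
    """Resolve source.labels["k"] / destination.labels["k"].
    A missing label is treated as "" here (model assumption)."""
    m = VALUE_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported value expression: {expr!r}")
    side, key = m.groups()
    return attrs[side].get(key, "")


def eval_match(expr, attrs):
    """Evaluate the match subset used on this page: label equalities joined by &&."""
    for term in expr.split("&&"):
        m = TERM_RE.match(term.strip())
        if not m:
            raise ValueError(f"unsupported match term: {term!r}")
        side, key, want = m.groups()
        if attrs[side].get(key, "") != want:
            return False
    return True


@dataclass
class ListChecker:
    """compiledAdapter: listchecker. blacklist=False allows only listed values."""
    overrides: list
    blacklist: bool = False

    def check(self, value):
        listed = value in self.overrides
        if self.blacklist:
            return not listed, f"{value} is blacklisted"  # message text is a placeholder
        return listed, f"{value} is not whitelisted"


@dataclass
class Denier:
    """compiledAdapter: denier. Rejects every request the rule matches."""
    code: int
    message: str

    def check(self, value):
        return False, self.message


# Policies transcribed from acl-whitelist.yml and acl-blacklist.yml:
# rules are (match, handler, instance); checknothing instances carry no value.
WHITELIST = {
    "handlers": {
        "preferencewhitelist": ListChecker(["preference"]),
        "customerwhitelist": ListChecker(["customer"]),
    },
    "instances": {"appsource": 'source.labels["app"]'},
    "rules": [
        ('destination.labels["app"] == "recommendation"', "preferencewhitelist", "appsource"),
        ('destination.labels["app"] == "preference"', "customerwhitelist", "appsource"),
    ],
}

BLACKLIST = {
    "handlers": {"denycustomerhandler": Denier(7, "Not allowed")},
    "instances": {"denycustomerrequests": None},
    "rules": [
        ('destination.labels["app"] == "preference" && source.labels["app"]=="customer"',
         "denycustomerhandler", "denycustomerrequests"),
    ],
}


def authorize(policy, attrs):
    """Return (allowed, reason). Every rule whose match holds must pass its handler."""
    for match, handler_name, instance_name in policy["rules"]:
        if not eval_match(match, attrs):
            continue
        value_expr = policy["instances"][instance_name]
        value = eval_label(value_expr, attrs) if value_expr else None
        ok, reason = policy["handlers"][handler_name].check(value)
        if not ok:
            return False, f"PERMISSION_DENIED:{handler_name}.{NAMESPACE}:{reason}"
    return True, "OK"


def decide(policy, source_app, destination_app):
    """Build constructed label sets for a call; source_app=None means an unlabelled pod."""
    attrs = {
        "source": {"app": source_app} if source_app else {},
        "destination": {"app": destination_app},
    }
    return authorize(policy, attrs)


if __name__ == "__main__":
    calls = [("customer", "preference"), ("customer", "recommendation"),
             ("preference", "recommendation"), ("recommendation", "preference"),
             (None, "preference")]
    for name, policy in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        for src, dst in calls:
            print(f"{name}: {src or '<unlabelled>'} -> {dst}: {decide(policy, src, dst)[1]}")
```

Running the script reproduces the two curl results shown above (customer -> recommendation denied under the whitelist, customer -> preference denied under the blacklist) and makes the difference between the two approaches explicit: the whitelist rules fire for every caller of preference and recommendation, so anything not listed is rejected, while the blacklist rule fires only for the one named source and leaves every other path open.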
