Integrate Istio with Open-Agent-Policy to demo service-mesh
you can use minikube to run k8s cluster
minikube start
- use istioctl to install Istio in k8s cluser:
istioctl install
reference: https://istio.io/latest/docs/setup/install/istioctl/ - apply sidecar and OPA policy etc.:
kubectl apply -f sidecar.yaml
- apply service a:
kubectl apply -f service-a.yaml
- apply service b:
kubectl apply -f service-b.yaml
- access service-a or service-b:
minikube service service-a --url http://127.0.0.1:52783 # it is port-forward docker container to localhost minikube service service-b --url http://127.0.0.1:52992
- testing service-a can access service-b:
curl http://127.0.0.1:52783/calling-service-b?name=serviceb
testing service-b can access service-a:curl http://127.0.0.1:52992/calling-service-a?name=servicea
each response code should be 200.
you can look at service-a main.go and service-b main.go code.
policy rule: when one service want to access the other service it should provide correct path and query string.
These are simple rules, just for demo.
package istio.authz
import input.attributes.request.http as http_request
default allow = false
allow {
http_request.method == "GET"
input.parsed_path == ["service-b-hello"]
input.parsed_query.name == ["serviceb"]
}
allow {
http_request.method == "GET"
input.parsed_path == ["service-a-hello"]
input.parsed_query.name == ["servicea"]
}