Creating an internal alias for an external service with Istio

With Istio, is it possible to create an internal alias for a service that lives outside the service mesh and is defined with a ServiceEntry, and to control access to that external service?

For example, suppose I have this ServiceEntry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mypgsql
  namespace: externalapps
spec:
  hosts:
  - mypgsql.example.com
  location: MESH_EXTERNAL
  ports:
  - number: 5432
    protocol: TCP
  resolution: DNS
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny
  namespace:  externalapps
spec:
  selector:
  ... How would I select the service entry ...

Can I create another ServiceEntry, or some other resource, in the application's namespace that references the mypgsql ServiceEntry?

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: dbsvc
  namespace: someapp
spec:
  hosts:
  - mypsql.externalapps
  location: MESH_EXTERNAL
  ports:
  - number: 5432
    protocol: TCP
  resolution: DNS
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-db
  namespace:  someapp
spec:
  selector:
  ... How would I select the dbsvc service entry ...
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-backend-to-db
  namespace:  someapp
spec:
  selector:
  ... How would I select the dbsvc service entry ...
  action: ALLOW
  rules:
  - from:
     - source:
         principals:
         - app_backend

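As an added example that is not part of the original question: AuthorizationPolicy selectors match workload labels (pods), not ServiceEntry resources, so the usual way to police traffic to an external host is to route it through Istio's egress gateway and attach the policy to the gateway workload. This assumes the Gateway and VirtualService from Istio's egress-gateway documentation already forward mypgsql.example.com:5432 through istio-egressgateway, and that the backend runs under a service account named app-backend in the someapp namespace; those names are assumptions.

```yaml
# Added example, not from the original question. Assumes the egress-gateway
# routing (Gateway + VirtualService) for mypgsql.example.com:5432 is already
# in place, and that the backend's service account is "app-backend" in "someapp".
# Key point: AuthorizationPolicy selects workloads by label, not ServiceEntry
# resources, so the policy is attached to the egress gateway pods instead.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mypgsql
  namespace: istio-system
spec:
  hosts:
  - mypgsql.example.com          # assumed external database host
  location: MESH_EXTERNAL
  ports:
  - number: 5432
    name: tcp-pg
    protocol: TCP
  resolution: DNS
---
# Once an ALLOW policy is attached to the egress gateway workload, every
# request to it that matches no ALLOW rule is denied, so this single policy
# restricts the database path to the backend's identity.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-backend-to-db
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: egressgateway       # default label on Istio's egress gateway pods
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        # SPIFFE-style workload identity: <trust-domain>/ns/<ns>/sa/<sa>
        - cluster.local/ns/someapp/sa/app-backend
    to:
    - operation:
        ports: ["5432"]          # assumed gateway listener port for this host
```

This only constrains traffic that actually goes through the gateway; to stop sidecars from reaching the host directly, the mesh's outboundTrafficPolicy should be REGISTRY_ONLY so that only hosts known to the registry are reachable, and the sidecar-level VirtualService must send mypgsql.example.com to the gateway rather than straight out.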