Enforce the Ingress Policy

You can see the following policy is automatically installed when you add the Emissary-Ingress Gateway System through Policy > Ingress.

The client-load application is installed along with the sample-app and repeatedly executes the following HTTP calls in an interval of 15 seconds, pretending to be different users to help generate sample data for visualization.

curl -isk --user alice:password edge-stack/finance/salary/alice
curl -isk --user bob:password edge-stack/finance/salary/alice
curl -isk --user bob:password edge-stack/finance/salary/charlie
curl -isk --user david:password edge-stack/finance/salary/bob
curl -isk --user david:password edge-stack/hr/dashboard
curl -isk --user eve:password edge-stack/admin

By default, ingress policy allows all traffic to the sample application service. Click on the Decisions tab to verify all the Allowed decisions from the newly created Emissary-Ingress Gateway System.

The Emissary-Ingress Gateway System Quick Start provides a link to replace ingress policy with a sample one. With this ingress policy published, traffic is allowed only on /finance/salary endpoint of sample-app. Switch to the Decisions tab and verify traffic to path /hr/dashboard and /admin are Denied.