Enforce the Ingress Policy

You can see the following policy is automatically installed when you add the Emissary-ingress system:

• policy >> ingress

The client-load app installed along with the sample-app repeatedly executes the following HTTP calls in an interval of 15 seconds, pretending to be different users to help generate sample data for visualization.

curl -isk --user alice:password edge-stack/finance/salary/alice
curl -isk --user bob:password edge-stack/finance/salary/alice
curl -isk --user bob:password edge-stack/finance/salary/charlie
curl -isk --user david:password edge-stack/finance/salary/bob
curl -isk --user david:password edge-stack/hr/dashboard
curl -isk --user eve:password edge-stack/admin

By default, ingress policy allows all traffic to the sample application service. Click on the Decisions tab to verify all the Allowed decisions from the newly created Emissary Ingress system.

The Emissary-ingress system Quick Start provides a link to replace ingress policy with a sample one. With this ingress policy published, traffic is allowed only on /finance/salary endpoint of sample-app. Switch to the Decisions tab and verify traffic to path /hr/dashboard and /admin are Denied.