Enforce the Ingress Policy
The client-load application is installed along with the sample-app and executes the following HTTP calls in an interval of 15 seconds, pretending to be different users to generate sample data for visualization.
The following policies are automatically installed when you add an Istio System.
You can see the policies in place for your Istio System in the app, egress, and ingress folders.
- For the
apppolicy type, from your Istio System expand policy > app > rules.rego to see the application rules. - For the
egresspolicy type, from your Istio System expand policy > egress > rules.rego to see the egress rules. - For
ingresspolicy type, from your Istio System expand policy > ingress > rules.rego to see the ingress rules.
The client-load deployment repeatedly executes the following HTTP calls in an interval of 30 seconds, pretending to be different users to help generate sample data for visualization.
curl --user alice:password example-app/finance/salary/alice
curl --user bob:password example-app/finance/salary/alice
curl --user bob:password example-app/finance/salary/charlie
curl --user david:password example-app/finance/salary/bob
curl --user david:password example-app/hr/dashboard
curl --user eve:password example-app/admin
curl -is httpbin.org/anything;
By default, all policies allow traffic to the service with Istio proxy as sidecar container. Click on the Decisions tab to verify all decisions are Allowed for the newly created Istio System.
The Istio System Quick Start provides a link to replace the sample ingress policy. With this ingress policy published, example-app can receive ingress traffic only on the allowed list of endpoint /finance/salary. Switch to the Decisions tab and verify traffic to path /hr/dashboard and /admin are Denied.