Abort specification is used to prematurely abort a request with a pre-specified error code.
The following example will return an HTTP 400 error code for 1 out of every 1000 requests to the “ratings” service “v1”.

Istio Authorization Policy enables access control on workloads in the mesh.
Authorization policy supports CUSTOM, DENY and ALLOW actions for access control.
When CUSTOM, DENY and ALLOW actions are used for a workload at the same time,
the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action.
The evaluation is determined by the following rules:
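
A model of that evaluation order, as an added example rather than Istio's own code. The numbered rules in the comments follow Istio's AuthorizationPolicy documentation; the policy names, principals, paths and the `ext_authz` callback are constructed for illustration.

```python
# Added example: models CUSTOM -> DENY -> ALLOW precedence for one workload.
# Policy names, principals and request fields below are constructed, not Istio APIs.
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]  # e.g. {"path": "/admin", "principal": "cluster.local/ns/..."}


@dataclass
class Policy:
    name: str
    action: str                         # "CUSTOM", "DENY" or "ALLOW"
    matches: Callable[[Request], bool]  # stands in for the policy's rules
    # CUSTOM only: stand-in for the external authorizer's verdict (True = allow).
    ext_authz: Callable[[Request], bool] = lambda req: True


def evaluate(policies: List[Policy], req: Request) -> str:
    """Return "allow" or "deny" for a request against one workload's policies."""
    def with_action(action: str) -> List[Policy]:
        return [p for p in policies if p.action == action]

    # 1. CUSTOM first: a matching CUSTOM policy whose authorizer denies ends evaluation.
    for p in with_action("CUSTOM"):
        if p.matches(req) and not p.ext_authz(req):
            return "deny"
    # 2. DENY next: any matching DENY policy overrides every ALLOW policy.
    if any(p.matches(req) for p in with_action("DENY")):
        return "deny"
    allow = with_action("ALLOW")
    # 3. No ALLOW policies on the workload: the request is allowed.
    if not allow:
        return "allow"
    # 4. ALLOW policies exist: allow only if one matches. 5. Otherwise deny.
    return "allow" if any(p.matches(req) for p in allow) else "deny"


FRONTEND = "cluster.local/ns/web/sa/frontend"  # constructed principals
ADMIN = "cluster.local/ns/ops/sa/admin"
POLICIES = [
    Policy("ext-authz-admin", "CUSTOM", lambda r: r["path"].startswith("/admin"),
           ext_authz=lambda r: r.get("principal") == ADMIN),
    Policy("deny-debug", "DENY", lambda r: r["path"].startswith("/debug")),
    Policy("allow-frontend", "ALLOW", lambda r: r.get("principal") == FRONTEND),
]
```

A CUSTOM allow verdict only lets evaluation continue: the admin principal passes the external check on `/admin` but is still denied because no ALLOW policy matches it.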

Describes the Cross-Origin Resource Sharing (CORS) policy for a given service.
Refer to CORS for further details about cross-origin resource sharing.
For example, the following rule restricts cross-origin requests to those originating
from the example.com domain using HTTP POST/GET, and sets the Access-Control-Allow-Credentials
header to false. In addition, it only exposes the X-Foo-bar header and sets an expiry period of 1 day.

Delay specification is used to inject latency into the request forwarding path.
The following example will introduce a 5 second delay in 1 out of every 1000 requests
to the “v1” version of the “reviews” service from all pods with label env: prod.

Destination indicates the network addressable service to which the request/connection will be sent after
processing a routing rule. The destination.host should unambiguously refer to a service in the service
registry. Istio’s service registry is composed of all the services found in the platform’s service
registry (e.g., Kubernetes services, Consul services), as well as services declared through the
ServiceEntry resource.

Message headers can be manipulated when Envoy forwards requests to, or responses from, a destination service.
Header manipulation rules can be specified for a specific route destination or for all destinations.

HTTPFaultInjection can be used to specify one or more faults to inject while forwarding HTTP requests to the destination specified in a route.
Fault specification is part of a VirtualService rule. Faults include aborting the HTTP request from the downstream service
and/or delaying the proxying of requests. A fault rule MUST HAVE delay or abort or both.

HttpMatchRequest specifies a set of criteria to be met in order for the rule to be applied to the HTTP request.
For example, the following restricts the rule to match only requests where the URL path starts with /ratings/v2/
and the request contains a custom end-user header with value jason.

HTTPRedirect can be used to send a 301 redirect response to the caller,
where the Authority/Host and the URI in the response can be swapped with the specified values.
For example, the following rule redirects requests for /v1/getProductRatings API on the ratings
service to /v1/bookRatings provided by the bookratings service.

HTTPRewrite can be used to rewrite specific parts of an HTTP request before forwarding the
request to the destination. The rewrite primitive can be used only with HTTPRouteDestination.

Each routing rule is associated with one or more service versions (see glossary in beginning of document).
Weights associated with the version determine the proportion of traffic it receives.
For example, the following rule will route 25% of traffic for the “reviews” service to instances with
the “v2” tag and the remaining traffic (i.e., 75%) to “v1”.

Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication to the
workload instance it is attached to. By default, Istio will program all sidecar proxies in the mesh with the
configuration required to reach every workload instance in the mesh, as well as accept traffic on all the ports associated
with the workload. The Sidecar configuration provides a way to fine-tune the set of ports and protocols that the proxy will accept
when forwarding traffic to and from the workload. In addition, it is possible to restrict the set of services that the proxy can
reach when forwarding outbound traffic from workload instances.

Describes match conditions and actions for routing TCP traffic.
The following routing rule forwards traffic arriving at port
27017 for mongo.prod.svc.cluster.local to another Mongo server on port 5555.