Hello, I am using istio 1.8. I have a single Gateway with 10+ virtual services attached to it, each with a routing rule that forwards traffic to different pods.
We need to block all HTTP requests to a service called “service-core” except from within the Kubernetes cluster, from select namespaces AND from certain IP ranges.
This is what I’ve come up with
I have Istio enabled on all namespaces mentioned below. The intention is to make sure that only the allowed namespaces and the allowed IP ranges can communicate with the workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  namespace: dit
  name: core-config-allow
spec:
  selector:
    matchLabels:
      app: service-core
  action: DENY
  rules:
  - from:
    - source:
        notNamespaces: ["ns1", "ns2", "ns-system", "istio-system"]
    - from:
    - source:
        notIpBlocks: ["172.23.0.0/16"]
When applying this, I get “RBAC: access denied” from both an IP address outside of that range and also the same error when I access the workload from “ns1”.
I checked the official authorization documentation, however I don’t see it working on my cluster. Is there anything wrong with the above?
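The behaviour described above follows from how Istio combines conditions: separate `from` entries in one rule are OR'd, while fields inside a single `source` block are AND'd. With two `from` entries, the DENY rule matches any caller that is outside the namespace list OR outside the IP range, so an in-cluster pod in ns1 (whose pod IP is not in 172.23.0.0/16) is denied too. The following is an added example, not code from the original post, showing two ways to express "allow only the listed namespaces or the listed IP range": a DENY policy with both conditions in one `source` (AND), and the equivalent ALLOW policy with two rules (OR, with everything else implicitly denied). Namespace, label and CIDR values are taken from the post; the ALLOW variant's name `core-config-allow-only` is an assumption.

```yaml
# Added example: corrected DENY form. Deny only when the caller is outside the
# allowed namespaces AND outside the allowed IP range (fields in one source
# block are AND'd). Name, namespace, label and CIDR come from the post.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  namespace: dit
  name: core-config-allow
spec:
  selector:
    matchLabels:
      app: service-core
  action: DENY
  rules:
  - from:
    - source:
        notNamespaces: ["ns1", "ns2", "ns-system", "istio-system"]
        notIpBlocks: ["172.23.0.0/16"]
---
# Added example: equivalent ALLOW form. Two rules are OR'd; once an ALLOW
# policy matches the workload, requests that match no rule are denied.
# The policy name below is an assumption.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  namespace: dit
  name: core-config-allow-only
spec:
  selector:
    matchLabels:
      app: service-core
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["ns1", "ns2", "ns-system", "istio-system"]
  - from:
    - source:
        ipBlocks: ["172.23.0.0/16"]
```

One caveat to check before relying on the IP condition: `ipBlocks` and `notIpBlocks` match the immediate source IP of the connection as seen by the sidecar. For traffic that enters through the ingress gateway, that is the gateway pod's IP, not the external client's, so an IP-based rule evaluated on the service-core sidecar will not see the 172.23.0.0/16 client address. Either enforce the IP rule on the gateway workload itself (selector on the gateway's labels), or use `remoteIpBlocks`, which matches the client address derived from X-Forwarded-For or PROXY protocol when the gateway is configured to populate it. Applying the policy and then checking the sidecar's access log (`kubectl logs <pod> -c istio-proxy`) for `RBAC: access denied` entries is the quickest way to confirm which source the rule actually evaluated.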