Another AuthorizationPolicy Question - IP Whitelist for VirtualService

zeroweb · January 26, 2021, 9:11am

Hello, I am using istio 1.8. I have a single Gateway with 10+ virtual services attached to it, each with a routing rule that forwards traffic to different pods.

We need to block all http requests to a service called “service-core” except from within the kubernetes cluster, from a select namespaces AND from a certain IP ranges.

This is what I’ve come up with

I have istio enabled on all namespaces mentioned below. The intention is to make sure that only the allowed namespaces can communicate with the workload and allowed IP ranges.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  namespace: dit
  name: core-config-allow
spec:
  selector:
    matchLabels:
      app: service-core
  action: DENY
  rules:
    - from:
        - source:
            notNamespaces: ["ns1", "ns2", "ns-system", "istio-system"]
    - from:
        - source:
            notIpBlocks: ["172.23.0.0/16"]

When applying this, I get “RBAC: access denied” from both an IP address outside of that range and also the same error when I access the workload from “ns1”.

I checked the official documentation of authorization, however I don’t see this is working on my cluster. Is there anything wrong with the above?

shankgan · January 27, 2021, 1:29am

Don’t see anything obviously wrong with the above policy. But just curious - since your goal was to whitelist communication to an app ONLY from a namespace or CIDR range, why not have an ALLOW policy and flip the NotNamespaces to Namespaces and notIPBlocks to IPBlocks?

HNadackal · February 1, 2021, 5:29pm

Is Mutual TLS enabled?

zeroweb · February 1, 2021, 6:20pm

Hi,

I actually tried the ALLOW at first, but for some reason it didn’t work. Then tested the DENY based on a search result, but didn’t work either. I posted the latest test here.

zeroweb · February 1, 2021, 6:21pm

It is the default istio installation so I believe it is enabled but not enforced. I can see the lock icon on kiali which confirms that mtls is enabled

YangminZhu · February 11, 2021, 8:55pm

The policy denies requests from source not in the given namespace OR not in the given IpBlocks.

Do you mean your request within the namespace (e.g. “ns1”) and also within the ipBlocks (e.g. “172.23.0.1”) still get denied? That is strange and I suggest to check the debug logging in envoy to verify the request: Istio / Security Problems

Topic		Replies	Views
Authorization Policies having unexpected results on istio-1.9.0 Networking security	1	487	February 23, 2021
Authorization Policy - ISTIO Security	6	929	July 2, 2020
AuthorizationPolicy and Namespaces Security	1	1996	February 21, 2020
AuthorizationPolicy whitelist IPs and internal traffic Security	1	302	August 8, 2023
Istio 1.6.4: Authorisation policy ALLOW is denying Security	9	944	August 10, 2020

Another AuthorizationPolicy Question - IP Whitelist for VirtualService

Related Topics