Hello, I am using istio 1.8. I have a single Gateway with 10+ virtual services attached to it, each with a routing rule that forwards traffic to different pods.
We need to block all HTTP requests to a service called “service-core” except from within the Kubernetes cluster, from select namespaces AND from certain IP ranges.
This is what I’ve come up with:
I have Istio enabled on all namespaces mentioned below. The intention is to make sure that only the allowed namespaces and allowed IP ranges can communicate with the workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  namespace: dit
  name: core-config-allow
spec:
  selector:
    matchLabels:
      app: service-core
  action: DENY
  rules:
  - from:
    - source:
        notNamespaces: ["ns1", "ns2", "ns-system", "istio-system"]
  - from:
    - source:
        notIpBlocks: ["172.23.0.0/16"]
When applying this, I get “RBAC: access denied” from both an IP address outside of that range and also the same error when I access the workload from “ns1”.
I checked the official documentation on authorization, however I don’t see this working on my cluster. Is there anything wrong with the above?
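In an AuthorizationPolicy, separate rules are OR'ed while the fields inside a single `source` are AND'ed, so the two-rule DENY policy above denies a request when either condition holds: a request from ns1 whose pod IP is outside 172.23.0.0/16 matches the second rule and is denied. The two equivalent policies below are an added example, not part of the original post; they reuse the namespace `dit`, the label `app: service-core`, the namespace list and the IP range from the post, and the policy names are assumed.

```yaml
# Added example (not from the original post). Two ways to express
# "deny unless the source is in an allowed namespace OR in an allowed IP range".
#
# Option 1: DENY policy. Both negated matchers sit in ONE source block,
# so they are AND'ed: deny only if the source is NOT in an allowed
# namespace AND NOT in the allowed IP range.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: core-config-deny   # assumed name
  namespace: dit
spec:
  selector:
    matchLabels:
      app: service-core
  action: DENY
  rules:
  - from:
    - source:
        notNamespaces: ["ns1", "ns2", "ns-system", "istio-system"]
        notIpBlocks: ["172.23.0.0/16"]
---
# Option 2: ALLOW policy with two rules. The OR between rules is exactly the
# intended semantics (allowed namespace OR allowed IP range). Once an ALLOW
# policy selects the workload, any request matching none of its rules is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: core-config-allow   # assumed name
  namespace: dit
spec:
  selector:
    matchLabels:
      app: service-core
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["ns1", "ns2", "ns-system", "istio-system"]
  - from:
    - source:
        ipBlocks: ["172.23.0.0/16"]
```

Note that `ipBlocks` matches the IP of the immediate connection peer, which for requests arriving through the ingress gateway is the gateway pod rather than the external client; matching the original client address requires Istio's `remoteIpBlocks` field, which is derived from X-Forwarded-For and needs the gateway's trusted-proxy configuration to be correct.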