Before I begin, I’m fairly new to Kubernetes and Istio so please keep in mind that I might be overlooking something simple.
What I want:
To deny access to all pods in a namespace (testing) from all external IP’s.
What I’ve tried:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "block-non-local-subnets"
  namespace: testing
spec:
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ["0.0.0.0/0"]
        notIpBlocks: ["19.40.0.0/16"]
    - source:
After applying that, I could still access everything in my testing namespace. So I tried the example listed here:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: testing
spec: {}
Again, everything to the namespace is allowed. Here’s a line from Envoy’s log:
[2021-02-22T18:42:13.934Z] "GET /links/ HTTP/2" 304 - via_upstream - "-" 0 0 4 3 "my pc's IP" …
(I can’t post the rest of this line because it has various IP’s and this site tells me that new users can’t post more than 4 links)
It does work if I put it in the istio-system namespace:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "block-non-local-subnets"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notIpBlocks: ["192.168.15.0/24", "10.200.200.0/24", "192.168.5.0/24"]
    - source:
But then this blocks all access across every namespace.
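An added example, not from the original post or the Istio project, of the policy shape that matches on the original client address rather than on the address of the hop that delivered the request. `source.ipBlocks` is evaluated against the IP of the immediate peer, so once a request has passed through the ingress gateway, a sidecar in `testing` sees the gateway pod's address, not the client's, and an `ipBlocks`/`notIpBlocks` rule scoped to `testing` cannot distinguish external from internal clients. `source.remoteIpBlocks` (available since Istio 1.8) is instead evaluated against the client IP recovered from `X-Forwarded-For` or the PROXY protocol. The subnets are the ones from the post; the policy name is an assumption. For `remoteIpBlocks` to be trustworthy, the gateway must be told how many proxies sit in front of it (`gatewayTopology.numTrustedProxies` in the gateway's proxy config), otherwise a client can forge the header and sidestep the deny rule.

```yaml
# Added example (not the poster's or Istio's own configuration).
# Denies requests whose *client* address is outside the listed subnets,
# scoped to every sidecar-injected workload in the "testing" namespace.
# Subnets are the ones given in the post; the name is an assumption.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-external-clients
  namespace: testing          # no selector: applies to all workloads in the namespace
spec:
  action: DENY
  rules:
  - from:
    - source:
        # remoteIpBlocks uses the client IP from X-Forwarded-For / PROXY protocol,
        # so it still identifies the client after the request has crossed the gateway.
        notRemoteIpBlocks: ["192.168.15.0/24", "10.200.200.0/24", "192.168.5.0/24"]
```

A policy like this only has an effect on pods that actually run the Envoy sidecar; a namespace-scoped policy, including the `spec: {}` deny-all form, silently does nothing for pods without one. `kubectl get pods -n testing -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.spec.containers[*].name}{"\n"}{end}'` lists each pod's containers so the presence of `istio-proxy` can be confirmed before debugging the rule itself.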