Currently, I'm trying to allow/deny incoming traffic to a specific service according to the IP of the request.
The example on the Authorization on Ingress Gateway page, where source.ipBlocks is used to allow/deny external incoming traffic, worked as expected.
When that same authorization policy is targeted at other pods in a different namespace, it stops working. The only way I can make it work is by matching a specific
header (X-Envoy-External-Address) against the address I'm looking to block/allow. This is not an appropriate workaround, as it doesn't support CIDR.
This is the AuthorizationPolicy I used in the first example, which worked:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ["18.104.22.168"]
The authorization policy used in the other namespace, which didn't work:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ["22.214.171.124"]
externalTrafficPolicy is already set to Local. When I look at the istio-proxy logs on the specific pod, the origin IP is printed with its expected value whenever a new incoming request is received.
Is this the expected behavior or am I missing something?
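As an added example (not the poster's configuration and not taken from the Istio docs), here is the same httpbin DENY policy written with the remoteIpBlocks field, which Istio introduced in 1.7 for matching the original client address carried in X-Forwarded-For or PROXY protocol rather than the address of the immediate peer. For a sidecar behind the ingress gateway the immediate peer is the gateway pod, which is why ipBlocks behaves differently there than it does on the gateway itself. The CIDR 22.214.171.0/24 is a placeholder chosen for illustration, and the example assumes the gateway's Service keeps externalTrafficPolicy: Local so the gateway sees the real client address.

```yaml
# Added example, not the original post's config.
# Assumes Istio 1.7 or later (remoteIpBlocks) and an ingress gateway Service
# with externalTrafficPolicy: Local. The CIDR below is a placeholder.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-policy
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: DENY
  rules:
  - from:
    - source:
        # remoteIpBlocks is evaluated against the client address derived from
        # X-Forwarded-For (or PROXY protocol), not the TCP peer address, which
        # for a sidecar behind the ingress gateway is the gateway pod's IP.
        # Both single addresses and CIDR ranges are accepted.
        remoteIpBlocks: ["22.214.171.0/24"]
```

One caveat when relying on remoteIpBlocks: if a load balancer in front of the gateway appends its own entries to X-Forwarded-For, the gateway's trusted-hop count (meshConfig.defaultConfig.gatewayTopology.numTrustedProxies) has to match the number of such hops, otherwise the address the policy evaluates will be the load balancer's rather than the client's; with externalTrafficPolicy: Local and a load balancer that preserves the source IP without adding headers, the default of 0 is what you want.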