Authorization Policy IP allow/deny not working on services different than ingress-gateway

hleal18 · August 10, 2020, 5:49pm

Got and example working successfully using EnvoyFilters, specifically with remote_ip condition applied on httbin.

Sharing the manifest for reference.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpbin
  namespace: foo
spec:
  workloadSelector:
    labels:
      app: httpbin
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.rbac 
          config:
            rules:
              action: ALLOW
              policies:
                "ip-premissions":
                  permissions:
                    - any: true
                  principals:
                    - remote_ip:
                        address_prefix: 186.168.165.52
                        prefix_len: 32

Topic		Replies	Views
Ingress gateway IP whitelist with AuthorizationPolicy	7	3603	March 11, 2020
Problem: Limit access to a gateway by using authorization policy together with ipBlocks Networking	0	580	April 16, 2020
Authorizationpolicy does not work	1	653	March 6, 2020
Authorization Policy not filtering traffic towards my service Networking security	3	856	February 15, 2022
Authorization Policy. Restrict access by IP-address Security	1	684	October 7, 2021

Authorization Policy IP allow/deny not working on services different than ingress-gateway

Related topics