Authorization Policy not filtering traffic towards my service

Prisco_Farina · February 15, 2022, 8:02pm

Hi guys, I am facing some issue trying to configure istio AuthorizationPolicy in order to ALLOW traffic on specific endpoints from specific source IP

This is my scenario:
I have two services running on the k8s cluster and I want to limit that incoming traffic, so I have seen I could define something like this, using istio


# Source: ingest-chart/templates/authorization_policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authorization-policy-docs-ingest
  namespace: istio-system
spec:
  action: ALLOW
  rules: # traffic coming from AKAMAI from specified IPs can execute requests towards defined PATH
  - from:
    - source:
        remoteIpBlocks: 
        - "myip/32"
    to:
    - operation:
        methods:
        - POST
        paths:
        - "*/myendpoint"
  - from:
    to:
    - operation:
        methods:
        - GET
        - POST
        - DELETE
        - PUT
        notPaths:
        - "*/myendpoint"
  selector:
    matchLabels:
      app: myservice

Is it correct to say that the previous rule permits any request coming from myip towards */myendpoint and permits any other kind of traffic towards the other endpoints (not having */myendpoing path towards my service)?

Since the incoming traffic passes through AKAMAI I set the :

podAnnotations:
proxy.istio.io/config: ‘{“gatewayTopology” : { “numTrustedProxies”: 2 } }’
service:
externalTrafficPolicy: Local

x_forwarded_for
my_ip , AKAMAI_IP_1, AKAMAI_IP_2

Should any request come like listed so far be authorized using such kind of rule?

I have also tried doing in a different way filtering on the header than remoteIpBlock, but this doesn’t accept CIDR annotation and then I am forced to list all IP authorized, please correct me if I am wrong.

Example (maybe could be useful for others having the same problem):


  action: ALLOW
  rules:
  - from:
    to:
    - operation:
        methods:
        - POST
        paths:
        - '*/myendpoint'
    when:
    - key: request.headers[true-client-ip]
      values:                                       <--- This doesn't support CIDR annotation :-(

Looking to the following link it seems the correct behavior, but I would like to have a double-check with you.

Is it possible to apply CIDR annotation with checking based on the header?
Any help is really appreciated.
Thanks

kylebe · February 15, 2022, 11:37pm

Hi, for your original AuthorizationPolicy, make the selector apply to the ingress gateway, not your service. The ingress gateway is what sees your original client ip address.

Prisco_Farina · February 15, 2022, 11:43pm

Hi Kyle,
first of all thank you for the answer.

My problem is that if I apply that rule on the ingress I am not able than to differentiate traffic coming for one service than another.

Am I wrong?

kylebe · February 15, 2022, 11:54pm

Try to add a when clause to your policy to match on the Host header:

    when:
    - key: request.headers[Host]
      values: ["something.example.com"]

(in addition to applying it to the ingress gateway)

Topic		Replies	Views
Authorization Policy IP allow/deny not working on services different than ingress-gateway Security security	5	5372	August 10, 2020
Need help to add authorization policy to filter internal and external calls Security	5	1297	July 13, 2023
AuthorizationPolicy whitelist IPs and internal traffic Security	1	482	August 8, 2023
Ingress gateway IP whitelist with AuthorizationPolicy	7	3575	March 11, 2020
Restricting access from one workload to other workload in the same mesh Security	2	548	December 12, 2022

Authorization Policy not filtering traffic towards my service

Related topics