Authorization Policy not filtering traffic towards my service

Hi guys, I am facing some issues trying to configure an Istio AuthorizationPolicy in order to ALLOW traffic on specific endpoints from a specific source IP.

This is my scenario:
I have two services running on the k8s cluster and I want to limit the incoming traffic, so I have seen that I could define something like this, using Istio:


# Source: ingest-chart/templates/authorization_policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authorization-policy-docs-ingest
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  # traffic coming from AKAMAI from specified IPs can execute requests towards the defined PATH
  - from:
    - source:
        remoteIpBlocks:
        - "myip/32"
    to:
    - operation:
        methods:
        - POST
        paths:
        - "*/myendpoint"
  # no "from" section here: any source may reach the other paths
  - to:
    - operation:
        methods:
        - GET
        - POST
        - DELETE
        - PUT
        notPaths:
        - "*/myendpoint"
  selector:
    matchLabels:
      app: myservice

Is it correct to say that the previous rule permits any request coming from myip towards */myendpoint and permits any other kind of traffic towards the other endpoints (those not having the */myendpoint path) of my service?

Since the incoming traffic passes through AKAMAI I set the following:

podAnnotations:
  proxy.istio.io/config: '{"gatewayTopology": {"numTrustedProxies": 2}}'
service:
  externalTrafficPolicy: Local

and the request arrives with this header:

X-Forwarded-For: my_ip, AKAMAI_IP_1, AKAMAI_IP_2

Should any request that comes in as listed so far be authorized by such a rule?

I have also tried doing it a different way, filtering on a header rather than remoteIpBlocks, but this doesn't accept CIDR notation and then I am forced to list all the authorized IPs; please correct me if I am wrong.

Example (maybe could be useful for others having the same problem):


  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - POST
        paths:
        - '*/myendpoint'
    when:
    - key: request.headers[true-client-ip]
      values:   # <--- this doesn't support CIDR notation :-( each IP must be listed

Looking at the following link it seems to be the correct behavior, but I would like to double-check with you.

Is it possible to apply CIDR notation when checking based on the header?
Any help is really appreciated.
Thanks

Hi, for your original AuthorizationPolicy, make the selector apply to the ingress gateway, not your service. The ingress gateway is what sees your original client IP address.

Hi Kyle,
first of all thank you for the answer.

My problem is that if I apply that rule to the ingress I am then not able to differentiate traffic coming for one service from traffic for another.

Am I wrong?

Try to add a when clause to your policy to match on the Host header:

    when:
    - key: request.headers[Host]
      values: ["something.example.com"]

(in addition to applying it to the ingress gateway)
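Putting the two answers together, here is an added example (not code from the thread or from the Istio project) of the original policy moved to the ingress gateway with a Host condition per rule. It assumes the default gateway label `istio: ingressgateway` in `istio-system`; the hostnames and the client address are placeholders.

```yaml
# Added example: the question's policy re-targeted at the ingress gateway.
# Assumptions: default gateway label "istio: ingressgateway" in istio-system;
# docs-ingest.example.com, other-service.example.com and 203.0.113.10 are placeholders.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authorization-policy-docs-ingest
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway   # the gateway pod, not the backend service
  action: ALLOW
  rules:
  # Rule 1: only the allow-listed client may POST to */myendpoint on this host.
  # remoteIpBlocks is evaluated against the X-Forwarded-For address selected by
  # numTrustedProxies, so that setting belongs on the gateway's proxy config.
  - from:
    - source:
        remoteIpBlocks:
        - "203.0.113.10/32"   # placeholder; replace with the real client /32
    to:
    - operation:
        methods: ["POST"]
        paths: ["*/myendpoint"]
    when:
    - key: request.headers[Host]
      values: ["docs-ingest.example.com"]   # placeholder hostname
  # Rule 2: every other path on the same host stays open, as in the original policy.
  - to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
        notPaths: ["*/myendpoint"]
    when:
    - key: request.headers[Host]
      values: ["docs-ingest.example.com"]
  # Rule 3: any other host served by this gateway must be allowed explicitly,
  # because once an ALLOW policy selects a workload, a request matching no rule is denied.
  - when:
    - key: request.headers[Host]
      values: ["other-service.example.com"]   # placeholder hostname
```

Two things worth checking before relying on this: the `numTrustedProxies` annotation and `externalTrafficPolicy: Local` from the question have to be applied to the ingress gateway Deployment and Service, since the gateway is the pod that now evaluates `remoteIpBlocks`; and the same host match can also be written as `to.operation.hosts: ["docs-ingest.example.com"]`, which is the spec's dedicated field for it, if you prefer that over the `when` clause. Test the deny side too: a POST to `*/myendpoint` from an address outside the allow-listed block should come back as 403 from the gateway.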