Hi guys, I am facing an issue trying to configure an Istio AuthorizationPolicy in order to ALLOW traffic on specific endpoints from a specific source IP.
This is my scenario:
I have two services running on the k8s cluster and I want to limit the incoming traffic; I have seen that I could define something like this using Istio:
# Source: ingest-chart/templates/authorization_policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authorization-policy-docs-ingest
  namespace: istio-system
spec:
  action: ALLOW
  rules: # traffic coming from AKAMAI from specified IPs can execute requests towards defined PATH
  - from:
    - source:
        remoteIpBlocks:
        - "myip/32"
    to:
    - operation:
        methods:
        - POST
        paths:
        - "*/myendpoint"
  - to: # no "from" here: any source
    - operation:
        methods:
        - GET
        - POST
        - DELETE
        - PUT
        notPaths:
        - "*/myendpoint"
  selector:
    matchLabels:
      app: myservice
Is it correct to say that the previous rule permits any request coming from myip towards */myendpoint, and permits any other kind of traffic towards the other endpoints of my service (those not having the */myendpoint path)?
Since the incoming traffic passes through AKAMAI I set the following:
podAnnotations:
  proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 2 } }'
service:
  externalTrafficPolicy: Local
x-forwarded-for: my_ip, AKAMAI_IP_1, AKAMAI_IP_2
Should any request coming in as listed above be authorized by such a rule?
I have also tried doing it in a different way, filtering on the header rather than on remoteIpBlocks, but this doesn't accept CIDR notation, so I am forced to list all the authorized IPs; please correct me if I am wrong.
Example (it may be useful for others having the same problem):
action: ALLOW
rules:
- to:
  - operation:
      methods:
      - POST
      paths:
      - '*/myendpoint'
  when:
  - key: request.headers[true-client-ip]
    values: # <--- this doesn't support CIDR notation :-(
    - "myip"
Looking at the following link, it seems to be the correct behavior, but I would like to double-check with you.
Is it possible to apply CIDR notation when checking based on the header?
Any help is really appreciated.
Thanks
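An added example (editor-supplied, not code from the post above and not Istio's own implementation) that simulates how the two-rule ALLOW policy from the post is evaluated, so the questions can be checked against concrete requests. It follows Istio's documented semantics for the fields the post uses: `remoteIpBlocks` is matched against the trusted client address, which with `gatewayTopology.numTrustedProxies: N` is the Nth entry from the right of `X-Forwarded-For` (the TCP peer address is used when the header has fewer than N entries); `paths`/`notPaths` use the `*` prefix/suffix wildcard; and with only ALLOW policies on a workload, a request that matches no rule is denied. The addresses are constructed RFC 5737 documentation addresses standing in for "myip" and the AKAMAI hops, the flattened `POLICY` dict is an assumed mirror of the YAML (no ports, hosts or principals), and `header_values_for` shows what the header-based `when` workaround costs, since its `values` are exact strings rather than CIDRs.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not real addresses:
# CLIENT_IP stands in for the post's "myip", AKAMAI_1/AKAMAI_2 for the CDN hops.
CLIENT_IP = "203.0.113.10"
AKAMAI_1 = "198.51.100.1"
AKAMAI_2 = "198.51.100.2"

# Assumed flattened mirror of the post's two-rule ALLOW policy.
POLICY = {
    "action": "ALLOW",
    "rules": [
        {   # rule 1: only CLIENT_IP may POST to */myendpoint
            "remoteIpBlocks": [f"{CLIENT_IP}/32"],
            "methods": ["POST"],
            "paths": ["*/myendpoint"],
        },
        {   # rule 2: any source, listed methods, every path except */myendpoint
            "methods": ["GET", "POST", "DELETE", "PUT"],
            "notPaths": ["*/myendpoint"],
        },
    ],
}


def trusted_client_ip(xff, peer_addr, num_trusted_proxies):
    """Address remoteIpBlocks is matched against (Istio gatewayTopology docs):
    the Nth entry from the right of X-Forwarded-For, N = numTrustedProxies.
    If XFF has fewer than N entries, the TCP peer address is used instead."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if num_trusted_proxies <= 0 or len(hops) < num_trusted_proxies:
        return peer_addr
    return hops[-num_trusted_proxies]


def path_matches(pattern, path):
    """operation.paths / notPaths wildcard rules: '*' alone matches anything,
    a leading '*' is a suffix match, a trailing '*' a prefix match, else exact."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def rule_matches(rule, client_ip, method, path):
    """A rule matches when every non-empty field it carries matches the request."""
    blocks = rule.get("remoteIpBlocks", [])
    if blocks:
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in ipaddress.ip_network(b, strict=False) for b in blocks):
            return False
    methods = rule.get("methods", [])
    if methods and method not in methods:
        return False
    paths = rule.get("paths", [])
    if paths and not any(path_matches(p, path) for p in paths):
        return False
    if any(path_matches(p, path) for p in rule.get("notPaths", [])):
        return False
    return True


def decide(policy, client_ip, method, path):
    """ALLOW policy: the request must match at least one rule, otherwise it is denied."""
    matched = any(rule_matches(r, client_ip, method, path) for r in policy["rules"])
    if policy["action"] == "ALLOW":
        return "ALLOW" if matched else "DENY"
    return "DENY" if matched else "ALLOW"


def decide_request(xff, peer_addr, num_trusted_proxies, method, path, policy=POLICY):
    """Returns (address Istio treats as the client, verdict)."""
    ip = trusted_client_ip(xff, peer_addr, num_trusted_proxies)
    return ip, decide(policy, ip, method, path)


def header_values_for(cidrs):
    """The header-based workaround: `when` values are exact strings, so a CIDR
    has to be expanded into every address it contains."""
    return [str(a) for c in cidrs for a in ipaddress.ip_network(c, strict=False)]


if __name__ == "__main__":
    # Two XFF shapes for the same client: the CDN hop that opens the TCP
    # connection may or may not have appended itself to the header.
    cases = [
        (f"{CLIENT_IP}, {AKAMAI_1}", AKAMAI_2, 2, "POST", "/v1/myendpoint"),
        (f"{CLIENT_IP}, {AKAMAI_1}, {AKAMAI_2}", AKAMAI_2, 2, "POST", "/v1/myendpoint"),
        (f"{CLIENT_IP}, {AKAMAI_1}, {AKAMAI_2}", AKAMAI_2, 3, "POST", "/v1/myendpoint"),
        (f"192.0.2.7, {AKAMAI_1}", AKAMAI_2, 2, "GET", "/v1/other"),
        (f"192.0.2.7, {AKAMAI_1}", AKAMAI_2, 2, "GET", "/v1/myendpoint"),
    ]
    for xff, peer, n, method, path in cases:
        ip, verdict = decide_request(xff, peer, n, method, path)
        print(f"N={n} xff={xff!r:<45} -> client={ip:<14} {method} {path}: {verdict}")
    print(len(header_values_for(["203.0.113.0/30"])), "header values needed for one /30")
```

The useful check is the second and third cases: the address picked for `remoteIpBlocks` depends on how many proxy entries actually appear in `X-Forwarded-For` relative to `numTrustedProxies`, so it is worth confirming the real header shape at the gateway (for example from the ingress gateway access log) before settling on the value.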