Authorization Policy. Restrict access by IP-address

yakw · August 27, 2021, 12:23pm

Hi there! Could you please help me
I’m created a manifest:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-app
  namespace: dev
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["istio-system"]
    when:
    - key: request.headers[X-Envoy-External-Address]
      values: ["<IP_ADDR>"] #Ip to allow
  selector:
    matchLabels:
      app: httpbin-app

but this code not working. How can i restrict access to the podby IP address?

YangminZhu · October 7, 2021, 8:59pm

note the request.headers is doing simple string match (not IP match), you probably should use the sourceIP or remoteIP first class fields instead.

For the X-Envoy-External-Address case, you can check the envoy log to see the actual value of this header to confirm if it’s set to the expected value: Istio / Security Problems

Topic		Replies	Views
Authorization Policy IP allow/deny not working on services different than ingress-gateway Security security	5	5356	August 10, 2020
Authorization Policies having unexpected results on istio-1.9.0 Networking security	1	546	February 23, 2021
Authorization Policy - ISTIO Security	6	1077	July 2, 2020
Istio 1.5 AuthorizationPolicy using JWT Security	4	1074	July 28, 2020
Restrict Access by Gateway/Service using source ip	11	7682	September 21, 2020

Authorization Policy. Restrict access by IP-address

Related Topics