We’re running EKS and exposing the application endpoints using Istio Ingressgateway of type Application Load Balancer.
We are restricting the access to a service to a certain set of IPs on the Load Balancer security groups. But for a specific IP on that set, only two endpoints should be accessible.
I am writing an authorization policy to achieve that based on the x-forwarded-for header. The reason why I'm not using from.source.remoteIpBlocks is stated in: how to get real client IP for Services with ingress gateway Type=NodePort and externalTrafficPolicy = cluster · Issue #44148 · istio/istio · GitHub
I tried using the following authorization policy:
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "allow-ip"
  namespace: sharon
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - when:
    - key: request.headers[x-forwarded-for]
      values: ["*14.140.239.6", "14.140.239.6*"]
---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "deny-endpoints"
  namespace: sharon
spec:
  selector:
    matchLabels:
      app: httpbin
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["GET"]
        notPaths: ["/", "/ip"]
This basically allows only that IP to access and to only those two endpoints. But for other IPs, it’s denied.
Is there a way to achieve this with when and to rules?
I'd be more than happy if anyone has a solution for my issue mentioned on: how to get real client IP for Services with ingress gateway Type=NodePort and externalTrafficPolicy = cluster · Issue #44148 · istio/istio · GitHub
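One way to express the intended restriction with a single DENY policy, shown here as an added example that is not part of the original post: Istio evaluates the from/to/when clauses of one rule together (all must match), so putting the header condition and the notPaths condition in the same rule denies only that client, and only on paths other than the two allowed ones. It assumes the same selector, namespace and client address as the post, and it drops the separate ALLOW policy so that the other addresses in the security-group set keep their normal access.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: restrict-single-ip-to-two-paths   # assumed name
  namespace: sharon
spec:
  selector:
    matchLabels:
      app: httpbin
  action: DENY
  rules:
  # Both clauses of this rule must match for the request to be denied:
  #   to:   any path that is NOT "/" or "/ip" (all HTTP methods)
  #   when: x-forwarded-for identifies the restricted client
  # Requests from other clients never match, so they are not affected
  # by this policy; without an ALLOW policy in place they fall back to
  # the default (allowed) and rely on the load balancer security group.
  - to:
    - operation:
        notPaths: ["/", "/ip"]
    when:
    - key: request.headers[x-forwarded-for]
      # suffix match covers "client, proxy" lists where the ALB appended
      # the real source address; prefix match covers a bare address
      values: ["*14.140.239.6", "14.140.239.6*"]
```

The wildcard patterns also match other addresses that merely end with or start with those digits (for example 214.140.239.6 or 14.140.239.61); because this is a DENY rule that only fails closed, but it is still worth confirming with istioctl and a test request from each address class. Only trust the header value to the extent the load balancer in front of the gateway is known to set or append it itself.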