AuthorizationPolicy does not work

In Istio 1.5.0, using AuthorizationPolicy to configure the attribute "from.source.ipBlocks" for istio-ingressgateway does not work, because the real IP of the client cannot be obtained. The specific configuration is as follows:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["172.0.0.0/8", "192.0.0.0/8"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/api/istiotools/*"]
```
1 Like

I’m in nearly the same boat. I have a basic nginx server Deployment along with a Service type=LoadBalancer. This works great in my EKS cluster with Istio 1.5 prelim. I can even see the real source IP coming through in both the Istio Ingress Gateway logs, and in the Nginx logs. The IP is coming through as a chain of IP addresses. But the “real” IP is definitely in there.

Heck, I've even rolled out an EnvoyFilter just to see if that has a role to play here. I see the EnvoyFilter is in place and working great; I've got some log messages that spew out at the start and end of every request. But none of this works fully.
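Both posts above run into the same mechanism: `source.ipBlocks` is evaluated against the address of the TCP peer that connected to the gateway (the cloud load balancer), while the user's address only survives inside the X-Forwarded-For chain the second poster sees in the logs. The script below is an added example, not code from this thread or from Istio; it reproduces how an Envoy-based gateway picks the client address out of that chain when told how many proxies to trust (counting from the right, with a fall back to the peer address when the header is short or malformed), and then checks the result against the CIDRs from the policy in the first post. All addresses and headers in it are constructed for illustration; `client_ip_from_xff`, `in_ip_blocks` and `evaluate` are names chosen for this example.

```python
"""Added example (not code from the original thread): derive the client
address from an X-Forwarded-For (XFF) chain the way an Envoy-based ingress
gateway does when it is told how many proxies in front of it to trust, and
check that address against the thread's ipBlocks ranges.

All addresses and headers below are constructed for illustration.
"""
import ipaddress
from typing import Sequence


def client_ip_from_xff(xff: str, peer_addr: str, num_trusted_proxies: int) -> str:
    """Return the address to treat as the originating client.

    Semantics follow Envoy's xff_num_trusted_hops: entries are counted from
    the RIGHT of the header, because every honest proxy appends the address
    it accepted the connection from. The peer that opened the TCP connection
    to the gateway (here peer_addr, normally the cloud load balancer) is not
    in the header at all, so with zero trusted proxies the peer itself is the
    client. That peer address is what source.ipBlocks matches on, which is
    why a policy built on it sees the load balancer instead of the user.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if num_trusted_proxies <= 0:
        return peer_addr
    idx = len(hops) - num_trusted_proxies
    if idx < 0:
        # Fewer entries than trusted hops: the proxies did not populate XFF
        # as expected, so fall back to the connection peer rather than trust
        # anything the client could have written.
        return peer_addr
    candidate = hops[idx]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_addr  # malformed entry; same conservative fallback
    return candidate


def in_ip_blocks(addr: str, blocks: Sequence[str]) -> bool:
    """True if addr falls inside any CIDR in blocks (the ipBlocks check)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(b, strict=False) for b in blocks)


# CIDRs from the policy in the thread.
POLICY_BLOCKS = ["172.0.0.0/8", "192.0.0.0/8"]

# Constructed scenario: a user at 172.16.0.9 reaches the gateway through one
# cloud load balancer at 10.0.0.5 that appends XFF.
LB_PEER = "10.0.0.5"
HONEST_XFF = "172.16.0.9"
# Same user, but they sent a forged XFF header first; the LB appended the
# real address after it.
SPOOFED_XFF = "203.0.113.99, 172.16.0.9"


def evaluate() -> dict:
    """Compare the peer-address check with the XFF-derived check."""
    return {
        # What ipBlocks effectively evaluates: the LB's address, so denied.
        "peer_allowed": in_ip_blocks(LB_PEER, POLICY_BLOCKS),
        # Trusting one proxy hop recovers the real client, so allowed.
        "xff_allowed": in_ip_blocks(
            client_ip_from_xff(HONEST_XFF, LB_PEER, 1), POLICY_BLOCKS),
        # The forged leftmost entry is ignored; the decision is unchanged.
        "spoofed_client": client_ip_from_xff(SPOOFED_XFF, LB_PEER, 1),
        # Naively taking the leftmost entry would let the forger pick an IP.
        "naive_leftmost": SPOOFED_XFF.split(",")[0].strip(),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The trusted-hop count has to match the real topology: one hop for a single load balancer that appends XFF, and never "take the leftmost entry", since that value is whatever the client chose to send. On Istio 1.5 the usual way to make `ipBlocks` itself work is `externalTrafficPolicy: Local` on the ingress gateway Service, which only helps where the load balancer preserves the TCP source address. Istio 1.6 added `source.remoteIpBlocks`, which matches on the XFF-derived address instead of the connection peer, and later releases expose the trusted-hop count through `gatewayTopology.numTrustedProxies` in the mesh config.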