I’ve successfully used AuthorizationPolicy with HTTP services behind Istio’s ingress gateway to limit requests heading for a particular Host header.
However, it seems that gRPC doesn’t have the Host header, and I can’t see how to allow requests to a gRPC service without enumerating every single method in the service. Any ideas?
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: ingressgateway
  action: ALLOW
  rules:
  - {}
  # This doesn't work for gRPC...Not sure how else we can deal with this
  # - to:
  #   - operation:
  #       hosts: ["subdomain.example.com"]
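
An added example, not part of the original post: gRPC runs over HTTP/2, where the target name travels in the `:authority` pseudo-header (which the `hosts` field is matched against) and every call's path has the form `/<package>.<Service>/<Method>`, so a host match plus a path prefix covers a whole service without listing its methods. The service name `example.v1.MyService` is a placeholder, and the `:*` host entry assumes clients may append a port to the authority.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        # Matched against the HTTP/2 :authority value. gRPC clients often
        # send "host:port", so allow both the bare host and any port.
        hosts:
        - "subdomain.example.com"
        - "subdomain.example.com:*"
        # Prefix match on the gRPC path: every method of one service.
        # "example.v1.MyService" is a placeholder for the real
        # fully-qualified service name from the .proto file.
        paths:
        - "/example.v1.MyService/*"
```

Fields inside one `operation` are ANDed, so a request is allowed only when both the host and the path prefix match; with an ALLOW policy selecting the gateway, anything that matches no rule is denied.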