AuthorizationPolicy whitelist IPs and internal traffic

Hello!
Regarding AuthorizationPolicy, I would like to allow external traffic from specific IPs only AND all internal traffic. I thought the best way would be to use remoteIpBlocks and namespaces as source, like:

  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - 1.2.3.4
        - 2.3.4.5
  - from:
    - source:
        namespaces:
        - "*"

I also tried:

  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - 1.2.3.4
        - 2.3.4.5
    - source:
        namespaces:
        - "*"

I understand that having a list of from means OR, having a list of source results in AND conditions.

None of them works: I expected to block IPs other than those listed, but Istio passes them through. If I remove the namespaces, Istio blocks external traffic from IPs not listed here, as expected.

Is there another way of allowing all internal traffic AND only listed remote IPs?

Thanks in advance!

I figured out the following solution:

  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - 1.2.3.4
        - 2.3.4.5
    to:
    - operation:
        hosts:
        - '*.example.com'
  - from:
    - source:
        namespaces:
        - '*'
    to:
    - operation:
        hosts:
        - my-services-backend.my-services.svc.cluster.local

But I do not know how this works with a multicluster setup - this should work too, right?
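
The matching semantics of ALLOW rules, modelled in Python as an added example (not part of the original posts and not Istio's own code): rules are ORed, the entries of a `from` or `to` list are ORed, and `from` and `to` within one rule are ANDed. The requests are constructed, and the model assumes external traffic reaches the workload through an in-mesh gateway and therefore carries a namespace identity (`istio-system` here is a sample value).

```python
import ipaddress

def match_str(pattern, value):
    # Istio string match: exact, prefix ("abc*"), suffix ("*abc"), presence ("*").
    if pattern == "*":
        return bool(value)
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def source_matches(src, req):
    # Fields inside one source are ANDed; values inside one field are ORed.
    if "remoteIpBlocks" in src:
        ip = ipaddress.ip_address(req["remote_ip"])
        if not any(ip in ipaddress.ip_network(b, strict=False) for b in src["remoteIpBlocks"]):
            return False
    if "namespaces" in src and not any(match_str(p, req["namespace"]) for p in src["namespaces"]):
        return False
    return True

def rule_matches(rule, req):
    # Entries of a from/to list are ORed; from and to are ANDed; a missing list matches.
    ok_from = "from" not in rule or any(source_matches(f["source"], req) for f in rule["from"])
    ok_to = "to" not in rule or any(
        match_str(h, req["host"]) for t in rule["to"] for h in t["operation"]["hosts"])
    return ok_from and ok_to

def allowed(rules, req):
    # ALLOW action: the request passes if any rule matches.
    return any(rule_matches(r, req) for r in rules)

ip_src = {"source": {"remoteIpBlocks": ["1.2.3.4", "2.3.4.5"]}}
ns_src = {"source": {"namespaces": ["*"]}}
BACKEND = "my-services-backend.my-services.svc.cluster.local"
FIRST = [{"from": [ip_src]}, {"from": [ns_src]}]      # two rules
SECOND = [{"from": [ip_src, ns_src]}]                  # one rule, two sources
THIRD = [{"from": [ip_src], "to": [{"operation": {"hosts": ["*.example.com"]}}]},
         {"from": [ns_src], "to": [{"operation": {"hosts": [BACKEND]}}]}]

# Constructed requests. Assumption: external traffic is forwarded by an in-mesh
# gateway over mTLS, so it carries that gateway's namespace at the workload.
UNLISTED = {"remote_ip": "9.9.9.9", "namespace": "istio-system", "host": "app.example.com"}
LISTED = dict(UNLISTED, remote_ip="1.2.3.4")
INTERNAL = {"remote_ip": "10.0.0.7", "namespace": "frontend", "host": BACKEND}

for name, pol in (("first", FIRST), ("second", SECOND), ("third", THIRD)):
    print(name, [allowed(pol, r) for r in (UNLISTED, LISTED, INTERNAL)])
```

Under that assumption the first two policies evaluate identically and admit the unlisted IP through `namespaces: "*"`, while the third denies it because the namespace rule is tied to the backend host.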