I’m trying to set up whitelisting for some services. The following config appears to only work when applied to the istio-system namespace:
```yaml
---
apiVersion: "config.istio.io/v1alpha2"
kind: listchecker
metadata:
  name: ip-whitelist
spec:
  overrides: ["18.104.22.168/32"]
  blacklist: false
  entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: x-real-ip
spec:
  value: request.headers["x-real-ip"]
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: service-ip-rule
spec:
  match: destination.service.namespace == "mynamespace"
  actions:
  - handler: ip-whitelist.listchecker
    instances:
    - x-real-ip.listentry
```
There it works fine but I’d rather this was located nearer to the application it’s whitelisting. Is this expected?