Configuration only picked up in istio-system namespace

#1

I’m trying to set up whitelisting to some services. The following config appears to only work when applied to istio-system namespace:

---
apiVersion: "config.istio.io/v1alpha2"
kind: listchecker
metadata:
  name: ip-whitelist
spec:
  overrides: ["99.200.0.1/32"]
  blacklist: false
  entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: x-real-ip
spec:
  value: request.headers["x-real-ip"]
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: service-ip-rule
spec:
  match: destination.service.namespace == "mynamespace"
  actions:
    - handler: ip-whitelist.listchecker
      instances:
        - x-real-ip.listentry

There it works fine but I’d rather this was located nearer to the application it’s whitelisting. Is this expected?

Thanks

0 Likes