Configuration only picked up in istio-system namespace

stuart-warren · March 21, 2019, 8:08pm

I’m trying to set up whitelisting to some services. The following config appears to only work when applied to istio-system namespace:

---
apiVersion: "config.istio.io/v1alpha2"
kind: listchecker
metadata:
  name: ip-whitelist
spec:
  overrides: ["99.200.0.1/32"]
  blacklist: false
  entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: x-real-ip
spec:
  value: request.headers["x-real-ip"]
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: service-ip-rule
spec:
  match: destination.service.namespace == "mynamespace"
  actions:
    - handler: ip-whitelist.listchecker
      instances:
        - x-real-ip.listentry

There it works fine but I’d rather this was located nearer to the application it’s whitelisting. Is this expected?

Thanks

Topic		Replies	Views
Whitelisting/blacklisting IPs Policies and Telemetry	6	1584	February 28, 2020
Istio AuthN policy for Service deployed in a different namespace	4	601	December 2, 2019
Authorization policy istio 1.4+ is not letting whitelist service identity such as service account, namespace for traffic coming from non-mesh Security	2	498	January 28, 2021
Another AuthorizationPolicy Question - IP Whitelist for VirtualService Security	5	2062	February 11, 2021
Istio Sidecar Configuration Config	0	406	April 28, 2022

Configuration only picked up in istio-system namespace

Related topics