Configuration only picked up in istio-system namespace

I’m trying to set up whitelisting for some services. The following config appears to only work when applied to the istio-system namespace:

```yaml
---
apiVersion: "config.istio.io/v1alpha2"
kind: listchecker
metadata:
  name: ip-whitelist
spec:
  overrides: ["99.200.0.1/32"]
  blacklist: false
  entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: x-real-ip
spec:
  value: request.headers["x-real-ip"]
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: service-ip-rule
spec:
  match: destination.service.namespace == "mynamespace"
  actions:
    - handler: ip-whitelist.listchecker
      instances:
        - x-real-ip.listentry
```

There it works fine, but I’d rather this was located nearer to the application it’s whitelisting. Is this expected?

Thanks