DENY policy when using TCP does not seem to work

Hello all, I need to brainstorm an issue:

Consider the following configs in AWS:

Ingress:

- name: client-port
  nodePort: 31213
  port: 4242
  protocol: TCP
  targetPort: 4242

Gateway:

- port:
    number: 4242
    name: client-port
    protocol: TCP

VirtualService:

tcp:
- match:
  - port: 4242
  route:
  - destination:
      host: myhost
      port:
        number: 4242

Traffic is routed 100%, I have no issue. But if I want to apply a DENY for any IP such as follows, it just will not block the traffic:
apiVersion: security.istio.io/v1beta1   # added here; the post omitted apiVersion
kind: AuthorizationPolicy
metadata:
  name: deny-4242
  namespace: app_namespace
spec:
  selector:
    matchLabels:
      application: myapp
  action: DENY
  rules:
  - to:
    - operation:
        ports: ["4242"]   # plain double quotes; the post had curly quotes

I know that it detects the deny because I see in the logs:
`[2023-04-26T14:47:42.204Z] "- - -" 0 - - rbac_access_denied_matched_policy[ns[app_namespace]-policy[deny-4242]-rule[0]]`, but I actually still get the data from the server (which is a big no-no for us).

I even tried this rule on the istio-system namespace, and still no luck.

Did anyone have this issue? Since I only want to restrict one port, I cannot use gateways.istio-ingressgateway.loadBalancerSourceRanges. Also, I have HTTP ports as well, and this kind of rule works 100% there.

So after some pain I did figure it out. In the end I was tasked to make sure that a specific IP has access to that port.

I was using an NLB so the IP would not be visible to Envoy. As such, first enable proxy protocol at the NLB level, then enable it in Envoy. I created the policy at the ingress gateway level to make sure that the traffic is stopped as close as possible to the source.
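As an added example (not the poster's own configuration), the two pieces the follow-up describes, wired together: PROXY protocol requested on the AWS NLB and parsed by the gateway's Envoy, plus a DENY policy bound to the ingress gateway that rejects TCP port 4242 from every source outside one allowed range. The CIDR 203.0.113.0/24, the gateway pod labels and the IstioOperator component name are assumptions.

```yaml
# Added example (not the poster's own config). Restricts TCP port 4242 on the
# Istio ingress gateway to one allowed CIDR; the CIDR, the gateway labels and
# the gateway component name are assumed values.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        serviceAnnotations:
          # Ask the AWS NLB to prepend the PROXY protocol header (in-tree
          # AWS cloud-provider annotations; the AWS Load Balancer Controller
          # uses a target-group attribute instead)
          service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
          service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
        podAnnotations:
          # Tell the gateway's Envoy to parse that header, so the real client
          # address is what the authorization policy evaluates
          proxy.istio.io/config: |
            gatewayTopology:
              proxyProtocol: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-4242-except-allowed
  namespace: istio-system          # bound to the gateway, not the workload
spec:
  selector:
    matchLabels:
      istio: ingressgateway        # assumed label of the gateway pods
  action: DENY
  rules:
  - from:
    - source:
        # remoteIpBlocks is filled from PROXY protocol / XFF. Without PROXY
        # protocol behind an NLB it holds the NLB's address, so this rule
        # would deny every client, including the allowed one.
        notRemoteIpBlocks: ["203.0.113.0/24"]    # constructed allow-list
    to:
    - operation:
        ports: ["4242"]            # only this TCP port; HTTP ports untouched
```

Because the policy is a DENY scoped to port 4242, the gateway's other ports keep whatever policy they already have, which an ALLOW-only policy on the gateway would not do.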