Hi,
I have a very specific use case which I’m not able to solve.
We have istio deployed, with the minimal profile, and we use strict mTLS throughout a namespace.
The workloads have unrestricted access to the public internet from within the mesh, that’s why we use OutboundTrafficPolicy.Mode=ALLOW_ANY.
We would like to add a rule/authorization to deny access from within the mesh to a specific IP.
Does anyone know how this can be achieved without switching to REGISTRY_ONLY?
Many thanks
Currently, authorization policy is enforced only on inbound traffic, meaning you cannot use it alone to reject outbound requests.
However, you could still achieve this if you deploy an egress gateway in the mesh and force your workload’s outbound traffic to go through it; then you can apply the authorization policy on the egress gateway. See Istio / Egress Gateways for more details about configuring the egress gateway and its security implications (you will need a separate k8s NetworkPolicy to make sure the workload won’t be able to bypass the egress gateway).
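An added example of the two pieces that answer describes, not configuration from the thread or from the Istio docs: a DENY AuthorizationPolicy bound to the egress gateway, and a NetworkPolicy so the workloads can only reach DNS, istiod and the gateway itself. Assumed values: 203.0.113.10 stands in for the blocked IP, the gateway carries the standard istio: egressgateway label in istio-system, the workloads live in a namespace called apps, and the ServiceEntry/VirtualService routing that sends traffic through the gateway (covered in the linked docs) is already in place; the hosts match only applies to HTTP traffic the gateway can see the Host header of.

```yaml
# Added example (not from the thread). Constructed values: 203.0.113.10 (TEST-NET-3)
# is the blocked IP; gateway label istio: egressgateway in istio-system; workloads in "apps".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-blocked-ip
  namespace: istio-system   # a gateway policy lives in the gateway's namespace
spec:
  selector:
    matchLabels:
      istio: egressgateway
  action: DENY
  rules:
  - to:
    - operation:
        # matches the HTTP Host/:authority header, with or without a port suffix
        hosts: ["203.0.113.10", "203.0.113.10:*"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-via-gateway-only
  namespace: apps
spec:
  podSelector: {}            # every pod in the namespace
  policyTypes: ["Egress"]
  egress:
  - to:                      # cluster DNS (default kube-dns labels)
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: kube-system}
      podSelector:
        matchLabels: {k8s-app: kube-dns}
    ports:
    - {port: 53, protocol: UDP}
    - {port: 53, protocol: TCP}
  - to:                      # the sidecar's xDS connection to istiod
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: istio-system}
      podSelector:
        matchLabels: {app: istiod}
    ports:
    - {port: 15012, protocol: TCP}
  - to:                      # the egress gateway; nothing else is reachable,
    - namespaceSelector:     # so a direct connection to 203.0.113.10 is dropped
        matchLabels: {kubernetes.io/metadata.name: istio-system}
      podSelector:
        matchLabels: {istio: egressgateway}
```

The NetworkPolicy is what actually closes the bypass: with ALLOW_ANY the sidecar would otherwise open a direct passthrough connection to the external IP, and the gateway policy would never see it.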
Thanks for the answer.
In the end, we came to the same conclusion. And actually, it is even recommended in the Istio docs to also use network policies for extra security configurations.