I am running a k3s cluster on k3os. I have disabled traefik default ingress and I am using Istio’s. I am testing on a one node cluster:
$ kubectl get all -n istio-system
NAME READY STATUS RESTARTS AGE
pod/istiod-5fc87c89fd-hs59x 1/1 Running 1 20h
pod/svclb-istio-ingressgateway-wlsrs 5/5 Running 5 20h
pod/istio-ingressgateway-69494cdb45-zll45 1/1 Running 1 20h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/istiod ClusterIP 10.43.211.222 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 46h
service/istio-ingressgateway LoadBalancer 10.43.150.45 192.168.122.200 15021:31028/TCP,80:31562/TCP,443:32761/TCP,15012:32229/TCP,15443:31956/TCP 46h
I am trying to use an AuthorizationPolicy to only allow certain IPs to a service. Only a set of IPs should be able to reach a specific pod.
Currently, it seems the AuthorizationPolicy only reacts to allowing/denying IPs in the range 10.42.0.0/16 i.e. ClusterIPs. Based on this, the problem seems I am not being able to configure Istio to pass on the source IP of the request.
In this environment, what do I need to do to configure Istio to pass on the real origin IP of the request, so the AuthorizationPolicy gets applied correctly?