Get source IP addres of client

I am running a k3s cluster on k3os. I have disabled traefik default ingress and I am using Istio’s. I am testing on a one node cluster:

$ kubectl get all -n istio-system
NAME                                        READY   STATUS    RESTARTS   AGE
pod/istiod-5fc87c89fd-hs59x                 1/1     Running   1          20h
pod/svclb-istio-ingressgateway-wlsrs        5/5     Running   5          20h
pod/istio-ingressgateway-69494cdb45-zll45   1/1     Running   1          20h

NAME                           TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)                                                                      AGE
service/istiod                 ClusterIP      10.43.211.222   <none>            15010/TCP,15012/TCP,443/TCP,15014/TCP                                        46h
service/istio-ingressgateway   LoadBalancer   10.43.150.45    192.168.122.200   15021:31028/TCP,80:31562/TCP,443:32761/TCP,15012:32229/TCP,15443:31956/TCP   46h

I am trying to use an AuthorizationPolicy to only allow certain IPs to a service. Only a set of IPs should be able to reach a specific pod.

Currently, it seems the AuthorizationPolicy only reacts to allowing/denying IPs in the range 10.42.0.0/16 i.e. ClusterIPs. Based on this, the problem seems I am not being able to configure Istio to pass on the source IP of the request.
In this environment, what do I need to do to configure Istio to pass on the real origin IP of the request, so the AuthorizationPolicy gets applied correctly?

You might consider to use the “X-Forwarded-For HTTP header” or the “Proxy Protocol” to pass the real source IP, see Istio / Authorization on Ingress Gateway for more information.