Header Based Policy Rule x-real-ip

I created a Rule based on the documentation here: https://istio.io/docs/tasks/policy-enforcement/denial-and-list/#ip-based-whitelists-or-blacklists

I changed the source.ip of the listentry resource to request.headers["x-real-ip"] as Istio is operating behind nginx-ingress. Unfortunately this rule doesn't work at all. I already checked it with mixc. Are header based policies supported right now?

Hi!
The reason it does not work is a mismatched type. Using entryType: IP_ADDRESS assumes that the entry is an IP address value, while the header request.headers["x-real-ip"] is a string value.

Can you try using ip(request.headers["x-real-ip"] | "0.0.0.0") instead?
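The full set of Mixer resources with that cast applied, as an added example rather than anything posted in this thread. It follows the listentry / listchecker / rule layout of the linked Istio 1.0 denial-and-list task; the IP range, the resource names (blockip, clientip, checkclientip), the entryType spelling IP_ADDRESSES and the nginx-ingress match label are assumptions to be checked against your Istio version and your ingress deployment:

```yaml
# Added example: block a client range based on the x-real-ip header set by
# nginx-ingress. Applied to istio-system, as in the thread. Resource kinds
# and fields follow the Istio 1.0 listchecker/listentry reference; verify
# field names against the adapter docs of the Istio version in use.
apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: blockip            # assumed name
  namespace: istio-system
spec:
  # Static list; in production the list is usually fetched via providerUrl.
  overrides: ["203.0.113.0/24"]   # assumed (TEST-NET-3) range to deny
  blacklist: true
  entryType: IP_ADDRESSES          # entries are compared as IP addresses
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: clientip           # assumed name
  namespace: istio-system
spec:
  # The header is a string; ip() converts it to the IP_ADDRESS type the
  # checker expects. The default keeps evaluation from failing when the
  # header is absent: 0.0.0.0 is not in the blacklist, so such requests
  # pass. Flip blacklist to false (whitelist) if missing-header requests
  # must be denied instead.
  value: ip(request.headers["x-real-ip"] | "0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkclientip      # assumed name
  namespace: istio-system
spec:
  # Assumed match: only evaluate for traffic that entered through the
  # nginx-ingress-fronted path; adjust the attribute to your setup.
  match: destination.labels["app"] == "my-service"
  actions:
  - handler: blockip.listchecker
    instances:
    - clientip.listentry
```

Two points a practitioner should check before relying on this. First, x-real-ip is an ordinary request header: the policy is only as trustworthy as the guarantee that nginx-ingress overwrites it with the connection's source address on every request, since any header value that reaches the sidecar unchanged can be chosen by the client. Second, the `| "0.0.0.0"` default decides what happens when the header is missing, and the outcome differs between blacklist and whitelist mode, so test the missing-header case explicitly with curl rather than only the listed-address case.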

This works. At least mixc does provide the correct output when I apply those resources to the istio-system namespace. Anyway, traffic is not blocked when accessing the service with curl, although the IP is reported correctly according to the istio-proxy debug logs. The service is in another namespace though. If I put the rule, listentry resources and so on into that namespace, it doesn't even work with mixc.

After a pod restart of the target service it works. Thank you.