Ingress gateway IP whitelist with AuthorizationPolicy


Does anyone know how to do IP whitelist with AuthorizationPolicy?


Here is what I tried:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-authorizationpolicy
  namespace: test
spec:
  # Applies to the nginx workload in the test namespace.
  selector:
    matchLabels:
      app: nginx
  rules:
  - from:
    - source:
        # Only accept traffic that arrived through the ingress gateway.
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    when:
    # Header keys are written unquoted inside the brackets; "ip" is the placeholder for the client address.
    - key: request.headers[x-forwarded-for]
      values: ["ip"]
```



You can use the ipBlocks field under the Source section.

Please take a look at the PR that adds a new task for using authorization policy for IP whitelisting, or the rendered page.

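A concrete form of the ipBlocks suggestion above, added here as an example; it is not code from the original thread or from the Istio documentation. It assumes the default `app: istio-ingressgateway` label on the gateway deployment in `istio-system`; the two address ranges are constructed from RFC 5737 documentation space and stand in for whatever the real allowlist is. The policy is attached to the gateway workload itself rather than to an application sidecar, because the gateway is the first Envoy that sees the client connection.

```yaml
# Added example: allow only two client networks through the ingress gateway.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-ip-allowlist
  namespace: istio-system
spec:
  # Match the ingress gateway pods (label assumed from the default install).
  selector:
    matchLabels:
      app: istio-ingressgateway
  # No "action" field: the default is ALLOW, which also keeps this valid on 1.4.
  # With at least one ALLOW rule present, every request that matches no rule is rejected with 403.
  rules:
  - from:
    - source:
        # Constructed allowlist (RFC 5737 documentation ranges, not real clients).
        ipBlocks:
        - "203.0.113.0/24"
        - "198.51.100.7"
```

One caveat a practitioner should check before relying on this: `ipBlocks` is evaluated against the source address of the TCP connection that reaches the gateway, not against any `x-forwarded-for` header. Behind a cloud LoadBalancer Service that address is often the load balancer's, so the original client IP has to be preserved, which on Kubernetes means setting `externalTrafficPolicy: Local` on the `istio-ingressgateway` Service. Verify with a request from an address outside the list and confirm it gets a 403; if everything is allowed or everything is denied, the gateway is almost certainly seeing the load balancer's address instead of the client's.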

Thanks for the documentation. I was successful in restricting traffic for all workloads that use the ingress gateway. However, I am looking to restrict traffic for a single workload and allow traffic for the rest. Any recommended way to do this?

In this case, it makes more sense to use the authorization deny policy that denies the request from the specific workload. This is a new feature in the authorization policy in 1.5, you can take a preview at this task:
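One way to apply the DENY suggestion above while leaving every other application open, added here as an example and not taken from the original thread or the Istio documentation. It assumes Istio 1.5 or later (the `action` field), the default `app: istio-ingressgateway` label, and a constructed hostname `nginx.example.com` and constructed RFC 5737 allowlist. The policy is still attached to the gateway, not to the nginx sidecar: by the time traffic reaches the sidecar the connection's source address is the gateway pod's IP, so an `ipBlocks` match there would never see the external client. Scoping the rule with `to.operation.hosts` confines the deny to the one application.

```yaml
# Added example: deny traffic to a single host unless the client is on the allowlist.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-nginx-outside-allowlist
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway   # label assumed from the default install
  # DENY policies are evaluated before ALLOW policies, so this cannot be
  # overridden by a broader allow rule elsewhere.
  action: DENY
  rules:
  # A request is denied only when BOTH conditions in the rule hold:
  #   - the connection source is NOT in the constructed allowlist, and
  #   - the request is addressed to the nginx host.
  # Requests for any other host never match this rule and are unaffected.
  - from:
    - source:
        notIpBlocks:
        - "203.0.113.0/24"
        - "198.51.100.7"
    to:
    - operation:
        hosts: ["nginx.example.com"]   # constructed hostname for the single workload
```

The same `externalTrafficPolicy: Local` requirement applies here, since `notIpBlocks` also inspects the connection's source address. A quick check is to request `nginx.example.com` and a second host from an address outside the list: the first should return 403 from the gateway and the second should succeed.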

One last question, is there any place where denied requests are logged and at what log level?

Thanks again!

Currently it's only logged at debug level (you need to set rbac:debug in Envoy). If you enabled access logging, you should also see a 403 logged.

Is Istio 1.4.5 supported?

Yes, the authorization policy was introduced in 1.4 and deprecates the old RBAC policy in Istio.