Ingress gateway IP whitelist with AuthorizationPolicy

Hello,

Does anyone know how to do IP whitelist with AuthorizationPolicy?

Thanks!

Here is what I tried:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-authorizationpolicy
  namespace: test
spec:
  selector:
    matchLabels:
      app: nginx
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    when:
    - key: request.headers[x-forwarded-for]
      values: ["ip"]

@istio/wg-security-maintainers


You can use the ipBlocks field under the Source section.

Please take a look at PR that adds a new task for using authorization policy for IP whitelisting: https://github.com/istio/istio.io/pull/6692 or the rendered page (https://deploy-preview-6692--preliminary-istio.netlify.com/docs/tasks/security/authorization/authz-ingress/)


Thanks for the documentation. I was successful in restricting traffic for all workloads that use the ingress gateway. However, I am looking to restrict traffic for a single workload and allow traffic for the rest. Any recommended way to do this?

In this case, it makes more sense to use the authorization deny policy that denies the request from the specific workload. This is a new feature in the authorization policy in 1.5; you can take a preview at this task: https://preliminary.istio.io/docs/tasks/security/authorization/authz-deny/
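The two approaches from the replies above, written out as an added example (not code from this thread or from the Istio docs): the first policy is the gateway-wide allow list built on `ipBlocks`, the second uses the 1.5 DENY action to restrict only one host behind the gateway while leaving other hosts alone. It assumes the gateway pods carry the label `istio: ingressgateway` in `istio-system`, that the gateway Service uses `externalTrafficPolicy: Local` so `ipBlocks` sees the real client address rather than a node IP, and that the single workload is exposed as `nginx.example.com`; `203.0.113.0/24` is a constructed documentation range. Apply one policy or the other, not both.

```yaml
# Added example, not code from the thread or the Istio docs.
# Assumptions: gateway pods in istio-system carry the label
# istio: ingressgateway; the gateway Service has
# externalTrafficPolicy: Local so the sidecar sees the client IP;
# the single workload is reachable as nginx.example.com.
# 203.0.113.0/24 is a constructed documentation range.

# 1. Gateway-wide allow list: only the listed range may enter
#    through the ingress gateway at all (every host is affected).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-ip-allowlist
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["203.0.113.0/24"]
---
# 2. Per-workload restriction: deny requests for one host unless
#    they come from the listed range; other hosts are untouched.
#    action: DENY requires Istio 1.5 or later.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: nginx-ip-allowlist
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notIpBlocks: ["203.0.113.0/24"]
    to:
    - operation:
        hosts: ["nginx.example.com"]
```

Enforcing at the gateway rather than at the workload sidecar matters here: a policy attached to the nginx pod would see the gateway's pod IP as the source, so `ipBlocks` there cannot distinguish external clients.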

One last question, is there any place where denied requests are logged and at what log level?

Thanks again!

Currently it's only logged at debug level (you need to set rbac:debug in Envoy). If you have enabled access logging, you should also see the 403 logged there.

Is Istio 1.4.5 supported?

Yes, the authorization policy was introduced in 1.4 and deprecates the old RBAC policy in Istio.