IP whitelisting in Istio?

Hi! I am trying to set up IP whitelisting per-service, so that certain services will accept traffic only from client IPs on a whitelist. I followed these instructions:

but this only matches against the source.ip, which I believe is that of the ingressgateway and not the client.

I also set pilot.env.PILOT_SIDECAR_USE_REMOTE_ADDRESS=true on my helm install, but I don’t know:

  • what header the client’s IP is in
  • how to match it against the whitelist

Little help?


There is origin.ip that should be the IP of the client at the ingress.
You may be able to use request.headers["x-forwarded-for"], but you may need prefix/suffix string matching, since it's potentially a long list of IPs.
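The X-Forwarded-For list mentioned above is the part a practitioner has to get right: the client can send any X-Forwarded-For value it likes, and every proxy on the path (the ingress, nginx-ingress, the Envoy sidecar) appends the address it saw, so the only trustworthy entries are the rightmost ones written by proxies you control. Prefix matching on the raw header string therefore matches the attacker's claim, not the client. The following is an added example, not code from the thread or from Istio; it shows the standard "trusted hops" resolution in plain Python so the logic can be reasoned about before it is translated into Istio or nginx configuration. The header values, addresses and the hop count are constructed for illustration.

```python
import ipaddress
from typing import List, Optional


def client_ip_from_xff(xff: str, remote_addr: str, trusted_hops: int) -> Optional[str]:
    """Resolve the client IP from an X-Forwarded-For chain.

    The chain is the comma-separated XFF entries (leftmost = what the client
    claims, rightmost = appended by the most recent proxy) followed by the
    address of the TCP peer that delivered the request to us.  Only the
    rightmost `trusted_hops` entries were written by proxies we control;
    everything to the left of them is attacker-supplied and ignored.

    Fails closed (returns None) when the chain is shorter than the number of
    hops we expect, or when the selected entry is not a parseable address.
    """
    if trusted_hops < 0:
        return None
    chain = [part.strip() for part in xff.split(",") if part.strip()]
    chain.append(remote_addr.strip())
    idx = len(chain) - 1 - trusted_hops
    if idx < 0:
        return None
    try:
        return str(ipaddress.ip_address(chain[idx]))
    except ValueError:
        return None


def is_whitelisted(ip: Optional[str], whitelist: List[str]) -> bool:
    """Exact CIDR membership test; no string prefix/suffix matching."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in whitelist)


def check_request(xff: str, remote_addr: str, trusted_hops: int, whitelist: List[str]) -> bool:
    """True if the request should be admitted, False otherwise (including on any parse failure)."""
    return is_whitelisted(client_ip_from_xff(xff, remote_addr, trusted_hops), whitelist)


# Constructed whitelist: only this documentation range is allowed in.
WHITELIST = ["203.0.113.0/24"]

if __name__ == "__main__":
    # Constructed scenario: two trusted proxies (edge 10.0.0.5, then the peer 10.0.1.7)
    # sit between the client 203.0.113.10 and this service.
    print(check_request("203.0.113.10, 10.0.0.5", "10.0.1.7", trusted_hops=2, whitelist=WHITELIST))
    # Constructed spoof: attacker 198.51.100.9 sends a forged XFF naming a whitelisted
    # address; the single trusted edge proxy appends the attacker's real address.
    print(check_request("203.0.113.10, 198.51.100.9", "10.0.1.7", trusted_hops=1, whitelist=WHITELIST))
    # Same forged request, but trusted_hops is set one too high: the forged entry is
    # selected and the whitelist is bypassed. This is the misconfiguration to avoid.
    print(check_request("203.0.113.10, 198.51.100.9", "10.0.1.7", trusted_hops=2, whitelist=WHITELIST))
```

The hop count must equal the number of proxies that actually rewrite the header in front of the service; overstating it by one is enough to let a forged entry through, as the last scenario shows. Whatever mechanism ends up evaluating the whitelist (an Istio rule on a header, or nginx writing a dedicated header from the address it resolved), it should be fed the single address selected this way, not the whole list.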

Yeah, I’m actually investigating using nginx-ingress for my ingress, instead of Istio’s. Now I have two problems!

You can write nginx config to store the real client IP in some special header and then read it as request.header["magic-header-or-whatever-you-call-it"].

I don't think I understand; I just deployed the nginx-ingress and then set an Ingress object to point to a given service with annotations like:

```yaml
metadata:
  annotations:
    nginx.ingress.kubernetes.io/service-upstream: "true"
    nginx.ingress.kubernetes.io/upstream-vhost: my-app.my-ns.svc.cluster.local
```

is there something else I need to do to pass the header into Istio? Is there any documentation you can point me to?