IP whitelisting in Istio?

Hi! I am trying to set up IP whitelisting per-service, so that certain services will accept traffic only from client IPs on a whitelist. I followed these instructions:

but this only matches against the source.ip, which I believe is that of the ingressgateway and not the client.

I also set pilot.env.PILOT_SIDECAR_USE_REMOTE_ADDRESS=true on my helm install, but I don’t know:

  • what header the client’s IP is in
  • how to match it against the whitelist

Little help?

Hi!

There is origin.ip that should be the IP of the client at the ingress.
You may be able to use request.headers["x-forwarded-for"], but you may need prefix/suffix string matching, since it's potentially a long list of IPs.

Yeah, I’m actually investigating using nginx-ingress for my ingress, instead of Istio’s. Now I have two problems!

You can write nginx config to store real client ip in some special header and then read it as request.header["magic-header-or-whatever-you-call-it"].
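Added illustration, not code from this thread, from Istio or from nginx-ingress: whichever header ends up carrying the client address (x-forwarded-for from the ingress, or a custom header nginx is configured to set), the value is a comma-separated chain that the client can prepend to at will, so a whitelist check must not simply take the leftmost entry. The example below walks the chain from the right, skips the hops that belong to proxies we operate, and checks the first remaining address against the whitelist. The proxy CIDR (10.42.0.0/16), the whitelisted networks and all request samples are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed for this example: the pod network our ingress proxies run in,
# and the client networks the service is allowed to accept. Both are assumptions.
TRUSTED_PROXIES = [ipaddress.ip_network("10.42.0.0/16")]
WHITELIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For style value into its hop strings, left to right."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def client_ip(peer_addr: str, xff_header: Optional[str], trusted_proxies):
    """Recover the real client address from the forwarding chain.

    Each proxy appends the peer address it accepted the connection from, so the
    chain reads  client, proxy1, proxy2, ...  and the TCP peer of the hop doing
    this check is the implicit last entry. Walking from the right, every entry
    inside a trusted proxy network was appended by something we operate and is
    skipped; the first entry that is not a trusted proxy is the address our
    outermost proxy actually saw. Everything further left was supplied by the
    client and is ignored, which is what defeats header spoofing.
    """
    chain = parse_xff(xff_header) + [peer_addr]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: treat the whole chain as untrustworthy
        if not any(addr in net for net in trusted_proxies):
            return addr
    # Every hop was a trusted proxy, so the request originated inside that
    # network; the leftmost entry is the originating address.
    return ipaddress.ip_address(chain[0])


def naive_leftmost(xff_header: Optional[str]):
    """The tempting but wrong approach: trust the first entry in the header."""
    hops = parse_xff(xff_header)
    return ipaddress.ip_address(hops[0]) if hops else None


def is_whitelisted(addr, whitelist) -> bool:
    return any(addr in net for net in whitelist)


def check_request(peer_addr: str, xff_header: Optional[str],
                  trusted_proxies=TRUSTED_PROXIES,
                  whitelist=WHITELIST) -> Tuple[bool, Optional[str]]:
    """Return (allowed, client_ip) for one request as the sidecar would see it."""
    addr = client_ip(peer_addr, xff_header, trusted_proxies)
    if addr is None:
        return False, None
    return is_whitelisted(addr, whitelist), str(addr)


if __name__ == "__main__":
    # Constructed samples: the sidecar's TCP peer is always the nginx-ingress
    # pod 10.42.0.7, and the header is what nginx forwarded.
    print(check_request("10.42.0.7", "203.0.113.45"))                 # legitimate client
    print(check_request("10.42.0.7", "203.0.113.45, 192.0.2.99"))     # spoof attempt, denied
    print(is_whitelisted(naive_leftmost("203.0.113.45, 192.0.2.99"),
                         WHITELIST))                                  # naive check is fooled
    print(check_request("10.42.0.7", None))                           # in-cluster caller, no header
    print(check_request("10.42.0.7", "not-an-ip"))                    # garbage header, denied
```

The trusted set must contain only addresses that really are your proxies: anything in that range can forge the chain, so keep it to the ingress pod CIDR rather than the whole cluster. The same function works whether the address arrives in x-forwarded-for or in a custom header nginx was told to set, as long as you know how many proxies of yours sit in front of the check.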

I don't think I understand. I just deployed the nginx-ingress and then set an Ingress object to point to a given service with annotations like:

'nginx.ingress.kubernetes.io/service-upstream': true,
'nginx.ingress.kubernetes.io/upstream-vhost': my-app.my-ns.svc.cluster.local

is there something else I need to do to pass the header into Istio? Is there any documentation you can point me to?