IP whitelisting trouble - ingress gateway is always seeing the cluster IP

jeinwag · November 15, 2019, 3:10pm

Hi,
I’m currently running Istio 1.3.5 on a bare metal cluster and I’m trying to get the IP whitelist example (https://istio.io/docs/tasks/policy-enforcement/denial-and-list/) to work. The ingress gateway service is of type LoadBalancer, IP adresses are provided by MetalLB.
I’ve already set externalTrafficPolicy to Local for the ingress gateway service. But it looks like the gateway is still seeing some cluster IP, not the real client IP address (in the source.ip attribute), since the reply always looks like this:
PERMISSION_DENIED:whitelistip.default:10.1.198.225 is not whitelisted

I’m currently out of ideas, so any hints will be appreciated.

aadhik · January 2, 2020, 4:27pm

Were you able to resolve and implement IP white listing

jeinwag · January 13, 2020, 7:54am

The only working way we found was for HTTP connections using some container containing the IP-Adresse, e.g. X-Forwared-For or X-Real-IP.

Topic		Replies	Views
Istio Ingress IP whitelisting Networking	14	7101	February 28, 2020
IP whitelisting in Istio? Networking	4	1175	July 19, 2019
IP Whitelisting at Istio security	1	1027	January 8, 2020
Whitelisting/blacklisting IPs Policies and Telemetry	6	1572	February 28, 2020
IP Whitelisting for Single Service Networking	0	391	April 30, 2020

IP whitelisting trouble - ingress gateway is always seeing the cluster IP

Related Topics