Finally got something working, though not by using AuthorizationPolicy. Figured I would share the YAML that finally made it work:
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  # NOTE(review): AWS load-balancer annotations are only acted on for a Service
  # of type LoadBalancer; on this NodePort Service they look inert — confirm
  # whether they were meant for the ingress gateway's Service instead.
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  type: NodePort
  selector:
    app: httpbin
  ports:
    - name: http
      port: 80
      targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
        - name: httpbin
          # No tag or digest: the image resolves to whatever the registry
          # serves as the default tag at pull time. Pin it for reproducibility.
          image: docker.io/kennethreitz/httpbin
          ports:
            - name: http
              containerPort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: rsl-gateway
spec:
  # Binds this Gateway to the pods carrying the default ingress gateway label.
  selector:
    istio: ingressgateway
  servers:
    # Plaintext HTTP on port 80 only; no TLS server is defined here.
    - hosts:
        - "httpbin.example.com"
      port:
        name: http
        number: 80
        protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  gateways:
    - rsl-gateway
  # "*" leaves host filtering to the Gateway, which lists only
  # httpbin.example.com.
  hosts:
    - "*"
  http:
    - match:
        - uri:
            prefix: /
      # Single destination, so the weight is effectively the whole route.
      route:
        - destination:
            host: httpbin
          weight: 100
---
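apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rsl-envoyfilter
  namespace: istio-system
spec:
  # Applies only to the ingress gateway pods matched by this label.
  workloadLabels:
    app: istio-ingressgateway
  filters:
    - listenerMatch:
        portNumber: 80
        listenerType: GATEWAY
      filterName: envoy.lua
      filterType: HTTP
      filterConfig:
        # Derives X-Custom-User-IP from X-Forwarded-For so the listentry
        # instance can check it against the IP allow-list handler.
        # NOTE(review): the first XFF entry is whatever the client sent unless
        # every hop in front of the gateway rewrites the header; confirm how the
        # proxy-protocol load balancer and the gateway populate XFF, and prefer
        # the entry appended by the last trusted hop if clients can set it.
        inlineCode: |
          function envoy_on_request(request_handle)
            local headers = request_handle:headers()
            -- Drop any caller-supplied value first so only this filter decides
            -- what the allow-list rule sees; add() would merely append to it.
            headers:remove("X-Custom-User-IP")
            local xff_header = headers:get("X-Forwarded-For")
            -- No XFF at all: leave the header unset so the listentry instance
            -- falls back to its "0.0.0.0" default, instead of erroring on a nil
            -- argument to string.gmatch as the original did.
            if xff_header == nil then
              return
            end
            -- Dots are escaped so only a dotted quad matches; unescaped, "."
            -- accepted any character between the digit runs. IPv4 only, as
            -- before. string.match returns the first capture, which is the
            -- same entry the original gmatch(...)() call returned.
            local first_ip = string.match(xff_header, "(%d+%.%d+%.%d+%.%d+)")
            if first_ip == nil then
              return
            end
            headers:replace("X-Custom-User-IP", first_ip)
          end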
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: rsl-whitelistip
spec:
  compiledAdapter: listchecker
  params:
    entryType: IP_ADDRESSES
    # blacklist: false makes the overrides an allow-list — only listed
    # addresses pass the check.
    blacklist: false
    # Placeholders; replace with the real allowed addresses.
    overrides:
      - <redacted>
      - <redacted>
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: rsl-sourceip
spec:
  compiledTemplate: listentry
  params:
    # Reads the header set by the rsl-envoyfilter Lua filter (header names are
    # lower-case in the attribute). When it is absent the value is "0.0.0.0",
    # which presumably fails the allow-list unless that address is listed.
    value: 'request.headers["x-custom-user-ip"] | "0.0.0.0"'
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  # Only evaluated for traffic whose source workload is the ingress gateway.
  match: 'source.labels["istio"] == "ingressgateway"'
  actions:
    - handler: rsl-whitelistip
      instances:
        - rsl-sourceip