The topic of IP whitelisting has been covered many times here, but the examples never quite work for me. Maybe because a lot of the examples assume Google Cloud/GKE? I’ve also noticed that most of the threads discussing IP whitelisting have a post telling everybody that Istio 1.5 deprecates Mixer.
I need the most basic IP whitelisting, only those on our local network. So would a single AuthorizationPolicy in the istio-system namespace be capable of this? Or must one also use an EnvoyFilter to do this?
Finally, all the docs which I’ve read indicate that the Istio Ingress must have externalTrafficPolicy set to Local. This setting makes my demo service flat-out stop working. Is it possible to get the IP whitelisting working without that setting? I suspect it may be because I have actually been able to see the IP I want to allow in the logs. The IP I whitelist comes through in a comma-separated list, so it seems like this would be sufficient to allow for the whitelisting. Especially if I were to write a little Lua in my EnvoyFilter.
But again, I can’t even tell if I’m supposed to use EnvoyFilter with AuthorizationPolicy…
Any pointers would be appreciated!
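The two ways a single AuthorizationPolicy on the ingress gateway can allowlist a local network, as an added example that is not part of the post above. It assumes the gateway pods carry the label `istio: ingressgateway`, uses `10.0.0.0/8` as a placeholder for the local network, and the `remoteIpBlocks` variant requires an Istio release newer than the 1.5 mentioned in the post.

```yaml
# Variant A: match the peer address of the TCP connection (no EnvoyFilter needed).
# The gateway only sees the real client address when the ingress Service has
# externalTrafficPolicy: Local; with the default Cluster policy, kube-proxy SNATs
# the connection and the node address is matched instead, so nothing is allowed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-allow-local-net
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway      # assumed gateway label
  action: ALLOW                  # once an ALLOW policy applies, unmatched requests are denied
  rules:
  - from:
    - source:
        ipBlocks:
        - "10.0.0.0/8"           # placeholder for the local network
---
# Variant B: match the client address Envoy derives from X-Forwarded-For
# (the comma-separated list the post sees in the gateway logs). This works with
# externalTrafficPolicy: Cluster, but only after the gateway is told how many
# proxies in front of it are trusted; X-Forwarded-For is client-supplied, so
# without that setting a caller could present any address it likes. Set it on
# the gateway pod template, e.g.
#   proxy.istio.io/config: '{"gatewayTopology": {"numTrustedProxies": 1}}'
# with the number equal to the load balancers/proxies that add to the header.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-allow-local-net-xff
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway      # assumed gateway label
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - "10.0.0.0/8"           # placeholder for the local network
```

Apply only one of the two variants; the check is a request from inside the network returning normally while one from outside the range receives a 403 from the gateway.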