IP Whitelisting with AuthorizationPolicy in EKS

Randy_Loffelmacher · March 9, 2020, 8:12pm

Finally, got something working, though not by using AuthorizationPolicy. Figured I would share this Yaml which finally made it work:

apiVersion: v1
kind: Service
metadata:
  name: httpbin
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  type: NodePort
  ports:
  - port: 80
    name: http
    targetPort: 80
  selector:
    app: httpbin

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        name: httpbin
        ports:
        - containerPort: 80
          name: http

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: rsl-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.example.com"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - rsl-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: httpbin
      weight: 100

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rsl-envoyfilter
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
    - listenerMatch:
        portNumber: 80
        listenerType: GATEWAY
      filterName: envoy.lua
      filterType: HTTP
      filterConfig:
        inlineCode: |
          function envoy_on_request(request_handle)
            local xff_header = request_handle:headers():get("X-Forwarded-For")
            local first_ip = string.gmatch(xff_header, "(%d+.%d+.%d+.%d+)")();
            first_ip = string.gsub(first_ip, ",", "")
            request_handle:headers():add("X-Custom-User-IP", first_ip);
          end

---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: rsl-whitelistip
spec:
  compiledAdapter: listchecker
  params:
    overrides:
      - <redacted>
      - <redacted>
    blacklist: false
    entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: rsl-sourceip
spec:
  compiledTemplate: listentry
  params:
    value: request.headers["x-custom-user-ip"] | "0.0.0.0"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: rsl-whitelistip
    instances: [ rsl-sourceip ]

Topic		Replies	Views
In AKS: IP range filtering at ingress when Load Balancer behind a proxy (externalTrafficPolicy is Local) Networking	4	637	July 31, 2023
Istio proxy protocol does not work for tcp stream on EKS Networking	0	1172	July 19, 2020
Deprecated Mixer security	3	675	March 23, 2020
Istio/envoy on IPv6 EKS Cluster	0	544	June 6, 2023
Using Kafka protocol filter with Istio Networking	6	5345	June 19, 2023

IP Whitelisting with AuthorizationPolicy in EKS

Related Topics