Hey Everyone,
I am facing some issues configuring the Istio authorization policy in my EKS cluster. My EKS cluster sits behind an AWS Classic Load Balancer, and we are trying to ALLOW only specific IPs to reach our service.
We are applying this authorization policy -
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-ingress-policy
  namespace: example
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: jenkins
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks:
        - 1.2.3.4   # example IP
```
EXPECTED BEHAVIOR - This policy should block all public access except from IP 1.2.3.4 (example).
ACTUAL BEHAVIOR - This policy gives access denied even to IP 1.2.3.4.
**ENVOY ACCESS LOGS -**
```text
[2021-xx-xxTxx:xx:xx.xx7Z] "POST /ajaxExecutors HTTP/1.1" 200 - "-" 0 361 2 1 "1.2.3.4(ALLOWED IP) , xx.xx.xx.xxx" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/xx.x.xxxx.xxx Safari/xxx.xx" "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" "xxxxx.xxxxxxxx.com" "xxx.x.x.x:8080" inbound|8080|| 127.0.0.1:32906 10.120.xx.xx:8080 10.120.xx.xxx:0 outbound_.8080_._.*****.******.svc.cluster.local default
```
POSSIBLE ISSUE - Istio is not able to pick up the correct IP after it is forwarded from the load balancer. I have followed this link to debug the original client IP issue - Istio / Authorization on Ingress Gateway
Still facing the issue.
Key Information -
LOADBALANCER TYPE - AWS Classic Load Balancer
ISTIO VERSION - 1.18.2
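The Istio document linked above distinguishes two source matchers that look at different addresses: `ipBlocks` matches `source.ip`, the peer of the TCP connection that reaches the Envoy enforcing the policy, while `remoteIpBlocks` matches `remote.ip`, the original client recovered from `X-Forwarded-For` (or PROXY protocol) once `numTrustedProxies` is set, for example with the `proxy.istio.io/config` annotation on the gateway pod (`{"gatewayTopology": {"numTrustedProxies": 1}}`). A Classic Load Balancer with an HTTP listener terminates the client's TCP connection, so the peer the gateway sees is the load balancer and the client address survives only in the header. The script below is an added example, not code from the original post or from Istio: it models those documented rules, evaluates the poster's ALLOW policy shape against constructed requests, and shows how `numTrustedProxies` decides whether a client-supplied header can spoof the allowed address. It assumes the policy is enforced at the ingress gateway (as the linked document does); the `203.0.113.10` load balancer and `198.51.100.7` attacker addresses are constructed placeholders.

```python
"""Which address does an Istio AuthorizationPolicy source matcher look at?

Added example, not code from the original post or from Istio itself. It models
the documented matching rule of the two source fields:

  ipBlocks       -> source.ip : peer address of the TCP connection reaching the
                                Envoy that enforces the policy
  remoteIpBlocks -> remote.ip : original client address recovered from
                                X-Forwarded-For, trusting numTrustedProxies hops
                                (Istio: the Nth address from the right end)

Sample addresses below are constructed (RFC 5737 documentation ranges).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    peer_ip: str       # source.ip: who opened the TCP connection to this proxy
    xff: str = ""      # X-Forwarded-For exactly as this proxy received it


def remote_ip(req: Request, num_trusted_proxies: int) -> str:
    """remote.ip as Istio/Envoy derive it for a gateway with numTrustedProxies = N.

    N == 0: nothing in XFF is trusted, remote.ip is simply the peer address.
    N  > 0: the Nth address from the right end of XFF; if XFF has fewer than N
            entries Envoy falls back to the peer address.
    """
    hops = [h.strip() for h in req.xff.split(",") if h.strip()]
    if num_trusted_proxies <= 0 or len(hops) < num_trusted_proxies:
        return req.peer_ip
    return hops[-num_trusted_proxies]


def in_blocks(ip: str, blocks: list[str]) -> bool:
    """True if ip falls inside any entry; entries may be single IPs or CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)


def source_matches(source: dict, req: Request, n: int) -> bool:
    """All fields set on one `source` block must match (they are ANDed)."""
    if "ipBlocks" in source and not in_blocks(req.peer_ip, source["ipBlocks"]):
        return False
    if "remoteIpBlocks" in source and not in_blocks(remote_ip(req, n), source["remoteIpBlocks"]):
        return False
    return True


def allowed(policy: dict, req: Request, num_trusted_proxies: int = 0) -> bool:
    """ALLOW semantics: the request passes if any rule matches; a rule matches if
    it has no `from` list or any one of its `from` entries matches."""
    assert policy["action"] == "ALLOW"
    for rule in policy["rules"]:
        froms = rule.get("from", [])
        if not froms or any(source_matches(f["source"], req, num_trusted_proxies) for f in froms):
            return True
    return False


ALLOWED_CLIENT = "1.2.3.4"     # the IP the post wants to allow

# The post's policy shape: matches on the connection peer.
POLICY_IPBLOCKS = {"action": "ALLOW",
                   "rules": [{"from": [{"source": {"ipBlocks": [ALLOWED_CLIENT]}}]}]}

# Same intent expressed on the XFF-derived client address.
POLICY_REMOTE = {"action": "ALLOW",
                 "rules": [{"from": [{"source": {"remoteIpBlocks": [ALLOWED_CLIENT]}}]}]}

ELB_IP = "203.0.113.10"        # constructed: the load balancer node that opens the TCP connection
ATTACKER_IP = "198.51.100.7"   # constructed: a client trying to spoof X-Forwarded-For


def scenarios() -> dict[str, bool]:
    # Classic ELB (HTTP listener) appends the real client address to XFF.
    legit = Request(peer_ip=ELB_IP, xff=ALLOWED_CLIENT)
    # Attacker sends "X-Forwarded-For: 1.2.3.4"; the ELB appends the attacker's real address.
    spoof = Request(peer_ip=ELB_IP, xff=f"{ALLOWED_CLIENT}, {ATTACKER_IP}")
    return {
        "ipBlocks, legit client": allowed(POLICY_IPBLOCKS, legit, 1),          # peer is the ELB
        "remoteIpBlocks, N=0, legit": allowed(POLICY_REMOTE, legit, 0),        # XFF not trusted
        "remoteIpBlocks, N=1, legit": allowed(POLICY_REMOTE, legit, 1),        # client recovered
        "remoteIpBlocks, N=1, spoofed XFF": allowed(POLICY_REMOTE, spoof, 1),  # ELB's entry wins
        "remoteIpBlocks, N=2, spoofed XFF": allowed(POLICY_REMOTE, spoof, 2),  # over-trusting hops
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} -> {'ALLOW' if ok else 'DENY'}")
```

Two things to take from the run: the posted `ipBlocks` policy can never admit `1.2.3.4` when a load balancer terminates the connection, because the address it compares is the load balancer's, and `numTrustedProxies` must equal the real number of proxies in front of the gateway, since setting it higher than that lets a client choose its own "original" address.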