I am facing some issues in configuring the Istio authorization policy in my EKS cluster. I have an EKS cluster behind an AWS Classic Load Balancer and we are trying to ALLOW only specific IPs to reach the service.
We are applying this authorization policy -

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-ingress-policy
  namespace: example
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: jenkins
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks:
        - 220.127.116.11   # example IP
```
EXPECTED BEHAVIOR - This policy should block all public access except from IP 18.104.22.168 (example).
ACTUAL BEHAVIOR - This policy is giving access denied even to this IP 22.214.171.124.
**ENVOY ACCESS LOGS -**

```
[2021-xx-xxTxx:xx:xx.xx7Z] "POST /ajaxExecutors HTTP/1.1" 200 - "-" 0 361 2 1 "126.96.36.199(ALLOWED IP) , xx.xx.xx.xxx" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/xx.x.xxxx.xxx Safari/xxx.xx" "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" "xxxxx.xxxxxxxx.com" "xxx.x.x.x:8080" inbound|8080|| 127.0.0.1:32906 10.120.xx.xx:8080 10.120.xx.xxx:0 outbound_.8080_._.*****.******.svc.cluster.local default
```
POSSIBLE ISSUE - Istio is not able to pick up the correct IP after it is forwarded from the load balancer. I have followed this link to debug the original client IP issue - Istio / Authorization on Ingress Gateway
Still facing the issue.
Key Information -
LOADBALANCER TYPE - AWS Classic Load Balancer
ISTIO VERSION - 1.18.2
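The configuration below is an added example by the editor; it is not part of the original post and not taken from Istio's own documentation. It shows the posted policy next to the form that matches on the forwarded client address, and the mesh setting that tells the gateway how many hops of `X-Forwarded-For` to trust. It assumes the stock Istio ingress gateway labelled `istio: ingressgateway` in `istio-system`, exactly one proxy (the Classic ELB, with HTTP/HTTPS listeners so that it appends `X-Forwarded-For`) in front of that gateway, and the hostname `jenkins.example.com`, which is a placeholder; the IP is the example address from the post.

```yaml
# Added example, not the original post's configuration.
# Assumptions: stock istio-ingressgateway in istio-system, one trusted hop
# (the Classic ELB) in front of it, ELB listeners in HTTP/HTTPS mode so the
# ELB adds X-Forwarded-For, hostname jenkins.example.com is a placeholder.

# 1. Mesh setting: how many proxies in front of the gateway are trusted when
#    deriving the client address from X-Forwarded-For. With numTrustedProxies: 1
#    the client address is the first entry from the right of the header as it
#    arrives at the gateway, i.e. the address the ELB appended. Without this
#    setting the "client" address is the peer of the TCP connection (the ELB).
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1
---
# 2. The weak policy from the post, for comparison. ipBlocks matches the
#    source address of the connection reaching the sidecar, which is the
#    ingress gateway pod, never the external client, so every request fails
#    the ALLOW rule and is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-ingress-policy-weak   # renamed so both objects can coexist
  namespace: example
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: jenkins
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks:
        - 220.127.116.11   # example IP from the post
---
# 3. Corrected policy: enforced at the ingress gateway, where the trusted
#    X-Forwarded-For entry is evaluated, using notRemoteIpBlocks (the address
#    derived from XFF) instead of ipBlocks (the connection peer). A DENY with a
#    host restriction limits the rule to the Jenkins virtual host, so other
#    hosts served by the same gateway are not affected.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: jenkins-allowlist
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRemoteIpBlocks:
        - 220.127.116.11/32   # example IP from the post, CIDR form
    to:
    - operation:
        hosts:
        - jenkins.example.com   # placeholder hostname
```

Apply with `kubectl apply -f` (the `IstioOperator` part through `istioctl install -f`, or by editing the existing operator resource). Because `remoteIpBlocks`/`notRemoteIpBlocks` trust a header, the gateway must only be reachable through the ELB (for example by restricting the node security group to the ELB), otherwise a client that reaches the gateway directly can present its own `X-Forwarded-For` and the allowlist gives no assurance. If the ELB is left in TCP mode it does not add the header at all; in that case the equivalent is to enable PROXY protocol on both the ELB and the gateway rather than relying on `X-Forwarded-For`.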