I want to use Istio authorization rules and write one that validates the user’s country:
- get the user’s country from the JWT token
- get the “current” HTTP request’s country by IP
- block user access if the IP country is different from the JWT-token country.
Is that possible? If yes, how?
You will need to write some code to achieve this. Istio can allow or deny a request based on the claims presented in a JWT (see request.auth.claims in this doc); however, Istio cannot natively geolocate IP addresses.
You could achieve this in a couple of different ways. You could write a Lua filter which extracts the source IP, does the country lookup, compares the result to the claim in the JWT, and then allows or rejects the request. Or you could implement an external authz service which Istio would check with before allowing the request to enter the mesh.
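As an added example (not code from the question or the answer above), here is the core decision logic such an external authz service could run. It assumes Istio's RequestAuthentication has already verified the JWT signature before forwarding the request, and the GEOIP_TABLE below is a constructed stand-in for a real geolocation database.

```python
import base64
import ipaddress
import json

# Constructed stand-in for a real GeoIP database (assumption for this example).
GEOIP_TABLE = {
    "203.0.113.0/24": "DE",
    "198.51.100.0/24": "US",
}


def country_of_ip(ip):
    """Return the ISO country code for an IP address, or None if unknown."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    for cidr, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def jwt_claims(authorization):
    """Decode the JWT payload from a Bearer header WITHOUT verifying the signature.
    This relies on Istio's RequestAuthentication having verified the token before
    the request reached ext_authz; otherwise the service must verify it itself."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def decide(authorization, client_ip, claim="country"):
    """Return (allowed, reason); fails closed whenever an input is missing.
    client_ip must be the address Istio trusts (the downstream peer, or the XFF
    hop selected via gatewayTopology.numTrustedProxies), never a raw client header."""
    claims = jwt_claims(authorization)
    if claims is None or claim not in claims:
        return False, "missing or unreadable country claim"
    try:
        ip_country = country_of_ip(client_ip)
    except ValueError:
        return False, "invalid client IP"
    if ip_country is None:
        return False, "client IP not geolocated"
    if ip_country != claims[claim]:
        return False, f"claim {claims[claim]} != ip country {ip_country}"
    return True, "country matches"
```

The tuple maps directly onto the ext_authz response: an HTTP ext_authz server answers 200 for allowed and 403 otherwise, and the reason is useful to log for detection of claim/location mismatches.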