The problem I am facing is that the origin.ip value does not contain the original IP address of the visitor but the load balancer IP. When I switch the Istio ingress gateway externalTrafficPolicy to Local, the correct origin.ip is propagated.
But when externalTrafficPolicy is set to Local, network routing stops working with the error "upstream connect error or disconnect/reset before headers. reset reason: connection termination".
@YangminZhu Could you please shed some light on this? White-listing is a very common practice, but it seems Istio doesn't have any support for this. Is there any workaround for the time being?
I also set externalTrafficPolicy to Local in order to expose the real client IP.
This works well for me and the ingress gateway is able to forward the request to my httpbin backend in the cluster.
The error "upstream connect error or disconnect/reset before headers. reset reason: connection termination." seems like some TLS connection issue.
@jaygridley, did you apply any TLS setting on the ingress gateway or any authentication policy in the cluster? It might also be worth trying it again in Istio 1.2.
Thanks for looking into this. Your solution is interesting, since you're also using externalTrafficPolicy set to Local to get the real client IP. What are the recommendations/best practices for this: using RBAC or a white-list policy, assuming both work?
I'm not familiar with externalTrafficPolicy and not sure about the best practice here; you might want to check with someone from networking, cc @rshriram @Costin_Manolache1
I think both RBAC and a white-list policy should just work in this case. Note I would recommend using RBAC in this case, as it's enforced right in the Envoy process, which is much faster since it doesn't send the check to a remote server.
I've tried the RBAC approach with externalTrafficPolicy set to Local, but source.ip seems to contain an IP chain, e.g. 172.29.3.75,164.38.33.33, so my whitelist does not match. Can Envoy filter this out and populate source.ip with the real remote IP?
What parameter do I need to set in the handler? Could you help me out? I have already set externalTrafficPolicy to Local for the istio-ingressgateway service.
@jaygridley, did you get this running? Could you share the config with me, if possible?
The problem for external IPs is that source.ip contains the IP of the ingress gateway pod, and not the real IP. When the request passes through the ingress gateway, a header x-envoy-external-address is added to the request. It is not injected when the request comes from the internal network, though, so you have to filter in the match to avoid a nil error.
My configuration is the following, trying to map yours:
As Mixer has been deprecated in 1.5, please consider using authorization policy to allow/deny requests. If you have more concerns with new API, please file an issue.
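As an added illustration of the allow-listing logic discussed in this thread (the comma-separated IP chain seen in source.ip, and the address header that is absent for in-cluster traffic), written for this page and not code from any poster or from Istio. It assumes the gateway appends the address of the connection it accepted to the chain, so with no trusted proxies in front of it the rightmost entry is the client; the sample chain is modelled on the one quoted above and the allow-list networks are constructed.

```python
import ipaddress
from typing import Optional

# Constructed sample values, modelled on the chain quoted in the thread.
CHAIN_FROM_THREAD = "172.29.3.75,164.38.33.33"
ALLOWLIST = [ipaddress.ip_network(n) for n in ("164.38.33.0/24", "10.0.0.0/8")]


def client_ip_from_chain(chain: Optional[str], num_trusted_proxies: int) -> Optional[str]:
    """Pick the real client address out of an X-Forwarded-For style chain.

    Each hop appends the address it received the request from, so the
    rightmost entries belong to proxies we operate and trust. Counting
    num_trusted_proxies entries in from the right lands on the address the
    first trusted hop saw, i.e. the client. Anything further left may have
    been supplied by the client itself and must not drive an allow-list.
    Returns None when the chain is absent, e.g. an in-cluster request that
    never passed the gateway, so the header was not injected (assumption).
    """
    if not chain:
        return None
    hops = [h.strip() for h in chain.split(",") if h.strip()]
    index = len(hops) - 1 - num_trusted_proxies
    if index < 0:
        # Fewer hops than trusted proxies: truncated chain or wrong proxy
        # count; report unknown rather than guessing an address.
        return None
    try:
        return str(ipaddress.ip_address(hops[index]))
    except ValueError:
        return None


def is_allowed(chain: Optional[str], num_trusted_proxies: int) -> bool:
    """Allow only when the extracted client address is inside ALLOWLIST.

    A missing or unparsable address fails closed, which is the behaviour
    wanted for internal requests that carry no external-address header.
    """
    client = client_ip_from_chain(chain, num_trusted_proxies)
    if client is None:
        return False
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in ALLOWLIST)
```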