Istio Ingress IP whitelisting

Hello guys,

I would like to allow access to my K8S cluster only from some set of IPs. So I’ve implemented the approach discussed here https://istio.io/docs/tasks/policy-enforcement/denial-and-list/#ip-based-whitelists-or-blacklists.

The problem I am facing is that the origin.ip value does not contain the visitor's original IP address but the load balancer's IP. When I switch the Istio ingress gateway's externalTrafficPolicy to Local, the correct origin.ip is propagated.

But when externalTrafficPolicy is set to Local, network routing stops working with the error "upstream connect error or disconnect/reset before headers. reset reason: connection termination".

I am on Istio 1.1.8.

Could anyone advise?
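For reference, here is the full set of objects the approach in the post involves, as an added example rather than configuration from the original poster or from the Istio task page: a strategic-merge patch that flips the ingress gateway Service to externalTrafficPolicy: Local, followed by the Istio 1.1 Mixer handler, instance and rule that whitelist by client IP. The allowed CIDR 203.0.113.0/24 is a placeholder, the object names and the istio-system namespace are assumptions, and the attribute checked is origin.ip, as in the post; compare it with the instance shown in the linked task for your Istio version before applying.

```yaml
# ingress-externaltrafficpolicy-patch.yaml
# Strategic-merge patch for the istio-ingressgateway Service (added example,
# not the original poster's file). The default policy, Cluster, lets kube-proxy
# SNAT the connection so the gateway sees a node or load balancer address;
# Local preserves the client source IP, but kube-proxy then only forwards to
# gateway pods running on the node that received the packet.
spec:
  externalTrafficPolicy: Local
---
# Mixer list checker with a static whitelist. The CIDR is a placeholder.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelistip
  namespace: istio-system
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["203.0.113.0/24"]   # placeholder: replace with your office/VPN ranges
    blacklist: false                 # false = whitelist, anything not listed is denied
    entryType: IP_ADDRESSES
---
# The attribute to check. If origin.ip is not set the fallback 0.0.0.0 is
# checked instead, which is not in the list, so a missing value fails closed.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceip
  namespace: istio-system
spec:
  compiledTemplate: listentry
  params:
    value: origin.ip | ip("0.0.0.0")
---
# Only evaluate the check for requests that entered through the ingress gateway,
# so in-mesh service-to-service calls are not affected.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
  namespace: istio-system
spec:
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: whitelistip
    instances: [ sourceip ]
```

Apply the first document with kubectl -n istio-system patch svc istio-ingressgateway --patch "$(cat ingress-externaltrafficpolicy-patch.yaml)" and the rest with kubectl apply -f. Two checks are worth doing afterwards. First, with externalTrafficPolicy: Local the ingress gateway is a Deployment, so any node that receives load balancer traffic but has no gateway pod drops it; kubectl -n istio-system get pods -l istio=ingressgateway -o wide shows which nodes have a replica, and the gateway needs to be present on every node the load balancer targets (for example by raising replicas or running it as a DaemonSet) or the load balancer must honour the Service's healthCheckNodePort. Second, a request from an address outside the list should be rejected at the gateway with HTTP 403 and a PERMISSION_DENIED message from the whitelistip handler, while a request from a listed address reaches the backend; if both are allowed, the gateway is still seeing an SNATed address rather than the client's.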

Did you figure out how to solve this?

Sadly nope. But I did not try with a newer version of Istio.