I’m running Istio (version 1.1.3) on GKE, whose default setup is to open Istio to all ingress traffic. However, I want to limit connections and only allow a certain IP block as ingress traffic.
When I apply the below network policy to my ingress gateway, it doesn’t seem to have any effect. Here are my configs:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-ingressgateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-ingress-lockdown
  namespace: default
spec:
  podSelector:
    matchLabels:
      istio: ingressgateway
  ingress:
  - ports:
    - protocol: TCP
      port: 80
  - from:
    - ipBlock:
        cidr: 10.0.0.0/16
After applying the policy, I would expect the ingress gateway to only accept connections from that IP block, but the end result is that I can still connect to the ingress gateway from anywhere (any IP address).
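Added example (not part of the original question): the same lockdown written so that the source restriction and the port restriction are a single rule. In a NetworkPolicy every item under `ingress` is its own rule and the rules are ORed together, so the posted policy says "port 80 from anywhere" OR "any port from 10.0.0.0/16", which leaves port 80 open to everyone. Putting `from` and `ports` in one rule makes it "port 80 AND from 10.0.0.0/16". The policy also has to live in the namespace where the gateway pods actually run; a default Istio install puts them in `istio-system`, which is assumed below (the posted policy is in `default`, where no pod carries the `istio: ingressgateway` label).

```yaml
# Added example: restrict the Istio ingress gateway to one source CIDR.
# Assumptions: gateway pods run in istio-system with label istio=ingressgateway
# (the Istio default); the CIDR and port are taken from the question.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-ingress-lockdown
  namespace: istio-system          # must match the namespace of the gateway pods
spec:
  podSelector:
    matchLabels:
      istio: ingressgateway
  policyTypes:
  - Ingress                        # only ingress is restricted; egress stays open
  ingress:
  # One rule: both conditions must hold for a packet to be admitted.
  - from:
    - ipBlock:
        cidr: 10.0.0.0/16
    ports:
    - protocol: TCP
      port: 80
# Anything not matched by a rule above is dropped once the policy selects the pod.
```

Two checks before concluding the policy "has no effect": NetworkPolicy objects are accepted by the API server even on clusters where nothing enforces them, so confirm that network policy enforcement is enabled on the GKE cluster. And `ipBlock` matches the source address the gateway pod sees; for a `LoadBalancer` Service that address is the node's SNAT address unless the Service uses `externalTrafficPolicy: Local` (for example `kubectl -n istio-system patch svc istio-ingressgateway -p '{"spec":{"externalTrafficPolicy":"Local"}}'`), so without that setting the CIDR match is being made against node IPs rather than client IPs.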