Hi guys,
I have a question about AuthorizationPolicies, especially ipBlocks.
I can whitelist specific IPs by using the policy together with the selector app: istio-ingressgateway. So the policy is bound to the Pod, which is actually the default gateway. I tried to bind the policy to other resources like a Gateway or a Service, but this doesn’t seem to work. (Is it documented anywhere which resources I can bind the policy to?)
This did not work:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-ingress-policy
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks:
        - 1.2.3.4
  # selector points at the label of the Gateway resource below, not at a Pod label
  selector:
    matchLabels:
      gateway: private-gateway
```
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: private-gateway
  namespace: istio-system
  labels:
    gateway: private-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - 'someHost'
    port:
      name: http-private-gw
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - 'someHost'
    port:
      name: https-private-gw
      number: 443
      protocol: HTTPS
    tls:
      credentialName: certificate
      mode: SIMPLE
```
I want to have a public and a private gateway. Both should share the same IP (i.e. both use the istio-ingressgateway with the label istio: ingressgateway), but they route differently based on the hosts. The private one should check for whitelisted IPs.
So the only way to get two separate gateways - one which can be accessed by everyone and one which is limited to specific IPs - seems to be bringing up another istio-ingressgateway-new Pod, which means I would have 2 LoadBalancers / 2 IPs / 2 entries for my K8s cluster.
Is there a way to do it with just a single LoadBalancer / IP ?
Can I evaluate the ipBlocks at the Gateway resource level?
Thanks for any information and hints in advance
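An added example for the setup asked about above (a single istio-ingressgateway Pod, one LoadBalancer IP, IP allow-listing only for the private hosts). This is not code from the original post or from the Istio project; the hostnames `private.example.com`, the policy name and the IP ranges `203.0.113.0/24` / `198.51.100.7` are placeholders. It relies on two documented facts: AuthorizationPolicy selectors match Pod labels, so the policy is bound to the gateway Pod in `istio-system`, and the per-host split is done inside the rule with `to.operation.hosts` instead of trying to select a Gateway resource. Using `DENY` with `notRemoteIpBlocks` keeps every other host open; an `ALLOW` policy on the same Pod would implicitly deny the public hosts as well unless they got their own allow rule.

```yaml
# Added example, not part of the original post.
# One DENY policy on the shared ingress gateway Pod: requests for the private
# hosts are rejected unless the client IP is on the allow list; requests for
# any other host (the "public gateway") are not touched by this policy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: private-hosts-ip-allowlist      # assumed name
  namespace: istio-system               # namespace of the gateway Pod, not of the app
spec:
  selector:
    matchLabels:
      istio: ingressgateway             # Pod label of the default ingress gateway
  action: DENY
  rules:
  - to:
    - operation:
        hosts:                          # Host header / SNI served by the private Gateway
        - "private.example.com"         # assumed hostname
        - "*.private.example.com"       # assumed hostname
    from:
    - source:
        notRemoteIpBlocks:              # original client IP taken from X-Forwarded-For
        - 203.0.113.0/24                # assumed allow list
        - 198.51.100.7/32               # assumed allow list
---
# remoteIpBlocks/notRemoteIpBlocks only work when the gateway knows how many
# trusted proxies (here: the cloud load balancer) sit in front of it, otherwise
# it keeps the load balancer's address as the client IP. Setting this mesh-wide:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1            # assumed: exactly one L7 proxy before the gateway
```

If the load balancer forwards at L4 and does not add X-Forwarded-For, use `notIpBlocks` instead of `notRemoteIpBlocks` and set `externalTrafficPolicy: Local` on the `istio-ingressgateway` Service so the gateway Pod sees the real peer address. In both variants a misconfigured client-IP path fails closed: the gateway only sees the load balancer or node address, that address is not on the allow list, and the private hosts are denied for everyone, which is easy to spot when testing with `curl` from an allow-listed IP.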