Problem: Limit access to a gateway by using authorization policy together with ipBlocks

Hi guys,

got a question about AuthorizationPolicies, especially ipBlocks.

I can whitelist specific IPs by using the policy together with the label app: istio-ingressgateway. So the policy is bound to the Pod, which is actually the default gateway. I tried to bind the policy to other resources like a Gateway or a Service, but this doesn't seem to work. (Is it documented somewhere which resources I can bind the policy to?)

This did not work:

# AuthorizationPolicy whose selector targets the label set on the Gateway object below
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-ingress-policy
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks:
        - 1.2.3.4
  selector:
    matchLabels:
      gateway: private-gateway
---
# Gateway object carrying the label the policy above selects on;
# it is served by the shared istio-ingressgateway pod
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: private-gateway
  namespace: istio-system
  labels:
    gateway: private-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - 'someHost'
    port:
      name: http-private-gw
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - 'someHost'
    port:
      name: https-private-gw
      number: 443
      protocol: HTTPS
    tls:
      credentialName: certificate
      mode: SIMPLE

I want to have a public and a private gateway. Both should share the same IP (so use the istio-ingressgateway with the label istio: ingressgateway), but they route differently based on the hosts. The private one should check for whitelisted IPs.

So the only way to get two separate gateways, one which can be accessed by everyone and one which is limited to specific IPs, seems to be bringing up another istio-ingressgateway-new Pod, which means I would have 2 LoadBalancers / 2 IPs / 2 entries for my K8s cluster.

Is there a way to do it with just a single LoadBalancer / IP ?
Can I evaluate the ipBlocks at the Gateway resource level?

Thanks for any information and hints in advance!
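Added example, not part of the original post and not something its author wrote: one way to get the host-based split on a single ingress gateway (so one LoadBalancer and one IP). AuthorizationPolicy's selector is a workload selector, so it matches pod labels, not Gateway or Service objects; the policy therefore has to be bound to the shared istio-ingressgateway pod and restricted to the private hostname with to.operation.hosts. The example uses a DENY rule with notIpBlocks so that the public host is left untouched; an ALLOW policy on the gateway would, once it applies, deny everything it does not explicitly list, including the public host. Host names, the allowlisted CIDR, and the policy name are placeholders.

```yaml
# Added example (not from the original post). One shared ingress gateway,
# one LoadBalancer, host-based split: private.example.com is only reachable
# from the allowlisted CIDR, public.example.com is open to everyone.
# Host names, CIDR and policy name are placeholders.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: private-host-allowlist
  namespace: istio-system
spec:
  # Bind to the gateway *pod* (workload labels); Gateway/Service objects
  # cannot be selected by an AuthorizationPolicy.
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  # Within one rule, "from" and "to" are ANDed:
  # deny when the request is for the private host AND the client IP
  # is NOT in the allowlist. Requests to other hosts never match this rule.
  - to:
    - operation:
        hosts: ["private.example.com"]
    from:
    - source:
        notIpBlocks: ["203.0.113.0/24"]
---
# Gateway for the private host, served by the same shared gateway pod.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: private-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts: ["private.example.com"]
    port:
      name: https-private-gw
      number: 443
      protocol: HTTPS
    tls:
      credentialName: private-cert   # placeholder secret name
      mode: SIMPLE
---
# Gateway for the public host, same pod, no policy applies to it.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts: ["public.example.com"]
    port:
      name: https-public-gw
      number: 443
      protocol: HTTPS
    tls:
      credentialName: public-cert    # placeholder secret name
      mode: SIMPLE
```

One check worth doing before relying on this: ipBlocks compares the source address of the TCP connection as the gateway pod sees it. If the external LoadBalancer or the Kubernetes Service (externalTrafficPolicy: Cluster) source-NATs the traffic, that address is a node or load-balancer IP and the allowlist will never match a real client. Either set externalTrafficPolicy: Local on the ingress gateway Service so the original client IP is preserved, or, on Istio versions that support it, use remoteIpBlocks/notRemoteIpBlocks together with a trusted X-Forwarded-For or PROXY-protocol configuration (meshConfig gatewayTopology.numTrustedProxies). Confirm by sending a request from a non-listed IP to the private host and expecting a 403, while the same request to the public host still succeeds.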