got a question to AuthorizationPolicies, especially ipBlocks.
I can whitelist specific IPs by using the policy together with the app:istio-ingressgateway. So the policy is bound to the Pod which is actually the default gateway. I tried to bind the policy to other resources like a gateway or a service but this doesn't seem to work. (Is this somewhere documented to what resources I can bind the policy to?)
This did not work:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-ingress-policy
  namespace: istio-system
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks:
        - 22.214.171.124
  selector:
    matchLabels:
      gateway: private-gateway
```

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: private-gateway
  namespace: istio-system
  labels:
    gateway: private-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - 'someHost'
    port:
      name: http-private-gw
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - 'someHost'
    port:
      name: https-private-gw
      number: 443
      protocol: HTTPS
    tls:
      credentialName: certificate
      mode: SIMPLE
```
I want to have a public and a private gateway. Both should share the same IP (so use the istio-ingressgateway with the label istio: ingressgateway) but they route differently based on the hosts. The private one should check for whitelisted IPs.
So the only way to get two separate gateways - one which can be accessed by everyone and one which is limited to specific IPs - seems to be bringing up another istio-ingressgateway-new Pod which means I would have 2 LoadBalancers / 2 IPs / 2 entries for my K8s cluster.
Is there a way to do it with just a single LoadBalancer / IP?
Can I evaluate the ipBlocks at the Gateway resource level?
Thanks for any information and hints in advance
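One way to keep a single load balancer, as an added example that is not part of the original post: an AuthorizationPolicy selects workloads (pods) by label, not Gateway resources, so one policy on the shared ingress pod can key its rules on the requested host instead. The hostnames and the CIDR below are placeholders.

```yaml
# Added example, not from the post. Assumes the stock ingress pod in
# istio-system carries the label app: istio-ingressgateway and that the
# public and private Gateway resources both select istio: ingressgateway.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: private-hosts-allowlist
  namespace: istio-system
spec:
  # Attach to the shared ingress gateway pod (a workload), not to a Gateway.
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  # Rule 1: hosts served by the public Gateway are reachable from anywhere.
  - to:
    - operation:
        hosts: ["public.example.com"]        # placeholder host
  # Rule 2: hosts served by the private Gateway only from allowlisted ranges.
  # With action ALLOW, a request that matches no rule is denied, so a
  # private host reached from any other source IP gets 403.
  - from:
    - source:
        ipBlocks: ["203.0.113.0/24"]         # placeholder, RFC 5737 range
    to:
    - operation:
        hosts: ["private.example.com"]       # placeholder host
```

ipBlocks matches the address of the connection as the gateway pod sees it, so behind a cloud LoadBalancer Service the original client address is only preserved with externalTrafficPolicy: Local; newer Istio releases also offer source.remoteIpBlocks, which matches the client address taken from X-Forwarded-For or PROXY protocol instead.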