Restrict Access by Gateway/Service using source IP

Hi, @Shubham

I applied it on istio-ingressgateway because I have other gateways and I need to restrict a different source IP for each.

kubectl get gateways.networking.istio.io --all-namespaces
NAMESPACE   NAME                    AGE
aten        gw-aten-jasperserver    13h
aten        gw-aten-ords-frontend   13h
default     gw-gitlab               14d
default     gw-jasperserver         14d
eng         gw-eng-jasperserver     13h
eng         gw-eng-ords-frontend    13h

I applied it on the istio-ingress gateway for testing.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: deny-all
 namespace: istio-system
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
 action: DENY
 rules:
 - from:
   - source:
       notIpBlocks: ["187.103.152.251/32"]

This blocked access for all gateways/virtual servers, including for the IP address in notIpBlocks.

RBAC: access denied

Unfortunately, it didn’t work.
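
A simplified model of how a DENY rule with `notIpBlocks` is evaluated, added here as an example; it is not part of the original post and is not Istio's code. It assumes the rule is compared against the source address the gateway sees on the connection, so a hop that rewrites that address (the `10.0.0.12` value is constructed) makes even the exempted client match the rule. The hostnames and the second CIDR in the per-host variant are hypothetical, and host matching is exact only.

```python
import ipaddress

def in_blocks(addr, blocks):
    """True if addr falls inside any CIDR in blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(b) for b in blocks)

def rule_matches(rule, peer_ip, host):
    """A rule matches only if every condition it sets matches (AND)."""
    if "notIpBlocks" in rule and in_blocks(peer_ip, rule["notIpBlocks"]):
        return False              # source is on the exempt list
    if "hosts" in rule and host not in rule["hosts"]:
        return False              # rule is scoped to other hosts
    return True

def decide(deny_rules, peer_ip, host):
    """DENY if any rule matches; with no ALLOW policies, the rest passes."""
    if any(rule_matches(r, peer_ip, host) for r in deny_rules):
        return "RBAC: access denied"
    return "allowed"

# The rule from the post: one DENY rule, no host scoping.
POSTED = [{"notIpBlocks": ["187.103.152.251/32"]}]

# Constructed per-host variant: each hostname gets its own exempt range.
# Hostnames and the second range are hypothetical.
PER_HOST = [
    {"hosts": ["jasper.example.com"], "notIpBlocks": ["187.103.152.251/32"]},
    {"hosts": ["gitlab.example.com"], "notIpBlocks": ["198.51.100.0/24"]},
]

CLIENT = "187.103.152.251"   # address exempted in the post
NODE = "10.0.0.12"           # constructed: address seen after source NAT

def demo():
    return {
        "direct": decide(POSTED, CLIENT, "jasper.example.com"),
        "after_snat": decide(POSTED, NODE, "jasper.example.com"),
        "per_host_ok": decide(PER_HOST, CLIENT, "jasper.example.com"),
        "per_host_other": decide(PER_HOST, CLIENT, "gitlab.example.com"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Comparing the `after_snat` result with the address recorded in the gateway's access log is a quick way to check whether this assumption applies to a given cluster.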