I want my telemetry to be visible to whitelisted IPs only. My cluster lives behind a reverse proxy, so I can’t simply use `from -> source -> ipBlocks` because they only “see” the backside of the proxy.
This AuthorizationPolicy works, with my telemetry living on a separate subdomain:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  # Everything that is not the telemetry host is allowed unconditionally.
  - to:
    - operation:
        notHosts:
        - telemetry.example.com
  # The telemetry host is allowed only when X-Forwarded-For starts with the whitelisted address.
  - to:
    - operation:
        hosts:
        - telemetry.example.com
    when:
    - key: request.headers[x-forwarded-for]
      values:
      - "184.108.40.206*"
```
The only problem I have with it is that it feels a bit ugly. Headers and behavior for reverse proxies are reasonably standard, are they not? It feels to me like there should be a more direct way of expressing this rule. Maybe something like:
```yaml
- from:
  - source:
      proxiedIPBlocks: ["12.34.56.78/32"]
  to:
  - operation:
      hosts:
      - telemetry.example.com
```
Or if that isn’t workable, maybe the documentation could have an example of how to filter by client IP from behind a reverse proxy. I had to do more digging than I care to admit to figure this out.
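An added example, not part of the post above and not Istio's own code, to show what the `request.headers[x-forwarded-for]` prefix match in the posted policy actually decides and how it differs from resolving the client address by trusted hop count (which is what Istio's `meshConfig.defaultConfig.gatewayTopology.numTrustedProxies` together with `source.remoteIpBlocks` implements in later releases). A trailing `*` in an Istio string match is a prefix match on the whole raw header value, not a per-address check, so whether the policy is sound depends on the reverse proxy: if it overwrites `X-Forwarded-For` the check works, but if it appends the connecting address (the common default), a client that sends its own forged `X-Forwarded-For` still matches the prefix. The addresses, header values and the `ALLOWED` list below are constructed sample data; the hop-count parse assumes exactly one trusted proxy that appends the peer address, and the count must match the real topology (too high and a client-supplied entry is trusted, too low and the proxy's own address is taken).

```python
# Added example (not from the original post or from Istio): compares the
# header-prefix check the posted AuthorizationPolicy performs with a
# trusted-hop-count parse of X-Forwarded-For. All data is constructed.
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allow list, using the address from the post's example policy.
ALLOWED = [ipaddress.ip_network("184.108.40.206/32")]


def policy_prefix_allows(xff: str, pattern: str = "184.108.40.206*") -> bool:
    """The check the posted policy performs: a trailing '*' is a prefix match
    on the raw header value (the whole comma-separated string), otherwise an
    exact string comparison."""
    if pattern.endswith("*"):
        return xff.startswith(pattern[:-1])
    return xff == pattern


def client_ip_from_xff(xff: str, num_trusted_proxies: int) -> Optional[IPAddress]:
    """Trusted-hop parse: every trusted proxy appends the peer address it saw,
    so the N-th entry from the right (N = number of trusted proxies) was
    written by the outermost trusted proxy and is the client's address.
    Everything to the left of it is client-supplied and is ignored."""
    if num_trusted_proxies < 1:
        return None  # no trusted proxies: the header cannot be relied on at all
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if len(entries) < num_trusted_proxies:
        return None  # fewer hops than the topology promises: treat as untrusted
    try:
        return ipaddress.ip_address(entries[-num_trusted_proxies])
    except ValueError:
        return None  # malformed entry: deny rather than guess


def remote_ip_allows(xff: str, num_trusted_proxies: int = 1) -> bool:
    """Allow only if the hop-count-resolved client address is in ALLOWED."""
    ip = client_ip_from_xff(xff, num_trusted_proxies)
    return ip is not None and any(ip in net for net in ALLOWED)


# Constructed header values as the gateway would receive them from ONE
# reverse proxy that appends the connecting address to X-Forwarded-For.
GENUINE = "184.108.40.206"               # allow-listed client, sent no XFF itself
SPOOFED = "184.108.40.206, 203.0.113.9"  # client at 203.0.113.9 sent a forged XFF
OTHER = "198.51.100.7"                   # some other client, no forgery

if __name__ == "__main__":
    for label, header in (("genuine", GENUINE), ("spoofed", SPOOFED), ("other", OTHER)):
        print(f"{label:8} prefix-match={policy_prefix_allows(header)!s:5} "
              f"trusted-hop={remote_ip_allows(header)}")
```

Running the block shows the difference on the constructed data: the genuine request passes both checks, the other client fails both, and the spoofed request passes the prefix match but fails the trusted-hop check, because the rightmost entry (the one the trusted proxy wrote) is the attacker's real address.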