Whitelist by host for incoming traffic

carrielfonseca · October 16, 2021, 3:34am

I am trying to whitelist incoming traffic for a service outside the mesh based on its host, not its IP.

For IP, it sort of comes down to this simple ipBlocks attribute from the source as far as I understand. But is there a solution to whitelist based on the host such as apps.esignlive.com for instance?

(See below)

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: ingress-policy
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
action: ALLOW
rules:

from:
- source:
  ipBlocks: [“1.2.3.4”, “5.6.7.0/24”]

YangminZhu · November 8, 2021, 8:28pm

I think you can use the host and notHost field in the authorization policy, also check the best practice before using it.

Topic		Replies	Views
IP based blocks to specific services	0	417	April 12, 2022
Whitelisting/blacklisting IPs Policies and Telemetry	6	1478	February 28, 2020
IP whitelisting in Istio? Networking	4	1067	July 19, 2019
IP add white listing using denier based on host name and URL path Policies and Telemetry	0	412	September 25, 2019
Istio Ingress IP whitelisting Networking	14	6689	February 28, 2020

Whitelist by host for incoming traffic

Related Topics