Whitelisting/blacklisting IPs

I’m trying to implement whitelisting logic in my mesh, but can’t see the following snippet working:

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelistip
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["80.0.0.0/32"]
    blacklist: false
    entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceip
spec:
  compiledTemplate: listentry
  params:
    value: source.ip | ip("0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  match: destination.service.host == "my-app.my-namespace.svc.cluster.local"
  actions:
    - handler: whitelistip
      instances: [ sourceip ]

Is there anything I need to set globally?

I can see that mixer picked up my adapter:
2019-11-05T14:14:29.942908Z info adapters Installing updated list with 1 entries {"adapter": "whitelistip.frontend"}

but I can always access my service regardless of my IP.

spec:
  match: destination.service.host == "my-app.my-namespace.svc.cluster.local"

Is this your ingressgateway?
Black- or whitelisting can be done in ingress only, I suppose :thinking:

Hi @mudit_singh, thanks for your answer.

I didn’t know that black/whitelisting can only be done for the ingress gateway.

I want to restrict access to a specific service based on IP. Istio seems so powerful that this should be easy to achieve, I would say…

Any ideas?

Many thanks

If there are not many services, you can try multiple ingress gateways, one for each particular set of IPs; each ingress will have its own gateway and virtual services for routing traffic.
Just a suggestion; I have not tried this with multiple ingresses. :slightly_smiling_face:

Thanks @mudit_singh.

This is an interesting approach, but seems like an overhead for my use case.

I was thinking of restricting access via a cookie, but again… can’t get that working…

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dashboard
  namespace: frontend
spec:
  hosts:
    - "*"
  gateways:
    - internal-http-gateway
  http:
    - match:
        - headers:
            cookie:
              regex: "^(.*?;)?(dashboard-secret=foo)(;.*)?$"
          uri:
            prefix: /my-dashboard
      route:
        - destination:
            port:
              number: 80
            host: dashboard.frontend.svc.cluster.local

When I remove the headers block, it works fine. I’m confident about the cookie I set in Postman.

This seems like this issue: https://stackoverflow.com/questions/55843939/istio-virtual-service-match-uri-and-cookie-not-working, which has never been answered.

Turns out the regex was wrong.

As Mixer has been deprecated in 1.5, please consider using authorization policy to allow/deny requests.
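An added example of the authorization-policy approach suggested above (not code from this thread or from the Istio project): a DENY policy on the ingress gateway that rejects requests for the dashboard path from any client address outside an allowlist, so the original IP-based goal no longer needs Mixer. The namespace, gateway label, path and IP ranges are assumptions.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: dashboard-ip-allowlist
  # Applied at the ingress gateway, where the original client address is still available.
  # Behind a sidecar the source IP would be the gateway pod, not the end user.
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
    - from:
        - source:
            # Constructed example ranges (RFC 5737 documentation prefixes); replace with the real
            # office/VPN ranges. remoteIpBlocks evaluates the client IP from X-Forwarded-For,
            # which requires meshConfig.defaultConfig.gatewayTopology.numTrustedProxies to be set
            # to the number of proxies (e.g. cloud load balancers) in front of the gateway.
            # If the gateway is reached directly and preserves the client IP, ipBlocks /
            # notIpBlocks can be used instead.
            notRemoteIpBlocks:
              - "203.0.113.0/24"
              - "198.51.100.7/32"
      to:
        - operation:
            # Scoping the DENY rule to the dashboard path leaves every other route untouched;
            # an ALLOW policy on the gateway would instead deny everything it does not list.
            paths: ["/my-dashboard", "/my-dashboard/*"]
```

Requests from a listed range are not matched by the rule and fall through to the normal routing; everything else to /my-dashboard is rejected by the gateway's Envoy with a 403.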