I'm trying to implement whitelisting logic in my mesh, but can't get the following snippet working:
```yaml
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelistip
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["80.0.0.0/32"]
    blacklist: false
    entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceip
spec:
  compiledTemplate: listentry
  params:
    value: source.ip | ip("0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  match: destination.service.host == "my-app.my-namespace.svc.cluster.local"
  actions:
  - handler: whitelistip
    instances: [ sourceip ]
```
Is there anything I need to set globally?
I can see that Mixer picked up my adapter:
2019-11-05T14:14:29.942908Z info adapters Installing updated list with 1 entries {"adapter": "whitelistip.frontend"}
but I can always access my service regardless of my IP.
```yaml
spec:
  match: destination.service.host == "my-app.my-namespace.svc.cluster.local"
```
Is this your ingress gateway?
Black- or whitelisting can be done in ingress only, I suppose.
Hi @mudit_singh, thanks for your answer.
I didn't know that black/whitelisting can only be done for the ingress gateway.
I want to restrict access to a specific service based on IP. Istio seems so powerful that it should be easy to achieve, I would say…
Any ideas?
Many thanks
If the services are not too many in number, you can try multiple ingress gateways, one per set of allowed IPs; each ingress will have its own Gateway and VirtualServices for routing traffic.
Just a suggestion; I have not tried it with multiple ingresses.
Thanks @mudit_singh.
This is an interesting approach, but it seems like overhead for my use case.
I was thinking of restricting access via a cookie, but again… I can't get that working…
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dashboard
  namespace: frontend
spec:
  hosts:
  - "*"
  gateways:
  - internal-http-gateway
  http:
  - match:
    - headers:
        cookie:
          regex: "^(.*?;)?(dashboard-secret=foo)(;.*)?$"
      uri:
        prefix: /my-dashboard
    route:
    - destination:
        port:
          number: 80
        host: dashboard.frontend.svc.cluster.local
```
When I remove the headers block, it works fine. I'm confident about the cookie I set in Postman.
This seems like this issue: https://stackoverflow.com/questions/55843939/istio-virtual-service-match-uri-and-cookie-not-working which has never been answered.
Turns out the regex was wrong.
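The thread does not say what the regex fix was. The posted pattern, `^(.*?;)?(dashboard-secret=foo)(;.*)?$`, only matches when `dashboard-secret` is the first cookie or is preceded by a bare `;`: browsers send the Cookie header as `a=b; dashboard-secret=foo`, with a space after each `;`, and the `(.*?;)?` prefix group has no way to consume that space, so the match fails as soon as another cookie comes first. Envoy evaluates a header regex against the entire header value, so the pattern has to account for everything around the cookie of interest. The VirtualService below is an added example written for this page, not the original poster's fix; it keeps the names, gateway, host and cookie value from the post above and only changes the match to allow optional whitespace around the separators.

```yaml
# Added example (not from the thread): same VirtualService as above with a cookie
# regex that tolerates the "; " separator browsers use between cookies.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dashboard
  namespace: frontend
spec:
  hosts:
  - "*"
  gateways:
  - internal-http-gateway
  http:
  - match:
    # uri and headers in one match entry are ANDed: both must hold for the route.
    - uri:
        prefix: /my-dashboard
      headers:
        cookie:
          # Whole Cookie header value, e.g. "a=b; dashboard-secret=foo; c=d".
          # (.*;\s*)?  optional earlier cookies, separator, optional whitespace
          # (\s*;.*)?  optional later cookies; the anchors stop "dashboard-secret=foobar"
          # Single-quoted so YAML leaves the backslashes alone.
          regex: '^(.*;\s*)?dashboard-secret=foo(\s*;.*)?$'
    route:
    - destination:
        host: dashboard.frontend.svc.cluster.local
        port:
          number: 80
```

To check it from outside the mesh, send the cookie in both positions, e.g. `curl -H 'Cookie: dashboard-secret=foo' http://<gateway>/my-dashboard` and `curl -H 'Cookie: other=1; dashboard-secret=foo' http://<gateway>/my-dashboard`; a request without the cookie matches no route and the gateway answers 404. Keep in mind that a fixed cookie value is a shared secret sent in clear over plain HTTP, so this hides a dashboard rather than authenticating anyone.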
kuat, February 28, 2020, 9:46pm:
As Mixer has been deprecated in 1.5, please consider using authorization policy to allow/deny requests.
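The first post in the thread asked whether anything needs to be set globally for the Mixer listchecker to take effect; for Mixer the answer is yes: policy checks have been disabled by default since Istio 1.1 (`global.disablePolicyChecks=true`), which is why a handler can be installed, log "Installing updated list", and still never be consulted. The reply above points at the replacement, so the following AuthorizationPolicy is an added example written for this page (not from the thread or the Istio docs) that implements the same allowlist, only `80.0.0.0/32` may reach `my-app`, without Mixer. It assumes the default ingress gateway (label `istio: ingressgateway`, namespace `istio-system`) fronts the service, that the service is served for the external host `my-app.example.com` (an assumed name), and an Istio release that supports `remoteIpBlocks`.

```yaml
# Added example, not from the thread: restrict one service to a single client IP
# with AuthorizationPolicy instead of the Mixer listchecker handler.
# Assumed: default ingress gateway in istio-system with label istio: ingressgateway,
# external host my-app.example.com (assumed name), Istio release with remoteIpBlocks.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-app-ip-allowlist
  namespace: istio-system
spec:
  # Enforce at the gateway. A sidecar behind the gateway only ever sees the gateway
  # pod's address as its peer, so an IP rule on the application workload cannot
  # tell external clients apart (this also applies to source.ip in the Mixer config).
  selector:
    matchLabels:
      istio: ingressgateway
  # DENY + notRemoteIpBlocks rather than ALLOW + remoteIpBlocks: as soon as one ALLOW
  # policy selects the gateway, every request that matches no ALLOW rule is denied,
  # which would cut off every other host routed through the same gateway. This rule
  # only rejects requests for my-app.example.com from addresses outside the list.
  action: DENY
  rules:
  - from:
    - source:
        # Original client address recovered from X-Forwarded-For / PROXY protocol,
        # not the TCP peer; the gateway must actually see the real client IP.
        notRemoteIpBlocks: ["80.0.0.0/32"]
    to:
    - operation:
        hosts: ["my-app.example.com"]
```

Apply it with `kubectl apply -f`, then request `http://<gateway>/` with `Host: my-app.example.com` from an allowed and a non-allowed address; the denied request gets HTTP 403 with the body `RBAC: access denied`, other hosts behind the gateway are unaffected. `remoteIpBlocks` is only as trustworthy as the address the gateway derives: with a cloud load balancer in front, set `externalTrafficPolicy: Local` on the gateway Service so the source address survives, or, when a trusted proxy sets `X-Forwarded-For`, configure `meshConfig.defaultConfig.gatewayTopology.numTrustedProxies` so Envoy skips exactly that many hops; otherwise an attacker-supplied header could pass the check. The policy does nothing for callers inside the mesh; if in-mesh access to `my-app` should be restricted too, add a sidecar-scoped policy on the workload that matches on `principals` or `namespaces` instead of IPs.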