V.Yan

Reputation: 109

Istio Authorization Policy IP whitelisting

Does anyone know how to do IP whitelisting properly with the Istio AuthorizationPolicy? I was able to follow this: https://istio.io/latest/docs/tasks/security/authorization/authz-ingress/ to set up whitelisting on the gateway. However, is there a way to do this on a specific workload with a selector? Like this:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app-ip-whitelisting
  namespace: foo
spec:
  selector:
    matchLabels:
      app: app1
  rules:
  - from:
    - source:
        IpBlocks: 
        - xx.xx.xx.xx

I was not able to get this to work, and I am using Istio 1.6.8.

Upvotes: 0

Views: 2067

Answers (1)

Peter Claes

Reputation: 335

I'm running Istio 1.5.6 and the following is working (whitelisting): only IP addresses in ipBlocks are allowed to execute for the specified workload; other IPs get response code 403. I find the term ipBlocks confusing: it is not blocking anything. If you want to block certain IPs (blacklisting) you'll need to use notIpBlocks.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: peke-echo-v1-ipblock
  namespace: peke-echo-v1
spec:
  selector:
    matchLabels:
      app: peke-echo-v1
      version: v1
  rules:
  - from:
    - source:
        ipBlocks: 
        - 173.18.180.128
        - 173.18.191.159
        - 173.20.58.39

ipBlocks is in lower camel case.

Sometimes it takes a while before the policy is effective.

Upvotes: 1
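As an added example (not code from the question or the answer), a small Python check for the pitfall above: source field names are case-sensitive, so the question's IpBlocks is not the ipBlocks Istio expects; the linter also verifies each block parses as an IP or CIDR, and ip_allowed evaluates a client address against a single policy's ipBlocks/notIpBlocks under ALLOW and DENY semantics, ignoring other source conditions. The two manifests are transcribed from this page as the dicts yaml.safe_load would produce; SOURCE_FIELDS is my own list of the v1beta1 source fields, not taken from the page.

```python
import ipaddress

# Field names Istio accepts under rules[].from[].source (security.istio.io/v1beta1). Keys are
# case-sensitive, so "IpBlocks" is not "ipBlocks". ipBlocks matches the immediate TCP peer (a
# load balancer's address if one fronts the sidecar); remoteIpBlocks postdates the releases here.
SOURCE_FIELDS = {"principals", "notPrincipals", "requestPrincipals", "notRequestPrincipals",
                 "namespaces", "notNamespaces", "ipBlocks", "notIpBlocks",
                 "remoteIpBlocks", "notRemoteIpBlocks"}

def _sources(policy):
    for ri, rule in enumerate(policy.get("spec", {}).get("rules", [])):
        for frm in rule.get("from", []):
            yield ri, frm.get("source", {})

def lint_policy(policy):
    """Return a list of problems; [] means every source clause uses valid fields and blocks."""
    problems = []
    for ri, src in _sources(policy):
        for key, value in src.items():
            if key not in SOURCE_FIELDS:
                hint = next((f for f in SOURCE_FIELDS if f.lower() == key.lower()), None)
                problems.append(f"rule {ri}: unknown source field '{key}'"
                                + (f" (did you mean '{hint}'?)" if hint else ""))
            elif key.lower().endswith("ipblocks"):
                for block in value:
                    try:
                        ipaddress.ip_network(block, strict=False)
                    except ValueError:
                        problems.append(f"rule {ri}: '{block}' is not an IP address or CIDR")
    return problems

def _in(ip, blocks):
    return any(ip in ipaddress.ip_network(b, strict=False) for b in blocks)

def ip_allowed(policy, client_ip):
    """Evaluate ONE policy for a client IP using only ipBlocks/notIpBlocks: rules and from-entries
    are ORed, fields within a source ANDed; ALLOW admits only matches (others get 403), DENY rejects them."""
    ip = ipaddress.ip_address(client_ip)
    matched = any((not src.get("ipBlocks") or _in(ip, src["ipBlocks"]))
                  and not _in(ip, src.get("notIpBlocks", []))
                  for _, src in _sources(policy))
    return matched if policy["spec"].get("action", "ALLOW") == "ALLOW" else not matched

# The two manifests from this page, transcribed as yaml.safe_load would load them.
QUESTION_POLICY = {"spec": {"selector": {"matchLabels": {"app": "app1"}},
                            "rules": [{"from": [{"source": {"IpBlocks": ["xx.xx.xx.xx"]}}]}]}}
ANSWER_POLICY = {"spec": {"selector": {"matchLabels": {"app": "peke-echo-v1", "version": "v1"}},
                          "rules": [{"from": [{"source": {"ipBlocks": [
                              "173.18.180.128", "173.18.191.159", "173.20.58.39"]}}]}]}}
```

Running lint_policy on a real manifest just needs yaml.safe_load(open(path)) in place of the dicts above.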
