istio

How to set ingress-policy to allow limited IP with Istio?


Following the document Authorization on Ingress Gateway, I set an ingress-policy like this:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["ALLOWED PUBLIC IP HERE"]

I got my public IP from WhatIsMyIPAddress and set it in the ipBlocks above.

After applying the manifest, when I access my site from a browser, it shows RBAC access denied.

My applications are deployed in the default namespace; is it correct to use namespace: istio-system in the metadata? And how can I see the access logs for debugging?

What's the right way to set an IP filter?

Checking Istio's ingressgateway log, I got:

kubectl logs istio-ingressgateway-111111111111-aaaaa -n istio-system
...
[2021-12-20T05:10:58.600Z] "GET /healthz/ready HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.123.45.123" "ELB-HealthChecker/2.0" "11111111-aaaa-3333-cccc-555555555555" "10.123.45.123:30974" "-" outbound|80||demo-service.default.svc.cluster.local - 10.123.45.123:8443 10.148.45.200:22429 - -
[2021-12-20T05:10:58.601Z] "GET /healthz/ready HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "10.123.45.200" "ELB-HealthChecker/2.0" "22222222-bbbb-4444-dddd-666666666666" "10.123.45.200:30974" "-" outbound|80||demo-service.default.svc.cluster.local - 10.123.45.123:8443 10.123.45.200:15566 - -
2021-12-20T05:29:09.478225Z     info    xdsproxy        connected to upstream XDS server: istiod.istio-system.svc:15012

Why is rbac_access_denied_matched_policy none here? I'm not using RBAC in the K8s cluster. Is it necessary to use it in this case? Reference: Role Based Access Control (RBAC) Filter


Edit:

Got new logs from Istio's ingress gateway:

...
2021-12-21T03:36:41.819072Z     debug   envoy rbac      checking request: requestedServerName: , sourceIP: 10.123.45.111:25965, directRemoteIP: 10.123.45.111:25965, remoteIP: 10.123.45.111:25965,localAddress: 10.123.46.222:8443, ssl: uriSanPeerCertificate: , dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', '10.123.45.111:30974'
':path', '/healthz/ready'
':method', 'GET'
':scheme', 'https'
'user-agent', 'ELB-HealthChecker/2.0'
'accept-encoding', 'gzip, compressed'
'x-forwarded-for', '10.123.45.111'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', '123412231a-cb12-9732-859e-0213jladfsj9'
'x-envoy-decorator-operation', 'demo-service.default.svc.cluster.local:80/*'
, dynamicMetadata:
2021-12-21T03:36:41.819091Z     debug   envoy rbac      enforced allowed, matched policy none

Solution

  • The remote IP address is not passed to the gateway by default. To use the external IP address in your AuthorizationPolicy, you can change the externalTrafficPolicy of the Ingress gateway. For testing you can use the following:

    kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"externalTrafficPolicy":"Local"}}'

    If this works, you should add this to your IstioOperator (or create one) and apply it when installing Istio.

    If you don't want to change the TrafficPolicy, you might be able to accomplish it by using remoteIpBlocks instead of ipBlocks in the AuthorizationPolicy. But I have not tried this myself yet; for reference: https://istio.io/latest/docs/tasks/security/authorization/authz-ingress/#ip-based-allow-list-and-deny-list
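The two manifests the answer points at, written out as an added example (not part of the question or the answer): an IstioOperator overlay that makes externalTrafficPolicy: Local part of the installation instead of a one-off kubectl patch, and the AuthorizationPolicy from the question rewritten to match on remoteIpBlocks. The CIDR 203.0.113.7/32 is a placeholder for the allowed public IP; the numTrustedProxies line is a constructed example of the meshConfig setting that matters only when an XFF-inserting proxy sits in front of the gateway.

```yaml
# Added example: persistent Service setting for the ingress gateway.
# externalTrafficPolicy: Local keeps the client source address instead of
# SNATing it to a node IP, so ipBlocks can see the real public IP.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: ingress-client-ip            # placeholder name
  namespace: istio-system
spec:
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          externalTrafficPolicy: Local
  meshConfig:
    defaultConfig:
      gatewayTopology:
        # Only needed when a proxy (e.g. an HTTP load balancer) in front of
        # the gateway appends the client IP to X-Forwarded-For; it tells
        # Envoy how many trailing XFF entries to trust when deriving remoteIP.
        numTrustedProxies: 1          # constructed value for this example
---
# Added example: the question's policy with remoteIpBlocks instead of ipBlocks.
# remoteIpBlocks evaluates the client address derived from X-Forwarded-For
# (the "remoteIP" field in the envoy rbac debug line), ipBlocks evaluates the
# TCP peer address (the "sourceIP"/"directRemoteIP" fields).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system             # the gateway's namespace, not the app's
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks: ["203.0.113.7/32"]   # placeholder allowed public IP
```

The rbac debug line in the question is the check for either variant: with ipBlocks, compare sourceIP against the allowed range; with remoteIpBlocks, compare remoteIP.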