When using Istio on EKS, how can I restrict the IPs in the security group rules that are created?

1/24/2019

I just set up Istio on EKS. I noticed that the gateway controller (is that what I should call it?) creates an ELB and a corresponding security group that allows incoming traffic on a few different ports:

[screenshot: Security Group Rules]

Right now, all of these rules allow traffic from everywhere (0.0.0.0/0), but I'd like to be able to restrict this to my VPN server. Is there a way to specify a security group id (ideally), or at least an IP for these rules?

-- kenske
amazon-eks
amazon-elb
istio
kubernetes

1 Answer

1/28/2019

There is a way to specify the source IP for the inbound rules of the default Istio Ingress Gateway during installation/upgrade of Istio via Helm.

You do it by adjusting the default values of the Service object associated with your istio-ingressgateway pod:

Here is how I'm doing it via Helm install:

  1. Install with Helm, using the --set option to override default values (here the default values of the 'gateways' subchart):

```shell
helm install install/kubernetes/helm/istio --name istio-maxi --namespace istio-system \
  --set gateways.istio-ingressgateway.loadBalancerSourceRanges=143.231.0.0/16
```

  2. Here are the resulting inbound rules of the ELB standing in front of the Istio Ingress Gateway, as seen in the AWS console:

[screenshot: ELB Inbound Rules]

Important note:

The loadBalancerSourceRanges field is, as of now, available only in a pre-release (1.1.0-snapshot.5) of the Istio Helm chart.

-- Nepomucen
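Two practical caveats worth knowing before relying on the answer above. First, `loadBalancerSourceRanges` is a list of CIDRs only: it cannot reference a security group ID, so the "ideally a security group id" part of the question has no equivalent in this field; Kubernetes' AWS cloud provider translates the CIDRs into the ingress rules of the security group it manages for the ELB. Second, the field lives on the Service, so an already-deployed gateway can be changed with `kubectl patch` instead of a fresh `helm install`. The following helpers are an added example, not code from the answer or from the Istio project: they validate the CIDRs before anything reaches the cluster, build the patch for the `istio-ingressgateway` Service in `istio-system` (the chart defaults the answer relies on), and flag any world-open rule in the CIDR list you pull back from the ELB's security group. The `aws` CLI query and the `kubectl` invocation are assumptions about your environment and are kept inside functions that the offline parts never call.

```shell
#!/bin/sh
# Added example (not from the StackOverflow answer or the Istio project).
# POSIX sh helpers around the Service field loadBalancerSourceRanges.
# Assumed names: Service "istio-ingressgateway" in namespace "istio-system"
# (the Istio chart defaults); the aws/kubectl commands are never run here.

# is_cidr A.B.C.D/N -> exit 0 only for a well-formed IPv4 CIDR.
# Kubernetes rejects a malformed entry at the API server, but only after you
# have committed the change; validating first keeps a typo from being the
# reason the gateway stays open to 0.0.0.0/0 for another rollout.
is_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ;;
        *) return 1 ;;              # the field takes CIDRs, not bare addresses
    esac
    ip=${cidr%%/*}
    prefix=${cidr#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;    # empty, non-numeric, or a second slash
    esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip                      # safe: $ip contains only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# source_ranges_patch CIDR... -> print a JSON merge patch for the Service, or
# print nothing and fail if any CIDR is malformed.
source_ranges_patch() {
    [ $# -gt 0 ] || return 1
    list=""
    for c in "$@"; do
        is_cidr "$c" || { echo "rejected CIDR: $c" >&2; return 1; }
        list="${list:+$list,}\"$c\""
    done
    printf '{"spec":{"loadBalancerSourceRanges":[%s]}}\n' "$list"
}

# apply_source_ranges CIDR... -> patch the live Service. The AWS cloud
# provider then rewrites the ELB security group's inbound rules to match.
# (Equivalent at install time, for more than one range, is Helm's list
# syntax: --set 'gateways.istio-ingressgateway.loadBalancerSourceRanges={A,B}'.)
apply_source_ranges() {
    patch=$(source_ranges_patch "$@") || return 1
    kubectl -n istio-system patch svc istio-ingressgateway --type merge -p "$patch"
}

# world_open_cidrs < CIDR-list -> print every entry that still admits the
# whole Internet and fail; succeed silently when there is none. Feed it the
# ELB security group's IPv4 ingress CIDRs, for example:
#   aws ec2 describe-security-groups --group-ids "$SG" \
#     --query 'SecurityGroups[].IpPermissions[].IpRanges[].CidrIp' \
#     --output text | world_open_cidrs
world_open_cidrs() {
    found=$(tr '[:space:]' '\n' | grep -Fx -e '0.0.0.0/0' -e '::/0' || true)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}
```

Run `apply_source_ranges 143.231.0.0/16` (or pass several ranges) against a cluster where the gateway is already installed, then pipe the security group's CIDRs through `world_open_cidrs` as part of the same change, so a rollout that silently widened the rules back out fails loudly instead of going unnoticed.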
Source: StackOverflow