K
Q

Whitelisting IP addresses for network traffic through Istio gateways

4/19/2019

I tried whitelisting IP address/es in my kubernetes cluster's incoming traffic using this example :

Although this works as expected, wanted to go a step further and try if I can use istio gateways or virtual service when I set up Istio rule, instead of Loadbalancer(ingressgateway).

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
  namespace: my-namespace
spec:
  match: source.labels["app"] == "my-app"
  actions:
  - handler: whitelistip.listchecker
    instances:
    - sourceip.listentry
---

Where my-app is of kind: Gateway with a certain host and port, and labelled app=my-app.

Am using istio version 1.1.1 Also my cluster has all the istio-system running with envoy sidecars on almost all service pods.

-- AdityaHandadi
istio
kubernetes
whitelist

Similar Questions

FailedAttachVolume error on Kubernetes with StorageOS
Grabbing a pod's IP address from another pod
Kubernetes Master Worker Node Kubeadm Join issue
Installation error with Istio 1.1.3 and Kubernetes 1.13.5
How to expose nginx in Minikube to outside
Getting ImagePullBackOff when starting a POD is AWS EKS

1 Answer

5/30/2019

You confuse one thing that, in above rule, match: source.labels["app"] == "my-app" is not referring to any resource's label, but to pod's label.

From OutputTemplate Documentation:

sourceLabels | Refers to source pod labels. attributebindings can refer to this field using $out.sourcelabels

And you can verify by looking for resources with "app=istio-ingressgateway" label via:

kubectl get pods,svc -n istio-system -l "app=istio-ingressgateway" --show-labels

You can check this blog from istio about Mixer Adapter Model, to understand complete mixer model, its handlers,instances and rules.

Hope it helps!

-- coolinuxoid
Source: StackOverflow