Whitelisting IP addresses for network traffic through Istio gateways

4/19/2019

I tried whitelisting IP address(es) in my Kubernetes cluster's incoming traffic using this example:

Although this works as expected, I wanted to go a step further and try whether I can use Istio gateways or a virtual service when I set up the Istio rule, instead of the LoadBalancer (ingressgateway).

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
  namespace: my-namespace
spec:
  match: source.labels["app"] == "my-app"
  actions:
  - handler: whitelistip.listchecker
    instances:
    - sourceip.listentry
---

Here my-app is of kind: Gateway with a certain host and port, and is labelled app=my-app.

I am using Istio version 1.1.1. Also, my cluster has all of istio-system running, with Envoy sidecars on almost all service pods.

-- AdityaHandadi
istio
kubernetes
whitelist

1 Answer

5/30/2019

You are confusing one thing: in the above rule, match: source.labels["app"] == "my-app" is not referring to any resource's label, but to the pod's label.

From OutputTemplate Documentation:

sourceLabels | Refers to source pod labels. attributebindings can refer to this field using $out.sourcelabels

And you can verify this by looking for resources with the "app=istio-ingressgateway" label via:

kubectl get pods,svc -n istio-system -l "app=istio-ingressgateway" --show-labels

You can check this blog from Istio about the Mixer Adapter Model to understand the complete Mixer model, its handlers, instances and rules.

Hope it helps!

-- coolinuxoid
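To make the answer's point concrete, here is the complete handler/instance/rule triple with the match keyed on the ingress gateway pod's label rather than the Gateway resource. This is an added example, not from the question or answer; the CIDR 10.57.0.0/16 is a constructed placeholder and the object names follow the question's rule.

```yaml
# Mixer listchecker handler: the static IP allow list (constructed CIDR).
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelistip
  namespace: istio-system
spec:
  compiledAdapter: listchecker
  params:
    overrides: ["10.57.0.0/16"]   # placeholder range; replace with real client ranges
    blacklist: false              # false = allow list, anything else is denied
    entryType: IP_ADDRESSES
---
# listentry instance: the value checked against the list is the caller's IP.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceip
  namespace: istio-system
spec:
  compiledTemplate: listentry
  params:
    value: source.ip | ip("0.0.0.0")
---
# rule: source.labels are POD labels, so match the ingressgateway pod
# (the same label the answer's kubectl command lists), not a Gateway resource.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
  namespace: istio-system
spec:
  match: source.labels["app"] == "istio-ingressgateway"
  actions:
  - handler: whitelistip
    instances: [ sourceip ]
```

source.ip at the gateway is the real client address only if the LoadBalancer service preserves it (for example externalTrafficPolicy: Local); otherwise the check sees a node or load-balancer address and the allow list will not behave as intended.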
Source: StackOverflow