I have two virtual service config files that get merged into one by Istio.
I want a specific API (accounts/v1/invites) to only be accessible from a list of client IP addresses.
This API will only be called by an external backend server, and I want to restrict that API so it can only be called by the IP addresses I list.
My assumption was that listing the IP addresses in the hosts parameter would enforce this restriction, but instead I am not able to access the API at all.
Am I configuring it correctly, or am I making a grossly incorrect assumption?
--- Virtual Service yaml ---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mp-server-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - mp-server-gateway
  http:
  - match:
    - uri:
        exact: /private/api
    - uri:
        exact: /private/graphiql
    - uri:
        exact: /public/api
    route:
    - destination:
        host: mp-server
        port:
          number: 4000
    corsPolicy:
      allowOrigin:
      - 'https://xxxxxxx.com'
      allowMethods:
      - POST
      - GET
      - OPTIONS
      allowHeaders:
      - content-type
      - namespace
      - authorization
      maxAge: 500s
      allowCredentials: true
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mp-server-virtualservice-machine2machine
spec:
  hosts:
  - "138.91.154.99"
  - "54.183.64.135"
  - "54.67.77.38"
  - "54.67.15.170"
  - "54.183.204.205"
  - "54.173.21.107"
  - "54.85.173.28"
  - "35.167.74.121"
  - "35.160.3.103"
  - "35.166.202.113"
  - "52.14.40.253"
  - "52.14.38.78"
  - "52.14.17.114"
  - "52.71.209.77"
  - "34.195.142.251"
  - "52.200.94.42"
  gateways:
  - mp-server-gateway
  http:
  - match:
    - uri:
        exact: /accounts/v1/invites
    route:
    - destination:
        host: mp-server
        port:
          number: 4000
--- Gateway yaml ---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mp-server-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - "*"
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"
I'm afraid that Istio's way of IP-based white/black listing access to services inside the mesh is through the usage of a listchecker of IP_ADDRESSES type. Please check the example here.

According to the documentation (Traffic Management), the entries under a virtual service's hosts should hold a DNS name (not an IP address), which needs to resolve to an FQDN via the cluster DNS server.
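As an added illustration of the approach the answer describes (this is not the answerer's configuration and not taken from the question), the following Mixer policy restricts the source IP of requests arriving at the Istio ingress gateway to an allowlist. It uses the Istio 1.1-era `config.istio.io/v1alpha2` handler/instance/rule resources with the `listchecker` adapter and the `listentry` template; the resource names `invites-ip-allowlist`, `ingress-source-ip` and `check-invites-source-ip` are assumptions, as is the `istio-system` namespace. The allowlist reuses the addresses from the question, written as /32 CIDRs because the `IP_ADDRESSES` entry type takes CIDR ranges. The second VirtualService should keep `hosts: ["*"]` (as the first one does) and let the `uri` match select the path; the IP restriction is enforced by the rule below rather than by `hosts`.

```yaml
# Handler: the list of permitted client addresses (blacklist: false = allowlist).
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: invites-ip-allowlist
  namespace: istio-system
spec:
  compiledAdapter: listchecker
  params:
    entryType: IP_ADDRESSES
    blacklist: false
    overrides:
    - "138.91.154.99/32"
    - "54.183.64.135/32"
    - "54.67.77.38/32"
    - "54.67.15.170/32"
    - "54.183.204.205/32"
    - "54.173.21.107/32"
    - "54.85.173.28/32"
    - "35.167.74.121/32"
    - "35.160.3.103/32"
    - "35.166.202.113/32"
    - "52.14.40.253/32"
    - "52.14.38.78/32"
    - "52.14.17.114/32"
    - "52.71.209.77/32"
    - "34.195.142.251/32"
    - "52.200.94.42/32"
---
# Instance: the value checked against the list is the caller's source IP.
# The "| ip(\"0.0.0.0\")" fallback means a request with no source IP attribute
# is checked as 0.0.0.0, which is not on the list and is therefore denied.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: ingress-source-ip
  namespace: istio-system
spec:
  compiledTemplate: listentry
  params:
    value: source.ip | ip("0.0.0.0")
---
# Rule: apply the check only to requests entering through the ingress gateway
# and only for the machine-to-machine path from the question.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: check-invites-source-ip
  namespace: istio-system
spec:
  match: source.labels["istio"] == "ingressgateway" && request.path == "/accounts/v1/invites"
  actions:
  - handler: invites-ip-allowlist
    instances:
    - ingress-source-ip
```

Two things to verify before relying on this: Mixer policy checks must be enabled in the installation (in Istio 1.1 and later they are off by default, and a disabled check silently allows everything), and `source.ip` must actually be the client's address rather than the cloud load balancer's. If the ingress gateway Service sits behind a load balancer that does source NAT, the check will see the balancer's IP for every request; setting `externalTrafficPolicy: Local` on the gateway Service, or checking a trusted `x-forwarded-for` value instead, is the usual fix.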