Istio Virtual Service: only allow certain APIs to be accessed by a list of IP addresses

8/14/2019

I have two virtual service config files that get merged into one by istio.

I want a specific API (accounts/v1/invites) to only be accessed by a list of client IP addresses.

This API will only be called by an external backend server, and I want to restrict the ability for that API to be called to only the IP addresses I list.

My assumption was that listing the IP addresses in the hosts parameter would enforce this restriction, but instead I am not able to access the API at all.

Am I configuring it correctly, or am I making a grossly incorrect assumption?

--- Virtual Service yaml ---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mp-server-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - mp-server-gateway
  http:
  - match:
    - uri:
        exact: /private/api
    - uri:
        exact: /private/graphiql
    - uri:
        exact: /public/api
    route:
    - destination:
        host: mp-server
        port:
          number: 4000
    corsPolicy:
      allowOrigin:
        - 'https://xxxxxxx.com'
      allowMethods:
        - POST
        - GET
        - OPTIONS
      allowHeaders:
        - content-type
        - namespace
        - authorization
      maxAge: 500s
      allowCredentials: true

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mp-server-virtualservice-machine2machine
spec:
  hosts:
  - "138.91.154.99"
  - "54.183.64.135"
  - "54.67.77.38"
  - "54.67.15.170"
  - "54.183.204.205"
  - "54.173.21.107"
  - "54.85.173.28"
  - "35.167.74.121"
  - "35.160.3.103"
  - "35.166.202.113"
  - "52.14.40.253"
  - "52.14.38.78"
  - "52.14.17.114"
  - "52.71.209.77"
  - "34.195.142.251"
  - "52.200.94.42"
  gateways:
  - mp-server-gateway
  http:
  - match:
    - uri:
        exact: /accounts/v1/invites
    route:
    - destination:
        host: mp-server
        port:
          number: 4000

--- Gateway yaml ---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mp-server-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - "*"
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"
-- john
istio
kubernetes

1 Answer

8/16/2019

I'm afraid that Istio's way of IP-based white/black listing of access to services inside the mesh is through the usage of a listchecker of IP_ADDRESSES type. Please check the example here.

According to the documentation (Traffic Management), the entries under a virtual service's hosts should hold DNS names (not IP addresses) that need to resolve to an FQDN via the cluster DNS server.

-- Nepomucen
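As an added example (not part of the answer above), this is what the Mixer listchecker policy the answer refers to looks like when adapted to the question's /accounts/v1/invites route, using the Istio 1.x policy API current at the time (deprecated since Istio 1.5 in favour of AuthorizationPolicy). It assumes mp-server runs in the default namespace, that policy checks are enabled on the mesh, and, for brevity, lists only two of the question's addresses.

```yaml
# Added example: Mixer listchecker IP whitelist for one route (Istio 1.x policy API).
# Assumptions: mp-server is in the default namespace; policy checks are enabled
# (disablePolicyChecks=false); only two of the question's addresses are listed.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: invites-whitelist
spec:
  compiledAdapter: listchecker
  params:
    # Static list of IPs or CIDRs. A providerUrl could fetch the list instead.
    overrides:
    - "138.91.154.99/32"
    - "54.183.64.135/32"
    blacklist: false          # false = whitelist: only listed sources are allowed
    entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: invites-source-ip
spec:
  compiledTemplate: listentry
  params:
    # The value checked against the list: the immediate peer's IP. If the
    # attribute is missing it defaults to 0.0.0.0, which is never on the list,
    # so a request without a resolvable source is denied rather than allowed.
    value: source.ip | ip("0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: invites-checkip
spec:
  # Restrict only the machine-to-machine path; the other routes in the
  # question's VirtualService are untouched. The outbound reporter kind makes
  # the ingress gateway the enforcement point, where source.ip is the client
  # address. At mp-server's own sidecar source.ip would be the gateway pod IP,
  # and every request would be denied.
  match: context.reporter.kind == "outbound" && destination.service.host == "mp-server.default.svc.cluster.local" && request.url_path == "/accounts/v1/invites"
  actions:
  - handler: invites-whitelist
    instances:
    - invites-source-ip
```

The check is only as good as the address the gateway sees: if a cloud load balancer in front of the ingress gateway NATs client traffic, source.ip is the balancer's address and the list never matches, so the gateway Service needs the real client address preserved (for example externalTrafficPolicy: Local).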
Source: StackOverflow