How to do geo ip blacklist with istio ingress gateway?

11/14/2019

I'm using the Kubernetes service in Alibaba Cloud; the Kubernetes server version is v1.14.8-aliyun.1 and the Istio version is 1.2.7.

From this official Istio tutorial (https://istio.io/docs/tasks/policy-enforcement/denial-and-list/), I learnt how to block a single IP at the Istio ingress gateway. I applied the rule, instance and handler in the istio-system namespace and my public IP was blocked successfully.

Then I tried to use a similar concept to do geo-IP blocking. First I get the country IP list from the GeoLite2 database provided by MaxMind, then I parse those IPs into multiple handler files (3000 IPs per file, as there is a resource size limit in Kubernetes). Eventually, let's say I want to block IPs from the US, I will have around 500 handler files generated from a 25MB US-IP.txt. Now when I apply these resources to Kubernetes and observe the Istio Mixer log, I can see the following error:

Error receiving MCP response: rpc error: code = ResourceExhausted desc = grpc: received message larger than max (4623689 vs. 4194304)

I tried to set the Istio Mixer MaxMessageSize to 30MB, but I am still getting this error. It looks like this 4MB is the limit from the Go gRPC library.

Can anyone please give me an idea of how to do geo-IP blocking with the Istio ingress gateway? Steps to reproduce this issue are included in https://github.com/heylong6551/istio-issue.

Thanks in advance.

-- WenLong Tee
istio
kubernetes
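The chunking procedure the question describes (country CIDRs from GeoLite2, split into listchecker handler files, one rule pointing at all of them), as an added example that is not part of the original post and not Istio's or MaxMind's own tooling. It assumes the column names of the GeoLite2-Country CSV distribution (`GeoLite2-Country-Locations-en.csv` and `GeoLite2-Country-Blocks-IPv4.csv`) and emits the handler/instance/rule shapes from the Istio 1.2 denial-and-list tutorial; the sample rows, the `geoblock` names and the `total_bytes` estimate are constructed for illustration.

```python
"""Generate Istio 1.2 Mixer listchecker handlers from GeoLite2 country blocks."""
import csv
import io
import ipaddress

# Constructed sample rows in the GeoLite2-Country CSV layout (column names
# assumed from the MaxMind CSV distribution; these are not real database rows).
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
6252001,en,NA,North America,US,United States,0
2635167,en,EU,Europe,GB,United Kingdom,0
"""

BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.0.0/24,6252001,6252001,,0,0
1.0.1.0/24,2635167,2635167,,0,0
3.0.0.0/15,6252001,6252001,,0,0
8.8.8.0/24,,6252001,,0,0
9.9.9.0/24,6252001,6252001,,0,0
"""


def country_geoname_ids(locations_text, iso_code):
    """Return the geoname_ids whose country_iso_code equals iso_code."""
    rows = csv.DictReader(io.StringIO(locations_text))
    return {r["geoname_id"] for r in rows if r["country_iso_code"] == iso_code}


def country_networks(blocks_text, geoname_ids):
    """Return validated CIDRs geolocated in (or, failing that, registered to) the ids."""
    nets = []
    for row in csv.DictReader(io.StringIO(blocks_text)):
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        if gid in geoname_ids:
            # ip_network() raises ValueError on a malformed row, so corrupt
            # input fails loudly instead of becoming a useless list entry.
            nets.append(str(ipaddress.ip_network(row["network"])))
    return nets


def chunked(items, size):
    for i in range(0, len(items), size):
        yield items[i:i + size]


def handler_yaml(name, cidrs):
    """One listchecker handler, in the shape used by the denial-and-list tutorial."""
    lines = [
        "apiVersion: config.istio.io/v1alpha2",
        "kind: handler",
        "metadata:",
        f"  name: {name}",
        "  namespace: istio-system",
        "spec:",
        "  compiledAdapter: listchecker",
        "  params:",
        "    overrides:",
    ]
    lines += [f'    - "{c}"' for c in cidrs]
    lines += ["    blacklist: true", "    entryType: IP_ADDRESSES"]
    return "\n".join(lines) + "\n"


def rule_yaml(handler_names):
    """listentry instance plus one rule whose actions reference every chunk handler."""
    lines = [
        "apiVersion: config.istio.io/v1alpha2", "kind: instance", "metadata:",
        "  name: sourceip", "  namespace: istio-system", "spec:",
        "  compiledTemplate: listentry", "  params:",
        '    value: source.ip | ip("0.0.0.0")', "---",
        "apiVersion: config.istio.io/v1alpha2", "kind: rule", "metadata:",
        "  name: geoblock", "  namespace: istio-system", "spec:",
        '  match: source.labels["istio"] == "ingressgateway"', "  actions:",
    ]
    for h in handler_names:
        lines += [f"  - handler: {h}", "    instances: [ sourceip ]"]
    return "\n".join(lines) + "\n"


def generate(locations_text, blocks_text, iso_code, chunk_size=3000, prefix="geoblock"):
    """Return {filename: yaml} with one handler per chunk plus the rule document."""
    cidrs = country_networks(blocks_text, country_geoname_ids(locations_text, iso_code))
    docs, names = {}, []
    for n, chunk in enumerate(chunked(cidrs, chunk_size)):
        name = f"{prefix}-{iso_code.lower()}-{n:04d}"
        names.append(name)
        docs[f"{name}.yaml"] = handler_yaml(name, chunk)
    docs[f"{prefix}-rule.yaml"] = rule_yaml(names)
    return docs


def total_bytes(docs):
    """Sum of the YAML sizes. The figure Mixer sees is the MCP/protobuf encoding of
    the whole collection, so this is only a first-order estimate against the
    4194304-byte limit quoted in the question, not the exact wire size."""
    return sum(len(body.encode()) for body in docs.values())


if __name__ == "__main__":
    out = generate(LOCATIONS_CSV, BLOCKS_CSV, "US", chunk_size=2)
    for fname, body in out.items():
        print(f"# {fname}\n{body}")
    print(f"# total YAML bytes: {total_bytes(out)}")
```

Two points the script makes visible. First, the error quoted in the question comes from a single MCP response carrying the whole handler collection, so splitting the list across more Kubernetes objects changes the per-object size but not the aggregate that `total_bytes` approximates. Second, the tutorial's own handler comment notes that block and allow lists are ordinarily maintained externally and fetched asynchronously through the listchecker `providerUrl` parameter rather than inlined as `overrides`; that keeps the list out of the control-plane config entirely, which is the route to look at for a 25MB list.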

0 Answers