I have to use multiple gateways, namespace-wise, where every namespace has its own AuthorizationPolicy either to allow the traffic or to DENY the traffic based on IP blocks.
e.g.
My default gateway from the istio-system namespace should not have any IP blocklist; it should be open to the *.xyz.xyz domain:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  labels:
    argocd.argoproj.io/instance: istio-ingressgateway
  name: istio-gateway
  namespace: istio-system
spec:
  selector:
    istio: gateway
  servers:
  - hosts:
    - "*.xyz.xyz"   # a leading "*" must be quoted, otherwise YAML parses it as an alias
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - "*.xyz.xyz"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: tls-wildcard-cert2
      mode: SIMPLE
whereas my other application needs IP filtering, so that only allowed IPs can access that internal application, like:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: canary-gateway
  namespace: canary
spec:
  selector:
    istio: gateway
  servers:
  - hosts:
    - canary.xyz.xyz
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - canary.xyz.xyz
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: tls-wildcard-cert2
      mode: SIMPLE
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: canary-ip-whitelist
  namespace: canary
spec:
  selector:
    matchLabels:
      app: frontend
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["45.252.72.179/32", "27.107.31.42/30"]
The matchLabels for my service and deployment are like:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  labels:
    app: frontend
    version: v1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: frontend
      version: v1
  template:
    metadata:
      labels:
        app: frontend
        version: v1
      annotations:
        sidecar.istio.io/rewriteAppHTTPProbers: "true"
        sidecar.istio.io/inject: 'true'
    spec:
      serviceAccountName: frontend-test
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      containers:
      - name: server
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        image: gcr.io/google-samples/microservices-demo/frontend:v0.9.0
        ports:
        - containerPort: 8080
        readinessProbe:
          initialDelaySeconds: 10
          httpGet:
            path: "/_healthz"
            port: 8080
            httpHeaders:
            - name: "Cookie"
              value: "shop_session-id=x-readiness-probe"
        livenessProbe:
          initialDelaySeconds: 10
          httpGet:
            path: "/_healthz"
            port: 8080
            httpHeaders:
            - name: "Cookie"
              value: "shop_session-id=x-liveness-probe"
        env:
        - name: PORT
          value: "8080"
        - name: PRODUCT_CATALOG_SERVICE_ADDR
          value: "productcatalogservice:3550"
        - name: CURRENCY_SERVICE_ADDR
          value: "currencyservice:7000"
        - name: CART_SERVICE_ADDR
          value: "cartservice:7070"
        - name: RECOMMENDATION_SERVICE_ADDR
          value: "recommendationservice:8080"
        - name: SHIPPING_SERVICE_ADDR
          value: "shippingservice:50051"
        - name: CHECKOUT_SERVICE_ADDR
          value: "checkoutservice:5050"
        - name: AD_SERVICE_ADDR
          value: "adservice:9555"
        # # ENV_PLATFORM: One of: local, gcp, aws, azure, onprem, alibaba
        # # When not set, defaults to "local" unless running in GKE, otherwise auto-sets to gcp
        # - name: ENV_PLATFORM
        #   value: "aws"
        - name: ENABLE_PROFILER
          value: "0"
        # - name: CYMBAL_BRANDING
        #   value: "true"
        # - name: FRONTEND_MESSAGE
        #   value: "Replace this with a message you want to display on all pages."
        # As part of an optional Google Cloud demo, you can run an optional microservice called the "packaging service".
        # - name: PACKAGING_SERVICE_URL
        #   value: "" # This value would look like "http://123.123.123"
        resources:
          requests:
            cpu: 100m
            memory: 64Mi
          limits:
            cpu: 200m
            memory: 128Mi
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
  labels:
    app: frontend
    service: frontend
spec:
  type: ClusterIP
  selector:
    app: frontend
  ports:
  - name: http
    port: 80
    targetPort: 8080
I need to configure IP whitelisting and blocklisting for multiple namespaces which have multiple gateways.
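As an added example (not part of the question above), one way to keep the per-host IP filter on the shared ingress gateway instead of on each application's sidecar: a DENY policy in istio-system, selecting the gateway workload that both Gateways above already select, scoped to one host with `to.operation.hosts` and evaluated against `notRemoteIpBlocks` (the original client address from X-Forwarded-For or proxy protocol) rather than `ipBlocks` (the immediate peer, which at a sidecar is the gateway pod itself). It assumes the gateway actually sees the real client IP (for example `externalTrafficPolicy: Local` on its Service, or a configured number of trusted proxies); the CIDRs are the ones from the question.

```yaml
# Added example: host-scoped allowlist enforced at the ingress gateway.
# A DENY policy leaves every other host untouched; an ALLOW policy on the
# same workload would instead reject any request that matches no ALLOW rule.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: canary-remote-ip-allowlist
  namespace: istio-system          # must live where the gateway pods run
spec:
  selector:
    matchLabels:
      istio: gateway               # same label both Gateway resources select
  action: DENY
  rules:
  - from:
    - source:
        # deny when the ORIGINAL client IP is outside the allowlist
        notRemoteIpBlocks: ["45.252.72.179/32", "27.107.31.42/30"]
    to:
    - operation:
        hosts: ["canary.xyz.xyz"]  # only the canary host is restricted;
                                   # *.xyz.xyz on the default gateway stays open
```

To add another namespace, add a second policy (or a second rule) with its own `hosts` and CIDR list; to verify, send a request for canary.xyz.xyz from an address outside the list and expect an RBAC 403 in the ingress gateway's access log.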