Whitelist IPs with Istio on Kubernetes
DevOpsAccept a specific IP on a given website is a basic security needed that can be done easely with Istio on a Kubernetes cluster. In this blog post, we will see how to whitelist an IP using the AuthorizationPolicy Istio Object.
In the first approch, we will allow only few IPs on the entire website. In the second example, we will add a public endpoint for API in a subsite of the code.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: ingress-policy
spec:
selector:
matchLabels:
{{- include "my-application.selectorLabels" . | nindent 6 }}
action: ALLOW
rules:
- from:
- source:
remoteIpBlocks:
- "35.0.0.0" # Some IP
- "35.0.0.0/24" # Some range IP
Because you can have any rules you want, you can specify an endpoint with a public access.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: ingress-policy
spec:
selector:
matchLabels:
{{- include "my-application.selectorLabels" . | nindent 6 }}
action: ALLOW
rules:
- from:
- source:
remoteIpBlocks:
- "35.0.0.0" # Some IP
- "35.0.0.0/24" # Some range IP
- from:
- source:
remoteIpBlocks:
- "0.0.0.0/0" # public pour webhook
to:
- operation:
methods: [POST', 'PUT', 'DELETE']
paths: ["/api/webhook/*"]
I hope this information was helpful in your journey to secure your Kubernetes application with Istio and whitelist specific IPs. Stay secure and happy coding!