DevOps Blog - Nicolas Paris

Whitelist IPs with Istio on Kubernetes

Accepting only specific IPs on a given website is a basic security need that can be met easily with Istio on a Kubernetes cluster. In this blog post, we will see how to whitelist an IP using the Istio AuthorizationPolicy object.

In the first approach, we will allow only a few IPs on the entire website. In the second example, we will add a public API endpoint on a sub-path of the site.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
spec:
  selector:
    matchLabels:
      {{- include "my-application.selectorLabels" . | nindent 6 }}
  action: ALLOW
  rules:
    - from:
        - source:
            remoteIpBlocks:
              - "35.0.0.0"     # Some IP
              - "35.0.0.0/24"  # Some IP range

Because you can combine as many rules as you want, you can also open a specific endpoint to public access while the rest of the site stays restricted.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
spec:
  selector:
    matchLabels:
      {{- include "my-application.selectorLabels" . | nindent 6 }}
  action: ALLOW
  rules:
    - from:
        - source:
            remoteIpBlocks:
              - "35.0.0.0"     # Some IP
              - "35.0.0.0/24"  # Some IP range
    - from:
        - source:
            remoteIpBlocks:
              - "0.0.0.0/0"    # public for the webhook
      to:
        - operation:
            methods: ["POST", "PUT", "DELETE"]
            paths: ["/api/webhook/*"]
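
To check what the second policy actually lets through before deploying it, here is an added example (not from the post or from Istio) that models Istio's ALLOW evaluation for the two rules above: a request is denied unless at least one rule matches, and a rule matches only when every field it lists (source IP block, method, path) matches. The IP check reuses the exact `remoteIpBlocks` values from the YAML; the path matcher only models the trailing-`*` prefix form used here, not every pattern Istio supports.

```python
import ipaddress

# The two rules of the policy above, transcribed from the YAML.
POLICY_RULES = [
    {"remoteIpBlocks": ["35.0.0.0", "35.0.0.0/24"]},
    {"remoteIpBlocks": ["0.0.0.0/0"],
     "methods": ["POST", "PUT", "DELETE"],
     "paths": ["/api/webhook/*"]},
]

def ip_in_blocks(ip, blocks):
    """True if ip falls in any block; a bare address like "35.0.0.0" is a /32."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)

def path_matches(path, patterns):
    """Exact match, or prefix match when the pattern ends with '*'."""
    for pattern in patterns:
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            return True
        if path == pattern:
            return True
    return False

def rule_matches(rule, ip, method, path):
    """A rule matches only when every condition it declares holds."""
    if "remoteIpBlocks" in rule and not ip_in_blocks(ip, rule["remoteIpBlocks"]):
        return False
    if "methods" in rule and method not in rule["methods"]:
        return False
    if "paths" in rule and not path_matches(path, rule["paths"]):
        return False
    return True

def is_allowed(ip, method, path, rules=POLICY_RULES):
    """ALLOW action: deny by default, allow if any rule matches."""
    return any(rule_matches(r, ip, method, path) for r in rules)

if __name__ == "__main__":
    # Constructed sample requests: (client IP, method, path).
    for req in [("35.0.0.7", "GET", "/"),
                ("203.0.113.9", "GET", "/"),
                ("203.0.113.9", "POST", "/api/webhook/github"),
                ("203.0.113.9", "GET", "/api/webhook/github")]:
        print(req, "ALLOW" if is_allowed(*req) else "DENY")
```

Keep in mind that `remoteIpBlocks` is evaluated against the client IP Istio derives from the X-Forwarded-For header or PROXY protocol, so the ingress gateway must be configured to trust the load balancer hops in front of it (Istio's `numTrustedProxies` setting); otherwise the address compared is the load balancer's, not the client's.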

I hope this information was helpful in your journey to secure your Kubernetes application with Istio and whitelist specific IPs. Stay secure and happy coding!