DevOps Blog - Nicolas Paris

Whitelist IPs with Istio on Kubernetes

DevOps

This is a simple example of an IP whitelist with multiple paths for Istio.
In this case we want to block every IP by default, then allow one IP and one range on every URL, except for some webhook URLs that will be public.

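apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
spec:
  selector:
    matchLabels:
      {{- include "my-application.selectorLabels" . | nindent 6 }}
  # With action ALLOW, a request is accepted only if at least one rule matches.
  action: ALLOW
  rules:
    # Rule 1: whitelisted sources, any method and any path.
    # remoteIpBlocks uses the original client IP (X-Forwarded-For or PROXY protocol),
    # so the ingress gateway must be configured with the right numTrustedProxies.
    - from:
        - source:
            remoteIpBlocks:
              - "35.0.0.0" # Some IP
              - "35.0.0.0/24" # Some range IP
    # Rule 2: any source, but only these methods on the webhook paths.
    - from:
        - source:
            remoteIpBlocks:
              - "0.0.0.0/0" # public for webhook
      to:
        - operation:
            methods: ['POST', 'PUT', 'DELETE']
            paths: ["/api/webhook/*"]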
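
To check what the policy above actually lets through, here is a small Python model of it. It is an added example, not part of the original post and not Istio code. It assumes only the fields used in this policy (`remoteIpBlocks`, `methods`, `paths`); the names `RULES`, `path_matches`, `rule_matches` and `is_allowed` and the sample client IPs are made up for the illustration.

```python
import ipaddress

# The two rules of the policy above, transcribed by hand (constructed data).
RULES = [
    {"remoteIpBlocks": ["35.0.0.0", "35.0.0.0/24"]},
    {"remoteIpBlocks": ["0.0.0.0/0"],
     "methods": ["POST", "PUT", "DELETE"],
     "paths": ["/api/webhook/*"]},
]


def path_matches(pattern, path):
    """Istio string matching: exact, 'prefix*', '*suffix', or '*' (presence)."""
    if pattern == "*":
        return path != ""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return pattern == path


def rule_matches(rule, client_ip, method, path):
    ip = ipaddress.ip_address(client_ip)
    in_block = any(ip in ipaddress.ip_network(block, strict=False)
                   for block in rule["remoteIpBlocks"])
    # A rule without a 'to' clause applies to every method and every path.
    method_ok = "methods" not in rule or method in rule["methods"]
    path_ok = "paths" not in rule or any(path_matches(p, path) for p in rule["paths"])
    return in_block and method_ok and path_ok


def is_allowed(client_ip, method, path, rules=RULES):
    """ALLOW action: accepted if any rule matches, denied otherwise."""
    return any(rule_matches(rule, client_ip, method, path) for rule in rules)


if __name__ == "__main__":
    # Constructed sample requests: (client IP, method, path).
    for req in [("35.0.0.7", "GET", "/admin"),
                ("203.0.113.9", "POST", "/api/webhook/github"),
                ("203.0.113.9", "GET", "/api/webhook/github"),
                ("203.0.113.9", "POST", "/api/webhook"),
                ("203.0.113.9", "GET", "/admin")]:
        print(req, "->", "ALLOW" if is_allowed(*req) else "DENY")
```

Two results are easy to miss when reading the YAML: a public `GET` on a webhook path is denied because the rule lists only `POST`, `PUT` and `DELETE`, and `/api/webhook` without a trailing slash does not match the `/api/webhook/*` prefix.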

Hope it helps.