Istio FAQ - Set up IP White/Black Listing for services

中文阅读

Problem Description

When services are under attack, or services are only allowed to be accessed under certain IPs, the usual practice is to set up IP White/Black Listing for the service.

Solution

Let’s take httpbin as an example to illustrate how to use AuthorizationPolicy in Istio to set the IP White/Black Listing for the service.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# httpbin.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
    - "httpbin.makeoptim.com"
  gateways:
    - gateway/makeoptim-gateway
  http:
    - route:
        - destination:
            port:
              number: 8000
            host: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
    - name: http
      port: 8000
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
        - image: docker.io/citizenstig/httpbin
          imagePullPolicy: IfNotPresent
          name: httpbin
          ports:
            - containerPort: 8000

After deploying httpbin, you can directly access it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
❯ curl httpbin.makeoptim.com/get
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "httpbin.makeoptim.com",
    "User-Agent": "curl/7.64.1",
    "X-B3-Parentspanid": "50419cd0b3ae983a",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "5a0bbd2e611fa59e",
    "X-B3-Traceid": "33c8c481a13746c050419cd0b3ae983a",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-External-Address": "38.75.137.213",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/default;Hash=abb1a2a76a04fe7476cd38738e98a228b39dbf6a88936fd249ee23839ec98234;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
    "X-Request-Id": "2fe85688-cf60-4f61-b9bb-25e354625124"
  },
  "origin": "38.75.137.213",
  "url": "http://httpbin.makeoptim.com/get"
}

Next, set an IP Black Listing for the httpbin service, so that some IPs cannot access httpbin.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
    - from:
        - source:
            ipBlocks: ["38.75.137.213"]
      to:
        - operation:
            hosts:
              - httpbin.makeoptim.com

Here, my IP is 38.75.137.213, and in AuthorizationPolicy, DENY is set and points to httpbin.makeoptim.com.

At this time, if you visit httpbin.makeoptim.com again, it will return RBAC: access denied, indicating that the IP Black Listing has been successfully set.

1
2
❯ curl httpbin.makeoptim.com/get
RBAC: access denied

Note:

Reference

Further reading

CatchZeng
Written by CatchZeng Follow
AI (Machine Learning) and DevOps enthusiast.