Problem Description
When services are under attack, or may only be accessed from certain IPs, the usual practice is to set up an IP white/black list for the service.
Solution
Let's take httpbin as an example to illustrate how to use AuthorizationPolicy in Istio to set an IP white/black list for the service.
# httpbin.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.makeoptim.com"
  gateways:
  - gateway/makeoptim-gateway
  http:
  - route:
    - destination:
        port:
          number: 8000
        host: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: docker.io/citizenstig/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 8000
After deploying httpbin, you can access it directly.
❯ curl httpbin.makeoptim.com/get
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "httpbin.makeoptim.com",
    "User-Agent": "curl/7.64.1",
    "X-B3-Parentspanid": "50419cd0b3ae983a",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "5a0bbd2e611fa59e",
    "X-B3-Traceid": "33c8c481a13746c050419cd0b3ae983a",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-External-Address": "38.75.137.213",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/default;Hash=abb1a2a76a04fe7476cd38738e98a228b39dbf6a88936fd249ee23839ec98234;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
    "X-Request-Id": "2fe85688-cf60-4f61-b9bb-25e354625124"
  },
  "origin": "38.75.137.213",
  "url": "http://httpbin.makeoptim.com/get"
}
Next, set an IP black list for the httpbin service, so that certain IPs cannot access httpbin.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ["38.75.137.213"]
    to:
    - operation:
        hosts:
        - httpbin.makeoptim.com
Here, my IP is 38.75.137.213, and in the AuthorizationPolicy, DENY is set and points to httpbin.makeoptim.com.
If you now visit httpbin.makeoptim.com again, it returns RBAC: access denied, indicating that the IP black list has been set successfully.
❯ curl httpbin.makeoptim.com/get
RBAC: access denied
Note:
ipBlocks supports both a single IP (e.g. "1.2.3.4") and a CIDR block (e.g. "1.2.3.0/24"); see https://istio.io/latest/docs/reference/config/security/authorization-policy/#Source for details.
The example above sets an IP black list. An IP white list is just as simple: change DENY to ALLOW. For more settings, see https://istio.io/latest/docs/reference/config/security/authorization-policy/.
to/operation/hosts can specify particular hosts, so that only certain services are black- or whitelisted without affecting the entire service mesh.
ALLOW and DENY can be used in multiple combinations to meet business needs; see https://istio.io/latest/docs/concepts/security/#authorization for details.
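To make the ALLOW/DENY combinations above concrete, here is an added Python model (not Istio's code) of how the proxy evaluates these policies: any matching DENY rejects first, and once an ALLOW policy exists on the workload, requests that no ALLOW matches are rejected as well. The policies and request values are constructed to mirror the page's httpbin example; the 10.0.0.0/8 whitelist CIDR is an assumption.

```python
import ipaddress

def _ip_matches(ip, blocks):
    # ipBlocks entries are a single IP ("1.2.3.4") or a CIDR ("1.2.3.0/24"). They are matched
    # against the proxy's direct peer; behind a load balancer that rewrites the source address
    # the field to use is remoteIpBlocks (X-Forwarded-For / proxy protocol) instead.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)

def _rule_matches(rule, source_ip, host):
    ip_blocks = [b for f in rule.get("from", []) for b in f["source"].get("ipBlocks", [])]
    hosts = [h for t in rule.get("to", []) for h in t["operation"].get("hosts", [])]
    # An omitted from/to section matches any source / any host. Hosts are compared exactly here;
    # Istio additionally accepts "*" prefix/suffix wildcards, which this model leaves out.
    ip_ok = not ip_blocks or _ip_matches(source_ip, ip_blocks)
    host_ok = not hosts or host.lower() in [h.lower() for h in hosts]
    return ip_ok and host_ok

def is_allowed(policies, source_ip, host):
    """True if the request reaches the workload, False for 'RBAC: access denied'."""
    def matches(policy):
        return any(_rule_matches(r, source_ip, host) for r in policy["spec"].get("rules", []))
    denies = [p for p in policies if p["spec"].get("action", "ALLOW") == "DENY"]
    allows = [p for p in policies if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(matches(p) for p in denies):      # 1. a matching DENY always wins
        return False
    if not allows:                           # 2. no ALLOW policy on the workload: pass
        return True
    return any(matches(p) for p in allows)   # 3. otherwise some ALLOW must match

# Constructed copy of the page's policy: deny 38.75.137.213 for httpbin.makeoptim.com.
DENY_POLICY = {"spec": {"action": "DENY", "rules": [
    {"from": [{"source": {"ipBlocks": ["38.75.137.213"]}}],
     "to": [{"operation": {"hosts": ["httpbin.makeoptim.com"]}}]}]}}

# Constructed whitelist variant (CIDR is an assumption): same rule, action ALLOW. Once this is
# applied to the gateway, hosts the rule does not name are denied too (step 3 above), so a
# per-host whitelist needs a matching ALLOW for every other host served by that gateway.
ALLOW_POLICY = {"spec": {"action": "ALLOW", "rules": [
    {"from": [{"source": {"ipBlocks": ["10.0.0.0/8"]}}],
     "to": [{"operation": {"hosts": ["httpbin.makeoptim.com"]}}]}]}}

if __name__ == "__main__":
    print(is_allowed([DENY_POLICY], "38.75.137.213", "httpbin.makeoptim.com"))   # False
    print(is_allowed([DENY_POLICY], "38.75.137.213", "other.makeoptim.com"))     # True
    print(is_allowed([ALLOW_POLICY], "10.1.2.3", "httpbin.makeoptim.com"))       # True
    print(is_allowed([ALLOW_POLICY], "10.1.2.3", "other.makeoptim.com"))         # False
```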