
Implementing an IP whitelist with Istio

There are two approaches: one combines an AuthorizationPolicy with Envoy's IP_TAGGING filter, the other checks the X-FORWARDED-FOR header directly.

Configure the Service

When the ingress-gateway Service is of Type=LoadBalancer, the following setting must be added; otherwise X-FORWARDED-FOR will not carry the real remote IP (without it, kube-proxy SNATs the traffic and the gateway sees a node address instead of the client):

externalTrafficPolicy: Local

1. Combining with IP_TAGGING

Configure the AuthorizationPolicy

The namespace is the root namespace (istio-system), so a selector is needed to restrict the policy to istio-ingressgateway:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ip-white-list
  namespace: istio-system # “metadata/namespace” tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: DENY
  rules:
  - to:
    - operation:
        hosts:
        - "*-host.cn"
    when:
    - key: request.headers[x-envoy-ip-tags]
      notValues: # used together with ip_tagging: deny unless the request was tagged
      - "white-list-ip"

ip_tagging

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ip-white-list
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 443
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.rbac"
    patch:
      operation: INSERT_BEFORE # the tagging filter must run before RBAC evaluates x-envoy-ip-tags
      value:
        name: envoy.ip_tagging # https://github.com/envoyproxy/envoy/issues/5267#issuecomment-596909572
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.http.ip_tagging.v2.IPTagging"
          request_type: BOTH
          ip_tags:
          - ip_tag_name: white-list-ip
            ip_list:
            - address_prefix: 202.220.211.211
              prefix_len: 32 # Envoy's CidrRange defaults prefix_len to 0 (matches every address) when unset; /32 limits the tag to this single host

2. Using x-forwarded-for

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-from-manqian
  namespace: istio-system # “metadata/namespace” tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: DENY
  rules:
  # - from: # see: https://github.com/envoyproxy/envoy/issues/5267
  #   - source:
  #       notIpBlocks:
  #       - 58.250.159.235 # Shenzhen office, China Unicom line
  #       - 113.90.38.174
  - to:
    - operation:
        hosts:
        - "*-grpc.manqian.cn"
    when:
    - key: request.headers[X-FORWARDED-FOR]
      notValues: # exact match on the whole header value; a missing or multi-hop header is denied
      - 58.250.159.235
      - 113.90.38.174

Currently source.ip is not derived from x-forwarded-for, so source.ipBlocks cannot be used directly to whitelist external IPs.
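To make the matching semantics of both approaches concrete, here is an added Python simulation (not Istio or Envoy code, and not from the original post) that mirrors the policies above. It assumes the gateway's Envoy appends the TCP peer address to any client-supplied X-Forwarded-For, which is why an attacker-supplied header cannot satisfy the exact-match rule, while a whitelisted client sitting behind its own proxy is denied as well.

```python
import ipaddress

# Constructed data mirroring the page's two policies (a simulation of the
# matching semantics, not Istio or Envoy code).
XFF_WHITELIST = {"58.250.159.235", "113.90.38.174"}  # AuthorizationPolicy notValues
IP_TAGS = {"white-list-ip": [ipaddress.ip_network("202.220.211.211/32")]}  # EnvoyFilter ip_tags


def gateway_xff(client_headers: dict, peer_ip: str) -> dict:
    """Assumed gateway behaviour: Envoy appends the TCP peer address to any
    client-supplied X-Forwarded-For before the RBAC filter runs. With
    externalTrafficPolicy: Local the peer is the real client, not a node."""
    headers = dict(client_headers)
    prior = headers.get("x-forwarded-for")
    headers["x-forwarded-for"] = f"{prior},{peer_ip}" if prior else peer_ip
    return headers


def xff_rule_denies(headers: dict) -> bool:
    """Mirror of `when: request.headers[X-FORWARDED-FOR] notValues: [...]`.
    The whole header value is compared as one string: a missing header or a
    multi-hop value such as "spoofed,real" never equals a single listed IP,
    so the DENY rule matches."""
    return headers.get("x-forwarded-for") not in XFF_WHITELIST


def ip_tag_rule_denies(peer_ip: str) -> bool:
    """Mirror of the ip_tagging approach: tag the peer address via the CIDR
    table, then DENY unless the request carries the "white-list-ip" tag."""
    addr = ipaddress.ip_address(peer_ip)
    tags = [name for name, nets in IP_TAGS.items() if any(addr in n for n in nets)]
    return "white-list-ip" not in tags


if __name__ == "__main__":
    cases = {
        "whitelisted client, no proxy": gateway_xff({}, "58.250.159.235"),
        "spoofed XFF from unknown peer": gateway_xff({"x-forwarded-for": "58.250.159.235"}, "203.0.113.9"),
        "whitelisted client behind a proxy": gateway_xff({"x-forwarded-for": "10.1.1.1"}, "58.250.159.235"),
    }
    for label, hdrs in cases.items():
        print(f"{label:36} xff={hdrs['x-forwarded-for']:28} deny={xff_rule_denies(hdrs)}")
    for ip in ("202.220.211.211", "202.220.211.212"):
        print(f"ip_tagging peer={ip:18} deny={ip_tag_rule_denies(ip)}")
```

The third case is the practical caveat of the header approach: a legitimate office client whose own proxy already populated X-Forwarded-For arrives with a two-hop value and is denied by the exact match.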

References