
We would like to use Istio for achieving blocking of egress access from applications and to have an allow-list/block-list of IP addresses and CIDR blocks. Are there any solutions possible using Istio?

-Renjith

  • What exactly do you mean by `blocking of egress access from applications`? Allow/block any IPs for selected applications? AFAIK you could use [authorization policy](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Source) with ipBlocks/notIpBlocks to do that, [there](https://istio.io/latest/docs/tasks/security/authorization/authz-ingress/) is an example. Another option would be to use [envoy filter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/), [there](https://stackoverflow.com/a/63682724/11977760) is an example. – Jakub Oct 02 '20 at 11:19
  • I think he means EgressGateway https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/ – Chris Oct 02 '20 at 13:18
  • I meant, how to block egress traffic to a specific IP for the traffic exiting the mesh. If this can be achieved through the egress gateway, that also is sufficient. I was also wondering, when running this in a hyperscaler, do we really need an egress gateway or can't the external traffic exit the mesh from the local nodes and directly go to the cloud provider's NAT gateway. – Renjith Pillai Oct 03 '20 at 19:16

1 Answer

We would like to use Istio for achieving blocking of egress access from applications

I think you could use REGISTRY_ONLY outboundTrafficPolicy.mode for that.

Istio has an installation option, meshConfig.outboundTrafficPolicy.mode, that configures the sidecar handling of external services, that is, those services that are not defined in Istio’s internal service registry. If this option is set to ALLOW_ANY, the Istio proxy lets calls to unknown services pass through. If the option is set to REGISTRY_ONLY, then the Istio proxy blocks any host without an HTTP service or service entry defined within the mesh. ALLOW_ANY is the default value, allowing you to start evaluating Istio quickly, without controlling access to external services. You can then decide to configure access to external services later.

More about that here and here.

and to have an allow-list/block-list of IP Addresses and CIDR blocks.

AFAIK the only way to create an allow/block list in Istio is with AuthorizationPolicy or EnvoyFilter.

I have found a few examples where they used AuthorizationPolicy with the egress gateway, for example here.

They just changed the AuthorizationPolicy label from app: istio-ingressgateway to app: istio-egressgateway.

```yaml
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
```

I was looking for any example with IP/CIDR, but I couldn't find anything, so I'm not sure if that's gonna work with the egress gateway.

Additional resources:

Jakub
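The following is an added example, not part of the answer above or of the Istio project, putting the two pieces the answer names together: REGISTRY_ONLY makes every unregistered destination fail, so ServiceEntry resources become the destination allow-list (the `addresses` field accepts CIDR prefixes for TCP), and an AuthorizationPolicy selecting `app: istio-egressgateway` filters who may use the gateway. All addresses and names are constructed (RFC 5737 documentation ranges); note that `ipBlocks`/`notIpBlocks` match the caller's address as seen by the gateway, not the external destination, which is why the IP/CIDR allow-list lives in the ServiceEntry.

```yaml
# Added example (not from the original answer): block unregistered egress by default.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
---
# Allow-list one external CIDR block for TCP/443. Under REGISTRY_ONLY any
# destination outside this range (and not in another ServiceEntry) is refused.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: partner-range
spec:
  hosts:
  - partner.example.com     # constructed name; TCP matching is by address below
  addresses:
  - 203.0.113.0/24          # constructed CIDR (RFC 5737 TEST-NET-3)
  ports:
  - number: 443
    name: tcp-443
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE
---
# Optional: only pods from one CIDR may send traffic through the egress gateway.
# ipBlocks evaluates the *source* of the connection reaching the gateway (the
# calling pod), not the external destination, so this is a caller allow-list.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: egress-callers
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  action: DENY
  rules:
  - from:
    - source:
        notIpBlocks:
        - 10.244.0.0/16       # constructed pod CIDR of the permitted callers
```

A quick check after applying this is to run `curl` from a sidecar-injected pod against an IP outside 203.0.113.0/24 and confirm it is refused, then against an address inside the range and confirm it connects.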