I've currently deployed a small application which consists of multiple pods as well as a k8s service to connect to it. Due to some limitations of the service, it's not possible to inject the istio sidecar. At the moment, I've configured ingress via an istio Gateway + VirtualService, which works as expected. I would now like to add an AuthorizationPolicy to restrict access to a certain set of IP ranges.

Is this possible? As I understand it, istio handles authentication in the sidecar proxy, so I'm wondering whether there's another way to do this.

BStadlbauer
  • Are you looking for "notIpBlocks" in authorization policy? The following link has details: https://istio.io/latest/docs/reference/config/security/authorization-policy/#Source – Nataraj Medayhal Mar 28 '23 at 07:26
  • It is the Envoy Proxy that carries out the Authn and Authz through the Istio Agent that runs next to it. It uses X.509 certificates based on the workload's ServiceAccount (PeerAuthentication) or on JWT (RequestAuthentication) attached to the request when coming from end user. – RicHincapie Mar 28 '23 at 13:36

0 Answers