@analytik
Created February 25, 2020 08:22
How to create an IP whitelist for Istio
# Whitelist office IPs only
# Preserve the client source address at the ingress gateway (with the default
# "Cluster" policy the gateway only sees the node's address); the gateway pod is
# restarted so the change takes effect.
kubectl -n istio-system patch svc istio-ingressgateway -p '{"spec":{"externalTrafficPolicy": "Local"}}'
ingressgatewaypod=$(kubectl -n istio-system get pods -l app=istio-ingressgateway -o name | cut -d / -f 2)
kubectl -n istio-system delete pod $ingressgatewaypod
# If this rule needs changing then delete the previous instances beforehand, otherwise the change does not seem to be picked up
# kubectl -n istio-system delete handler whitelistip
# kubectl -n istio-system delete instance sourceip
# kubectl -n istio-system delete rule checkip
kubectl apply -f - <<EOF
# Handler: the list of allowed source addresses (blacklist: false = allowlist)
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelistip
  namespace: istio-system
spec:
  compiledAdapter: listchecker
  params:
    blacklist: false
    entryType: IP_ADDRESSES
    overrides:
    - 123.123.123.123
---
# Instance: the value checked against the list, taken from the address Envoy
# recorded for the external client
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceip
  namespace: istio-system
spec:
  compiledTemplate: listentry
  params:
    value: request.headers["x-envoy-external-address"] | "0.0.0.0"
---
# Rule: run the check only for requests arriving through the ingress gateway
# that carry the external-address header
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
  namespace: istio-system
spec:
  match: (source.labels["istio"] | "") == "ingressgateway" && (request.headers["x-envoy-external-address"] | "") != ""
  actions:
  - handler: whitelistip
    instances:
    - sourceip
EOF
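To reason about what the rule above actually enforces before rolling it out, here is an added example (not part of the gist) that models the rule's match expression, the instance's `| "0.0.0.0"` fallback and the listchecker allowlist in plain Python; the allowlist entries are constructed sample values, and it assumes listchecker's IP_ADDRESSES entries may be plain addresses or CIDR blocks. It also shows the case the match clause leaves out: a request without the header is not checked at all.

```python
import ipaddress
from typing import Mapping

# Constructed allowlist standing in for params.overrides in the handler.
OVERRIDES = ["123.123.123.123", "198.51.100.0/24"]
BLACKLIST = False  # params.blacklist in the handler


def attr(mapping: Mapping[str, str], key: str, default: str) -> str:
    """Model the Mixer expression m["key"] | default: the default is used
    only when the attribute is absent."""
    return mapping.get(key, default)


def rule_matches(source_labels: Mapping[str, str], headers: Mapping[str, str]) -> bool:
    """The rule's match expression, evaluated the same way Mixer would."""
    return (attr(source_labels, "istio", "") == "ingressgateway"
            and attr(headers, "x-envoy-external-address", "") != "")


def listchecker(value: str) -> bool:
    """listchecker with entryType IP_ADDRESSES: the value is "in the list" when
    it falls inside any entry (address or CIDR). Returns True when the check
    passes, honouring the blacklist flag; an unparsable value never passes."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    found = any(ip in ipaddress.ip_network(entry, strict=False) for entry in OVERRIDES)
    return (not found) if BLACKLIST else found


def evaluate(source_labels: Mapping[str, str], headers: Mapping[str, str]) -> str:
    """Outcome for one request: 'allow', 'deny', or 'unchecked' when the rule's
    match clause is false and the handler is therefore never consulted."""
    if not rule_matches(source_labels, headers):
        return "unchecked"
    value = attr(headers, "x-envoy-external-address", "0.0.0.0")  # the instance's value
    return "allow" if listchecker(value) else "deny"


if __name__ == "__main__":
    gw = {"istio": "ingressgateway"}
    print(evaluate(gw, {"x-envoy-external-address": "123.123.123.123"}))  # allow
    print(evaluate(gw, {"x-envoy-external-address": "203.0.113.9"}))      # deny
    print(evaluate(gw, {}))                                                # unchecked
```

Because the match clause requires the header to be present, the `"0.0.0.0"` fallback in the instance can never be reached from this rule; a request reaching the gateway without the header is simply not evaluated by the handler.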