How to control ingress traffic using Istio Authorization policy and AWS ALB with routing.http.xff_header_processing.mode=append
---
# Istio ingress Helm Chart
# Values for the istio/gateway chart. Compared with the chart defaults, the
# Service type is NodePort: the ALB Ingress in this gist leaves
# alb.ingress.kubernetes.io/target-type commented out, so the controller's
# default instance mode applies and the ALB registers node ports as targets.
# Name allows overriding the release name. Generally this should not be set
name: ""
# revision declares which revision this gateway is a part of
revision: ""
# Controls the spec.replicas setting for the Gateway deployment if set.
# Otherwise defaults to Kubernetes Deployment default (1).
# Left unset here; autoscaling below owns the replica count.
replicaCount:
kind: Deployment
rbac:
  # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
  # when using http://gateway-api.org/.
  enabled: true
serviceAccount:
  # If set, a service account will be created. Otherwise, the default is used
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set, the release name is used
  name: ""
podAnnotations:
  prometheus.io/port: "15020"
  prometheus.io/scrape: "true"
  prometheus.io/path: "/stats/prometheus"
  inject.istio.io/templates: "gateway"
  sidecar.istio.io/inject: "true"
# Define the security context for the pod.
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
securityContext: ~
containerSecurityContext: ~
service:
  # Type of service. Set to "None" to disable the service entirely
  # NodePort (chart default is LoadBalancer): the ALB reaches the gateway
  # through node ports, so no cloud LoadBalancer Service is wanted here.
  type: NodePort
  ports:
    # Istio's own readiness endpoint (/healthz/ready) is served on this port.
    # NOTE(review): the ALB health check in the Ingress below probes /health on
    # the traffic port instead; confirm that path is actually answered.
    - name: status-port
      port: 15021
      protocol: TCP
      targetPort: 15021
    # Plain HTTP; the ALB listener in this gist forwards to this port.
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 80
    # Exposed by the Service but unused by the ALB as configured (HTTP listener only).
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
  annotations: {}
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  # Empty -> Kubernetes default. The client address reaching the gateway is
  # therefore the node/ALB address at L4; the real client IP is carried only in
  # X-Forwarded-For, which is why the ALB append mode and the Istio
  # numTrustedProxies setting matter for the AuthorizationPolicy below.
  externalTrafficPolicy: ""
  externalIPs: []
  ipFamilyPolicy: ""
  ipFamilies: []
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 2000m
    memory: 1024Mi
autoscaling:
  enabled: true
  minReplicas: 1
  maxReplicas: 5
  targetCPUUtilizationPercentage: 80
# Pod environment variables
env: {}
# Labels to apply to all resources
labels: {}
# Annotations to apply to all resources
annotations: {}
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# If specified, the gateway will act as a network gateway for the given network.
networkGateway: ""
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent
imagePullPolicy: ""
imagePullSecrets: []
# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
#
# By default, the `podDisruptionBudget` is disabled (set to `{}`),
# which means that no PodDisruptionBudget resource will be created.
#
# To enable the PodDisruptionBudget, configure it by specifying the
# `minAvailable` or `maxUnavailable`. For example, to set the
# minimum number of available replicas to 1, you can update this value as follows:
#
# podDisruptionBudget:
#   minAvailable: 1
#
# Or, to allow a maximum of 1 unavailable replica, you can set:
#
# podDisruptionBudget:
#   maxUnavailable: 1
#
# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
#
# podDisruptionBudget:
#   minAvailable: 1
#   unhealthyPodEvictionPolicy: AlwaysAllow
#
# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
#
# podDisruptionBudget: {}
#
podDisruptionBudget: {}
terminationGracePeriodSeconds: 30
# A list of `Volumes` added into the Gateway Pods. See
# https://kubernetes.io/docs/concepts/storage/volumes/.
volumes: []
# A list of `VolumeMounts` added into the Gateway Pods. See
# https://kubernetes.io/docs/concepts/storage/volumes/.
volumeMounts: []
# Configure this to a higher priority class in order to make sure your Istio gateway pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
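---
# Istiod values
meshConfig:
  accessLogFile: /dev/stdout
  defaultConfig:
    gatewayTopology:
      # Required for AuthorizationPolicy `remoteIpBlocks` to see the real client:
      # Istio populates remote.ip from X-Forwarded-For only when
      # numTrustedProxies is set; otherwise remote.ip is the address of the
      # immediate peer (the ALB / node), and a CIDR rule for end clients never
      # matches. With the ALB in xff_header_processing.mode=append the ALB
      # appends the connecting client's address as the right-most XFF entry, so
      # exactly one hop is trusted and that ALB-written entry is the one used.
      # Increase only if another trusted proxy is chained in front of the ALB;
      # a value larger than the real hop count lets a client-supplied XFF entry
      # be trusted.
      numTrustedProxies: 1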
---
# Kiali Chart
# Tells Kiali which Istio components to report on, including the ingress
# gateway that lives outside istio-system.
external_services:
  istio:
    root_namespace: istio-system
    component_status:
      enabled: true
      components:
        - app_label: istiod
          is_core: true
        # NOTE(review): the `app` label of a Helm-installed gateway is the
        # release name. The rest of this gist points at a gateway named
        # istio-ingress (Ingress backend service `istio-ingress`, selector
        # `istio: ingress`), whose app label would be `istio-ingress`, not
        # `istio-ingressgateway`; confirm against `kubectl get pods -n istio-ingress --show-labels`.
        - app_label: istio-ingressgateway
          is_core: true
          is_proxy: true
          namespace: istio-ingress
---
# Ingress using AWS Load Balancer Controller to create a public ALB to route traffic to Istio Service
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: istio-ingress
  name: public-ingress-gw
  labels:
    app: public-ingress-gw
  annotations:
    # Legacy class annotation; spec.ingressClassName below already selects the
    # ALB controller, so one of the two is redundant.
    kubernetes.io/ingress.class: alb
    # NOTE(review): nothing in this gist answers /health on the gateway's port
    # 80 (the VirtualService only routes /status, /delay and /headers), so the
    # targets may be reported unhealthy. Istio serves readiness at
    # /healthz/ready on the status-port (15021) that the Helm values expose;
    # confirm which port/path the ALB health check actually hits.
    alb.ingress.kubernetes.io/healthcheck-path: /health
    # Left at the controller default (instance): the ALB registers node ports,
    # which is why the gateway Service is NodePort.
    # alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    # HTTP only: no HTTPS listener or certificate is configured here, so the
    # gateway's 443 port goes unused by this ALB and traffic to it is cleartext.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    # append: the ALB adds the connecting client's IP as the LAST entry of
    # X-Forwarded-For (creating the header if the client sent none). The
    # right-most entry is therefore written by the ALB, not the client, and is
    # the entry Istio reads when numTrustedProxies=1 is set for the gateway.
    alb.ingress.kubernetes.io/load-balancer-attributes: routing.http.xff_header_processing.mode=append
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: istio-ingress # Istio ingress pod
                port:
                  number: 80
---
# Istio Authorization Policy
# Restricts what the ingress gateway accepts to the listed client CIDR(s).
# Because the policy has action ALLOW, any request to the selected gateway
# that matches no rule is rejected (403).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: ingress # Adjust this to match your Istio Ingress Gateway's label
  action: ALLOW
  rules:
    - from:
        - source:
            # Placeholder CIDR — replace with the allowed client range(s).
            # remoteIpBlocks is matched against remote.ip, which Istio derives
            # from X-Forwarded-For (or PROXY protocol), not from the TCP peer.
            # That only happens when the gateway has
            # meshConfig.defaultConfig.gatewayTopology.numTrustedProxies set
            # (1 for a single ALB in front); without it remote.ip is the ALB /
            # node address and no client CIDR ever matches.
            # NOTE(review): this policy also applies to the ALB health checks,
            # which carry no client XFF entry; unless their source address is
            # covered they will be rejected — check target health after apply.
            # The XFF trust model assumes every request reaches the gateway
            # through the ALB, so keep the gateway NodePort reachable only from
            # the ALB's security group.
            remoteIpBlocks: ["xxx.xxx.xxx.xxx/xx"]
---
# HTTP Bin Deployment and Service
# Sample backend used to exercise the gateway. No namespace is set on these
# resources, so they land in the current kubectl context's namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
# Service in front of the httpbin pods: port 8000 on the Service maps to the
# container's port 80. The VirtualService below targets port 8000.
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
    - name: http
      port: 8000
      targetPort: 80
  selector:
    app: httpbin
---
# Single-replica httpbin deployment (sample workload).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
        # NOTE(review): the image has no tag or digest, so `latest` is pulled
        # and the deployment is not reproducible; pin a tag or digest before
        # reusing this outside a demo. No resource requests/limits or container
        # securityContext are set either.
        - image: docker.io/kong/httpbin
          imagePullPolicy: IfNotPresent
          name: httpbin
          ports:
            - containerPort: 80
---
# HTTP Bin Istio gateway and virtual service
# Opens plain HTTP on port 80 of the ingress gateway for any Host header;
# the ALB forwards to this port.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  # The selector matches the ingress gateway pod labels.
  # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
  selector:
    istio: ingress
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      # Any Host header is accepted; narrow this for anything beyond a demo.
      hosts:
        - "*"
---
# Routes three httpbin paths through httpbin-gateway to the httpbin Service.
# /headers echoes the request headers, which is handy for seeing the
# X-Forwarded-For value the gateway received from the ALB.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
    - "*"
  gateways:
    - httpbin-gateway
  http:
    - match:
        - uri:
            prefix: /status
        - uri:
            prefix: /delay
        - uri:
            prefix: /headers
      route:
        - destination:
            port:
              number: 8000
            host: httpbin # This is the httpbin service