IP access restriction using Istio not working

Question

I am trying to implement IP-based access restriction using Istio, where I would like Istio to block all requests apart from certain IPs. I got to a point where it's blocking the requests, but it's not allowing the IPs I add in the YAML manifest. I suspect the IP that it is seeing is different from the original client IP, as I have a couple of load balancers in front of my Istio.

I read in some documents that X-Forwarded-For is what we should be using to get the actual IP, and I have used this in some other implementations, but I'm unclear how to get Istio to pick the actual X-Forwarded-For host. Can we create some custom headers and make Istio read from there? Please help.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks: ["98.XXX.XXX.66"]

I enabled debug logs in my Envoy and below is what is getting recorded.

[2023-05-13T03:22:05.387Z] "GET /cluster/XXXX/XXXX/hari5 HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "98.XXX.XXX.66:52063,10.240.208.62" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "37ccfaa6-7deb-414f-9f5c-72926c997994" "XXX-XX-XXX.XXX.com" "-"
outbound|80||XXX.XXX-XXX.svc.cluster.local - 10.240.208.23:8080 10.240.208.62:40755 - -
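The access log above carries the explanation for the 403. Istio's ingress gateway runs Envoy with use_remote_address enabled, so remoteIpBlocks is not compared against the raw header: Envoy first derives one trusted client address from X-Forwarded-For, and which entry it takes is controlled by meshConfig.defaultConfig.gatewayTopology.numTrustedProxies (value N means the Nth entry counted from the right; unset or 0 means the header is ignored and the address of the TCP peer is used). The downstream remote address in the log (10.240.208.62:40755) equals the last X-Forwarded-For entry, which is what such a gateway appends before logging, so the header as received from the load balancer was most likely the single entry 98.XXX.XXX.66:52063, an address with a port attached. The Python below is an added model of that selection and of the CIDR check; it is not code from the question, from Istio or from Envoy. It assumes the gateway's default use_remote_address behaviour, substitutes the documentation address 203.0.113.66 for the masked public octets, and models an entry that is not a bare IP literal (the ip:port form) as a fall back to the peer address, which is an assumption about the proxy rather than something the page states.

```python
"""Model of the trusted-client-address selection an Istio ingress gateway performs
before evaluating AuthorizationPolicy.remoteIpBlocks.

Added example, not code from the question, from Istio or from Envoy. It follows the
documented rule for a gateway (use_remote_address: true): with
gatewayTopology.numTrustedProxies = N > 0 the trusted client address is the Nth entry
from the right of the incoming X-Forwarded-For header; with N = 0 the header is
ignored and the TCP peer's address is used. An entry that is not a bare IP literal
(e.g. "ip:port") cannot be parsed; this model then falls back to the peer address,
which is an assumption about the proxy's behaviour.
"""
from __future__ import annotations

import ipaddress
from typing import Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample values, derived from the access log in the question with the
# masked public octets replaced by 203.0.113.66 (TEST-NET-3, reserved for documentation).
INCOMING_XFF = "203.0.113.66:52063"   # inferred header as sent by the load balancer
PEER_ADDRESS = "10.240.208.62"        # the node/load balancer the gateway accepted the connection from
ALLOWED_BLOCKS = ["203.0.113.66"]     # what the question's remoteIpBlocks would contain


def split_xff(header: str) -> list[str]:
    """Split a comma-delimited X-Forwarded-For value into its entries, left to right."""
    return [entry.strip() for entry in header.split(",") if entry.strip()]


def parse_ip(text: str) -> IPAddress | None:
    """Strict parser: only a bare IPv4/IPv6 literal is accepted, so 'ip:port' yields None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def trusted_client_address(xff_header: str | None, peer: str, num_trusted_proxies: int) -> IPAddress:
    """Return the single address that remoteIpBlocks is compared against."""
    peer_ip = ipaddress.ip_address(peer)
    if num_trusted_proxies <= 0 or not xff_header:
        # No trusted proxies configured (or no header): the connection's peer is the client.
        return peer_ip
    entries = split_xff(xff_header)
    if len(entries) < num_trusted_proxies:
        # Fewer entries than trusted hops: fall back to the peer address.
        return peer_ip
    # Count from the right: the rightmost N entries were written by trusted proxies;
    # everything to their left is whatever the client chose to send.
    candidate = parse_ip(entries[-num_trusted_proxies])
    return candidate if candidate is not None else peer_ip  # unparsable entry: modelled as fall back


def in_remote_ip_blocks(client: IPAddress, blocks: list[str]) -> bool:
    """remoteIpBlocks semantics: each entry is a single address or a CIDR range."""
    return any(client in ipaddress.ip_network(block, strict=False) for block in blocks)


def evaluate(xff_header: str | None, peer: str, num_trusted_proxies: int,
             blocks: list[str] = ALLOWED_BLOCKS) -> tuple[str, bool]:
    """Return (address the policy saw, whether the ALLOW rule would match)."""
    client = trusted_client_address(xff_header, peer, num_trusted_proxies)
    return str(client), in_remote_ip_blocks(client, blocks)


if __name__ == "__main__":
    scenarios = {
        "numTrustedProxies unset, header from the log": (INCOMING_XFF, 0),
        "numTrustedProxies=1, header from the log (ip:port entry)": (INCOMING_XFF, 1),
        "numTrustedProxies=1, LB writes a bare IP": ("203.0.113.66", 1),
        "numTrustedProxies=1, client forged a left-most entry, LB appended 198.51.100.9":
            ("203.0.113.66,198.51.100.9", 1),
        "numTrustedProxies=2 (one hop too many), same forged header":
            ("203.0.113.66,198.51.100.9", 2),
    }
    for label, (header, hops) in scenarios.items():
        seen, allowed = evaluate(header, PEER_ADDRESS, hops)
        print(f"{label}: policy sees {seen} -> {'ALLOW' if allowed else 'DENY'}")
```

The last two scenarios are the reason the count runs from the right: with numTrustedProxies equal to the real number of proxies, a forged left-most entry is never selected, while setting it one higher than the real topology hands the decision to the client.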

Answer 1

Score: 0

> I suspect the IP that it is seeing is different from the original
> client IP as I have a couple of load balancers in front of my Istio.

Assuming you don't use externalTrafficPolicy: Local because, as described here, you have used remoteIpBlocks. So if you comply with that, the only issue I am seeing is the following.

The load balancer is the one component that sits between the client and Istio. Therefore, it should be the load balancer that reads the client's IP and adds this value to the header X-Forwarded-For. Then Istio would be able to understand and filter the request based on the client's IP address.

Answer 2

Score: 0

This is what we had to use for restricting GET-access based on IP for one of our apps.

The x-forwarded-for header is just a comma-delimited string where the first entry is the client IP address; the remaining IP addresses are from gateways, proxies etc.

  • For a match with a single IP address: e.g. "123.234.345.567,*" (note the comma before the wildcard character is important when the last segment is less than 3 digits)
  • For a match with all addresses in the last segment: e.g. "123.234.345.*"
  • For a match with all addresses in the last 2 segments: e.g. "123.234.*"

You may also add multiple IP patterns under values.

I hope this will bring you further.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: our-authorization-policy
  namespace: our-namespace
spec:
  selector:
    matchLabels:
      app: our-app-name
  action: ALLOW
  rules:
    - to:
        - operation:
            methods: ["GET"]
      when:
        - key: request.headers[x-forwarded-for]
          values:
            - "xxx.xxx.xxx.xxx,*" # note the trailing '*'
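The condition in this answer is a string match on the whole header value, not an address match: Istio documents four forms for a condition value, "*" (the header is present), "abc*" (prefix), "*abc" (suffix) and anything else (exact). The Python below, added here and not part of the answer or of Istio, models that matching to show what the "ip,*" recipe does and does not catch. It demonstrates the comma point made in the answer, and two caveats a practitioner should weigh before relying on it: the pattern is defeated by the ip:port form that appears in the question's access log, and it is satisfied by anything in the left-most position, which is the entry an untrusted client can write itself unless the first proxy overwrites the incoming header. Addresses are documentation ranges and the header values are constructed.

```python
"""Model of the string matching Istio applies to an AuthorizationPolicy condition such as
    key: request.headers[x-forwarded-for]
    values: ["203.0.113.66,*"]
Added example, not code from the answer above or from Istio. Istio documents four forms
for condition values: "*" (presence), "abc*" (prefix), "*abc" (suffix), otherwise exact.
"""
from __future__ import annotations


def istio_string_match(value: str, pattern: str) -> bool:
    """Match one condition value the way Istio documents it."""
    if pattern == "*":
        return True                                 # presence: the header exists, any value
    if pattern.endswith("*") and not pattern.startswith("*"):
        return value.startswith(pattern[:-1])       # prefix match, e.g. "203.0.113.66,*"
    if pattern.startswith("*") and not pattern.endswith("*"):
        return value.endswith(pattern[1:])          # suffix match, e.g. "*,10.240.208.62"
    return value == pattern                         # exact match


def header_allowed(xff_value: str | None, values: list[str]) -> bool:
    """Evaluate the `when` clause: the header must be present and match at least one value."""
    if xff_value is None:
        return False
    return any(istio_string_match(xff_value, pattern) for pattern in values)


# The answer's recipe with a documentation address in place of xxx.xxx.xxx.xxx.
ALLOW_ONLY = ["203.0.113.66,*"]


def demo() -> dict[str, bool]:
    """Constructed header values; 10.240.208.62 is the proxy address seen in the question's log."""
    cases = {
        "bare IP written by the LB":             "203.0.113.66,10.240.208.62",
        "ip:port written by the LB (question)":  "203.0.113.66:52063,10.240.208.62",
        "different host, same leading digits":   "203.0.113.166,10.240.208.62",
        "client sent a forged left-most entry":  "203.0.113.66,198.51.100.9,10.240.208.62",
    }
    return {label: header_allowed(value, ALLOW_ONLY) for label, value in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
    # The comma the answer insists on: without it a short last octet over-matches.
    print("'203.0.113.16*' vs 203.0.113.160:", header_allowed("203.0.113.160,10.240.208.62", ["203.0.113.16*"]))
    print("'203.0.113.16,*' vs 203.0.113.160:", header_allowed("203.0.113.160,10.240.208.62", ["203.0.113.16,*"]))
```

The forged case is the one to keep in mind: a prefix pattern trusts whichever entry sits first, and that position belongs to the client unless the load balancer replaces the incoming header. Matching the address nearest the trusted proxies instead (remoteIpBlocks with numTrustedProxies set to the real number of proxies, or a suffix pattern anchored on the proxy's own entry) does not have that property.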

huangapple
  • Posted on 2023-05-13 11:34:33
  • Please keep this link when reposting: https://go.coder-hub.com/76240952.html