ingressgateway访问授权

当 externalTrafficPolicy 设置为 Local 时，Istio 会保留外部客户端的原始源 IP 地址,在 Ingress Gateway 层面进行 IP 访问控制时，你可以基于客户端的源 IP 地址来定义访问规则。

kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"externalTrafficPolicy":"Local"}}'

允许ipBlocks指定的IP地访段访问ingress网关，不在列表则被拒绝

kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:  
    - source:
        ipBlocks: ['1.1.1.1',"2.2.2.0/24"]  
    to:
    - operation:
        hosts: ['www.yht.com']  
EOF

配置指定的IP地址访问ingress网关

kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ['3.3.3.3"]  
    to:
    - operation:
        hosts: ['www.yht.com']    
EOF