My configuration: GKE cluster v1.15.7-gke.23, Istio 1.4.3

Istio created the istio-ingressgateway service as a LoadBalancer with a default firewall rule:

  • Type: Ingress
  • Targets: VMs on the GKE cluster
  • Filters: 0.0.0.0/0
  • Protocols/ports: tcp:15020, tcp:80, tcp:443, tcp:15029, tcp:15030, tcp:15031, tcp:15032, tcp:15443

My goal is to update the Filters on the rule to allow access to the endpoint only from allow-listed IP addresses.

Can this be done through Istio?

1 Answer

AFAIK it is not possible to affect the istio-ingressgateway LoadBalancer's default GCP firewall rules from Istio configuration alone.

However, this kind of filtering can be achieved with Istio policies, so that the requests will reach the istio-ingressgateway but will then be denied by the policies if the IP address is not whitelisted.

According to the Istio documentation:

Istio supports whitelists and blacklists based on IP address. You can configure Istio to accept or reject requests from a specific IP address or a subnet.

  1. Verify you can access the Bookinfo productpage found at http://$GATEWAY_URL/productpage. You won’t be able to access it once you apply the rules below.

  2. Apply configuration for the list adapter that white-lists subnet "10.57.0.0/16" at the ingress gateway:

$ kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.4/samples/bookinfo/policy/mixer-rule-deny-ip.yaml

Content of mixer-rule-deny-ip.yaml:

apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelistip
spec:
  compiledAdapter: listchecker
  params:
    # providerUrl: ordinarily black and white lists are maintained
    # externally and fetched asynchronously using the providerUrl.
    overrides: ["10.57.0.0/16"]  # overrides provide a static list
    blacklist: false
    entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceip
spec:
  compiledTemplate: listentry
  params:
    value: source.ip | ip("0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: whitelistip
    instances: [ sourceip ]
---
  3. Try to access the Bookinfo productpage at http://$GATEWAY_URL/productpage and verify that you get an error similar to: PERMISSION_DENIED:staticversion.istio-system:<your mesh source ip> is not whitelisted

The example in the documentation has a "Before you begin" part, so make sure to meet the requirements for enabling policy enforcement.

Edit:

To clarify,

Istio and the GCP firewall rules are working at different levels. Istio is only enabled within its mesh, that is, wherever you have the sidecars injected.

In order to make the istio-ingressgateway work, GCE provides a Network Load Balancer that has some preconfigured rules, completely independent from the Istio mesh.

So basically: the GCE firewall rules will only affect the Network Load Balancer attached to the cluster (to allow traffic into the Istio mesh), and the filtering rules in Istio will only work on the pods/services/endpoints that are within the mesh.
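To make the listchecker decision in the answer above concrete, here is an added simulation (not Istio or Mixer code, not part of the original answer) of how the handler, instance and rule from mixer-rule-deny-ip.yaml combine: the `source.ip | ip("0.0.0.0")` fallback, the `blacklist` flag inverting the meaning of `overrides`, and the rule's `match` gating whether a check happens at all. The handler parameters are copied from the YAML; the request inputs are constructed test values.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Handler params copied from the whitelistip handler in mixer-rule-deny-ip.yaml
WHITELIST_HANDLER: Dict = {
    "overrides": ["10.57.0.0/16"],
    "blacklist": False,
    "entryType": "IP_ADDRESSES",
}


def listentry_value(source_ip: Optional[str]) -> str:
    """Mirror the instance `value: source.ip | ip("0.0.0.0")`.

    When the source.ip attribute is absent, Mixer evaluates the default on the
    right of `|`, so the check runs against 0.0.0.0 rather than being skipped.
    """
    return source_ip if source_ip else "0.0.0.0"


def listchecker_check(params: Dict, entry: str) -> Tuple[bool, str]:
    """Decide (allowed, reason) the way the listchecker adapter does for one entry.

    blacklist: false -> overrides is a whitelist; the entry must match a CIDR.
    blacklist: true  -> a match on overrides denies instead of allowing.
    """
    if params.get("entryType") != "IP_ADDRESSES":
        raise ValueError("this simulation only models entryType: IP_ADDRESSES")
    addr = ipaddress.ip_address(entry)
    matched = any(addr in ipaddress.ip_network(cidr, strict=False)
                  for cidr in params["overrides"])
    blacklist = bool(params.get("blacklist", False))
    if matched != blacklist:
        return True, "OK"
    kind = "blacklisted" if blacklist else "not whitelisted"
    return False, f"PERMISSION_DENIED:{entry} is {kind}"


def check_request(params: Dict, source_ip: Optional[str],
                  source_labels: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the rule: `match: source.labels["istio"] == "ingressgateway"`.

    Requests that do not satisfy the match expression are never sent to the
    handler, so the rule cannot deny them; only gateway-matched traffic is checked.
    """
    if source_labels.get("istio") != "ingressgateway":
        return True, "rule not matched, no check performed"
    return listchecker_check(params, listentry_value(source_ip))
```

The decision is only as good as the `source.ip` attribute: if the LoadBalancer Service SNATs client traffic (Kubernetes `externalTrafficPolicy: Cluster`), `source.ip` will be a node address rather than the real client, and a whitelist of client ranges will deny everything.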