How to filter traffic by Client IP with istio on GKE


I'm trying to set up traffic management in my k8s cluster with Istio.

My goal looks like this:

I have 2 versions of my application running, V1 and V2. I want all traffic that comes to the domain (the istio-ingress LoadBalancer IP) to go to V1, and traffic that comes from selected IP addresses (a whitelist) to be directed to V2 for testing purposes. I was trying to achieve it like this and in many other ways, but didn't succeed. I hope for your help and directions on where to look.

I've tried an EnvoyFilter with a Gateway and a VirtualService, but it seems the Lua is incorrect and I can't figure out why. Also, I can't find anywhere whether istio-ingress sees my REAL client IP or not. I expected it to add a header based on my IP and, with that header, redirect me to the correct version of the service by matching rules.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-by-ip
  namespace: sn-backend
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
            inlineCode: |
              function envoy_on_request(request_handle)
                print("Processing request")
                local client_ip = request_handle:headers():get("x-forwarded-for")
                request_handle:logInfo("Client IP: " .. client_ip)
                if client_ip == "<REDACTED_IP>" then
                  request_handle:logInfo("Adding header for IP: " .. client_ip)
                  request_handle:headers():add("x-destination-version", "v2")
                end
              end

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-router
  namespace: sn-backend
spec:
  hosts:
    - "domain.example.com"
  gateways:
    - httpbin-gateway
  http:
    - match:
        - headers:
            x-destination-version:
              exact: "v2"
      route:
        - destination:
            host: httpbin1.sn-backend.svc.cluster.local
            port:
              number: 8000
    - route:
        - destination:
            host: httpbin.sn-backend.svc.cluster.local
            port:
              number: 8000

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: sn-backend
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "domain.example.com"

There are 0 answers
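
A hardened variant of the header-tagging approach in the question, as an added example (not the asker's code and not an answer from the original page): it strips any client-supplied `x-destination-version`, tolerates a missing or multi-valued `X-Forwarded-For`, and trusts only the entry the gateway appended itself. Assumed here: the ingress gateway pods run in `istio-system`, `203.0.113.10` is a constructed allowlist entry, and `ALLOWED` and `HOPS_FROM_RIGHT` are names introduced for this example.

```yaml
# Added example, not the asker's manifest. Assumptions are marked.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-by-ip
  namespace: istio-system   # assumption: the namespace the gateway pods run in
spec:
  workloadSelector:         # matches workloads in this EnvoyFilter's namespace
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"   # run before the router picks a route
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
            inlineCode: |
              -- Constructed allowlist (TEST-NET-3 address); put tester IPs here.
              local ALLOWED = { ["203.0.113.10"] = true }
              -- 1 = rightmost X-Forwarded-For entry, the peer address the gateway
              -- appended. Increase only for proxies you operate that append to it.
              local HOPS_FROM_RIGHT = 1

              function envoy_on_request(request_handle)
                local headers = request_handle:headers()
                -- Drop any routing header the client sent; only this filter may set it.
                headers:remove("x-destination-version")
                local xff = headers:get("x-forwarded-for")
                if xff == nil then return end  -- nil would break the ".." concatenation
                local hops = {}
                for ip in xff:gmatch("[^,%s]+") do hops[#hops + 1] = ip end
                local client_ip = hops[#hops - HOPS_FROM_RIGHT + 1]
                if client_ip and ALLOWED[client_ip] then
                  request_handle:logInfo("Routing " .. client_ip .. " to v2")
                  headers:add("x-destination-version", "v2")
                end
              end
```

The rightmost entry is the real client only if the LoadBalancer Service preserves source IPs (`externalTrafficPolicy: Local`); otherwise it is a node address. Entries further left are supplied by the client and must not be used for the allowlist decision.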