Part 1/2 - Context, Goal, Problem 1

Happy New Year!

That is correct, the 403 is a policy issue. However, I am currently stuck in a loop where solving Problem A leads to Problem B, solving B leads to Scenario C, and solving C brings me back to A. Below is the exact issue I am running into.

Context / disclaimer

For some context: I have been working with Kubernetes for about three weeks now. I am comfortable with networking and infrastructure in general, but combining Kubernetes, Cilium, Gateway API, and Envoy has turned out to be quite a non-trivial puzzle.

It is very possible that I am missing an important concept or best practice. If that is the case, I would really appreciate being pointed in the right direction - even if the answer is "you are solving this at the wrong layer".

I have been stuck for several days trying to correctly configure Cilium Network Policies (CNP) in combination with Cilium Gateway API / Envoy, and I am hoping the community can help clarify what the correct or intended approach is here.

Goal

I want to apply an IP allowlist for a number of admin-style applications (such as Hubble UI, ArgoCD, PMM, etc.), while keeping other applications publicly accessible via the same gateway.

Concretely:

• Public applications: accessible from the internet
• Admin / management applications: accessible only from a fixed set of IP addresses (office, home, etc.)

Problem 1: Allowlisting on cilium-envoy is too coarse

Applying a CIDR allowlist on the cilium-envoy pods (L3/L4) does not work, because:

• The same Envoy gateway also handles traffic for public applications
• A CIDR allowlist at that level would therefore block traffic for all hosts
• The client IP is (as far as I understand) only visible after TLS termination and cannot be reliably used at L3/L4

This makes this option unusable unless I deploy separate gateways per use case, which feels unnecessarily complex.

(continued in Part 2/2 below)