k8s本身获取用户真实IP就有写问题，可以参考这个
https://kubernetes.io/docs/tutorials/services/source-ip/
另一种办法：
在istio-gateway-ingress前面代理用上traefik-ingrss，traefik需要hostPort的方式启动，具体部署方式可以参照https://www.jianshu.com/p/2b50f150ecde

Gateway 参照：

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: lps-web
  namespace: th #这个是应用所在的namespace
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - lps-web.th.xxx.cn
    port:
      name: http
      number: 80
      protocol: HTTP

ingress参照：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
    ingress.kubernetes.io/custom-request-headers: 'Host: lps-web.th.xxx.cn' #配置成istiogateway 上面配置的hosts
  name: lps-web.th.xxx.cn
  namespace: istio-system #需要在istio-system 空间才能访问到istiogateway  services
spec:
  rules:
  - host: lps-web.th.xxx.cn #配置成istiogateway 上面配置的hosts
    http:
      paths:
      - backend:
          serviceName: istio-ingressgateway 这里是istio 的gateway services，
          servicePort: 80
        path: /

注意： 几个Host的一定要和istio geteway-ingess上面的一致

创建EnvoyFilter

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingressgateway-user-ip
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
    - listenerMatch:
        portNumber: 80
        listenerType: ANY
      filterName: envoy.lua
      filterType: HTTP
      filterConfig:
        inlineCode: |
          function envoy_on_request(request_handle)
            local xff_header = request_handle:headers():get("X-Forwarded-For");
            local client_ip
            for ip in  string.gmatch (xff_header, "(%d+.%d+.%d+.%d+)") do
                client_ip = ip
                break #这里只获取第一个IP
            end
            request_handle:headers():add("x-real-ip", client_ip);
          end