security policies for tcp gateways not working #4908

Open
davem-git opened this issue Dec 12, 2024 · 1 comment
@davem-git

Description:
Security Policies can be applied on gateways, but they don't work on gateways with TCP listeners.

Relevant links:
GH discussion on it from this discussion

Internally an HTTP RBAC filter is used; to enable this we'll need to use https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/rbac_filter# when the listener is a TCP listener (tcp_proxy).

Example log from a TCP gateway; you can see the source IP listed as `"downstream_remote_address":"<redacted_public_address:51822"`:

```json
{"start_time":"2024-12-11T23:59:57.831Z","method":"-","x-envoy-origin-path":"-","protocol":"-","response_code":"0","response_flags":"-","response_code_details":"-","connection_termination_details":"-","upstream_transport_failure_reason":"-","bytes_received":"781","bytes_sent":"2235","duration":"353","x-envoy-upstream-service-time":"-","x-forwarded-for":"-","user-agent":"-","x-request-id":"-",":authority":"-","upstream_host":"10.101.67.104:5432","upstream_cluster":"tcproute/default/pgo-tools-dre/rule/-1","upstream_local_address":"10.101.68.80:36306","downstream_local_address":"10.101.68.80:32000","downstream_remote_address":"<redacted_public_address:51822","requested_server_name":"-","route_name":"-"}
```

Example of the security policy:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: pgo-authorization-client-ip
  namespace: envoy-gateway-system
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: pgo-gateway-2
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - <public_address>
```

Currently using v1.2.3.
zhaohuabing (Member) commented Dec 18, 2024

@davem-git Currently the SecurityPolicy only applies to HTTPRoute/GRPCRoute as all the other Security features except client IP based authz make no sense to TCPRoute.

As a workaround, you should be able to add an RBAC filter to the filter chain through EnvoyPatchPolicy.

Do we want to extend the SecurityPolicy to TCPRoute? @envoyproxy/gateway-maintainers ?
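A sketch of the EnvoyPatchPolicy workaround mentioned above, added here as an example (it is not from the issue or from the Envoy Gateway project): it inserts Envoy's network RBAC filter ahead of tcp_proxy with the same Deny-by-default / Allow-one-CIDR intent as the SecurityPolicy in the report. The listener name, the filter-chain index, and the 203.0.113.0/24 CIDR are assumed placeholders.

```yaml
# Added example, not from the issue or the Envoy Gateway project.
# Assumptions (placeholders): the Envoy listener is named
# "envoy-gateway-system/pgo-gateway-2/tcp", the filter chain holding
# tcp_proxy is filter_chains[0], and 203.0.113.0/24 stands in for the
# redacted client address from the report.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
  name: pgo-tcp-client-ip-authz
  namespace: envoy-gateway-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: pgo-gateway-2
  type: JSONPatch
  jsonPatches:
    - type: "type.googleapis.com/envoy.config.listener.v3.Listener"
      name: envoy-gateway-system/pgo-gateway-2/tcp   # assumed listener name
      operation:
        op: add
        # Index 0 so the RBAC filter runs before tcp_proxy; a network
        # filter placed after tcp_proxy would never see the connection.
        path: "/filter_chains/0/filters/0"
        value:
          name: envoy.filters.network.rbac
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
            stat_prefix: tcp_client_ip_authz
            # Mirrors the SecurityPolicy: defaultAction Deny plus one Allow
            # rule on the client CIDR. With action ALLOW, any connection
            # that matches no policy is closed.
            rules:
              action: ALLOW
              policies:
                allow-client-cidr:
                  permissions:
                    - any: true
                  principals:
                    # direct_remote_ip is the TCP peer address (the
                    # downstream_remote_address in the access log above),
                    # not an address overridden via headers or PROXY protocol.
                    - direct_remote_ip:
                        address_prefix: 203.0.113.0
                        prefix_len: 24
```

EnvoyPatchPolicy must be enabled first (`extensionApis.enableEnvoyPatchPolicy: true` in the EnvoyGateway config), and the patched listener should be checked in the rendered xDS before relying on it, since a wrong path leaves the listener unguarded. If a load balancer in front of the gateway does not preserve the client source address, the filter will only ever see the balancer's address.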
