Closed conqerAtapple closed 2 years ago
@conqerAtapple can you describe a bit more what type of RBAC rules you are after? This has come up several times and I would like to make sure we are collecting all similar use cases.
@conqerAtapple can you describe a bit more what type of RBAC rules you are after? This has come up several times and I would like to make sure we are collecting all similar use cases.
The general use case here is to :
Not sure if the above covers everything but I think i got the general idea captured.
thanks @mattklein123
Couldn't pretty much all of the above be done today using existing filters like RBAC, IP tagging, etc.?
The only part I'm unclear about is DNS restrictions. Do you mean you actually want to put restrictions on the returned resolutions from the DNS resolver?
Couldn't pretty much all of the above be done today using existing filters like RBAC, IP tagging, etc.? I thought RBAC filter is designed for ingress. Are there examples for RBAC filter being used for egress? Does IP tagging work for TCP proxying?
The only part I'm unclear about is DNS restrictions. Do you mean you actually want to put restrictions on the returned resolutions from the DNS resolver? Oh i meant wildcard matching for egress. There might be a way to express "I only want to allow connections to upstream hosts that matches name good" but couldnt find an example.
Adding an example configuration I tried:
virtual_hosts:
- name: local_service
domains: ["*cnn.*"]
routes:
- match:
prefix: "/"
route:
cluster: dynamic_forward_proxy_cluster
typed_per_filter_config:
envoy.filters.http.rbac:
"@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
rbac:
rules:
action: ALLOW
policies:
"per-route-rule":
permissions:
- any: true
principals:
- any: true
- name: local_service2
domains: ["www.google.com"]
routes:
- match:
prefix: "/"
route:
cluster: dynamic_forward_proxy_cluster2
typed_per_filter_config:
envoy.filters.http.rbac:
"@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
rbac:
rules:
action: DENY
policies:
"per-route-rule":
permissions:
- any: true
principals:
- any: true
Expected results: request for www.google.com
should have been denied access.
Observed result: Envoy successfully proxies requests for www.google.com
.
Is this because i am misconfiguring ? Or is it because of the design of rbac filter which is intended for ingress?
@mattklein123
update:
I was able to enforce the test policy by adding rbac http filter as:
- name: envoy.filters.http.rbac
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
rules:
action: DENY
policies:
"per-route-rule":
permissions:
- any: true
principals:
- any: true
Conclusion: Configuration for route specific rbac policy needs a http filter also to drive the policy.
Keeping this issue open to collect any related requirements @mattklein123
In general "egress" vs. "ingress" is an abstract concept that Envoy doesn't really care about (this is not entirely true as it leaks into a few places in the API, but not many). For all of this type of config it doesn't really matter if Envoy is being used as a forward proxy or a reverse proxy.
Can you clarify what other features you need now that you have this part sorted out?
In general "egress" vs. "ingress" is an abstract concept that Envoy doesn't really care about (this is not entirely true as it leaks into a few places in the API, but not many). For all of this type of config it doesn't really matter if Envoy is being used as a forward proxy or a reverse proxy.
I was a bit confused. Thanks a lot for the clarification.
Can you clarify what other features you need now that you have this part sorted out?
We are still collecting all the asks. Will update or close this issue based on that.
Appreciate your help @mattklein123 .
An interesting use case which does not seem to work for us is - rbac on destination IP addresses where IP was resolved by DNS.
For example:
For CONNECT request curl -v -x 192.168.192.3:80 www.example.com
, if we had rbac policy DENY for ip CIDR that matches www.example.com, the policy would not be enforced. This issue might not be just applicable to connect case, but any case where destination ip address is not known at rbac filter processing time.
Edit:
Maybe a way to achieve this is for invoking rbac when a connect event or DNS resolve event is completed.
Looking at the code, the rbac filter does not seem to know the upstream host information when executing policies. Would it make sense to pass cluster information to the policy engine?
@mattklein123
Proposal:
StreamInfo
to add/update the resolved upstream host addressesdynamic_forward_proxy/proxy_filter.cc
) use the above API to update the resolved addresses.upstream
which could consist of :
Please let me know.
ping @mattklein123
Yes I think this makes sense to me at a high level. cc @yangminzhu
Question: For the generic case (not dynamic proxy) where the DNS is resolved by the cluster, how do I get the ClusterManager
for a request in StreamInfo? This is so that we can filter the resolved IP addresses for a cluster for RBAC.
@mattklein123 @yangminzhu
So I could imagine doing this by having an RBAC filter after the DFP filter - right now DFP waits on DNS resolution before proceeding. That said I think we were planning on rewiring that, and even if we didn't it's not going to play with happy eyeballs support. cc @RyanTheOptimist to join the discussion.
@conqerAtapple can you talk a bit more about the use case blocking specific destination endpoints by IP rather than hostname?
Yeah I agree with @alyssawilk that I had assumed that RBAC would run after DFP, and could grab info from stream info on the upstream host target that has been selected.
For DFP based route, the above proposal which includes using the resoled logical DNS address for RBAC policy makes sense I think. For the generic case, where the DNS is resolved asynchronously, we might have to use upstream filters as you suggested.
The use case we are trying to solve is where the client(s) are connecting to upstreams which need to be filtered by some CIDR policy. An example is where clients could be connecting to a set of unknown / dynamic services on the internet . We might want to apply policies on these dynamic connection requests.
@alyssawilk
If I'm understanding correctly, it sounds like we would like to be able to block access to to upstream hosts which resolve to a particular ip or set of IP. What should happen if a host resolved to two IPs, one which is forbidden and one which is not? Is the idea that the request should use the non-blocked IP and succeed? Fail because of the blocked IP? Something else?
Good question. Maybe we should be able to specify policy where we can pick between all-ips(AND) vs one-of-ips (OR) which satisfy the condition ?
So I think this is not about the Egress proxy RBAC but instead to support the dynamically resolved upstream IP in the RBAC API.
One thing is you need to be careful when using the resolved upstream IP because they could change anytime and make your RBAC policy not working as expected, i.e. unexpected reject or policy bypass (security issue). I'm still not sure why won't you use the host name in the RBAC policy? the host seems a better alternative than the resolved IP addresses.
Good question. Maybe we should be able to specify policy where we can pick between all-ips(AND) vs one-of-ips (OR) which satisfy the condition ?
I think the problem is the load balancing does not have the information in the RBAC policy and could pick one of the IPs that will always be rejected by the RBAC filter.
So I think this is not about the Egress proxy RBAC but instead to support the dynamically resolved upstream IP in the RBAC API.
I guess thats is right. Although the problem manifests especially for egress case since we currently dont have a way to express upstream information in the policy.
One thing is you need to be careful when using the resolved upstream IP because they could change anytime and make your RBAC policy not working as expected, i.e. unexpected reject or policy bypass (security issue). I'm still not sure why won't you use the host name in the RBAC policy? the host seems a better alternative than the resolved IP addresses.
One reason being that we would like to be closer to the ground truth and not have a dependency on the DNS server.
Good question. Maybe we should be able to specify policy where we can pick between all-ips(AND) vs one-of-ips (OR) which satisfy the condition ?
I think the problem is the load balancing does not have the information in the RBAC policy and could pick one of the IPs that will always be rejected by the RBAC filter.
That is correct. In its current state, RBAC filter does not have any information on upstream hosts. Maybe this could be changed via referencing the LB priority set from RBAC filter? Or have RBAC filter observe DNS resolution ?
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
not stale. Working on implementation of a matcher extension https://github.com/envoyproxy/envoy/pull/17645
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
Title: Add support for egress proxy RBAC
Description: If envoy is used as egress proxy, it looks like currently there is not much support for RBAC. From https://github.com/envoyproxy/envoy/issues/10336, the only way to do this might be to use a config server or DNS records. If we need add further rich semantics (RBAC), the recommendation is to write a upstream connection filter or something along those lines. One way to achieve this might be to add a filter extension which extends from ListenerFilter and add RBAC like configuration for it. If so, are there any existing examples of this?
The deployment architecture could be stand alone envoy (not side car). So this might mean a tproxy like setup .
I am happy to add this feature but wanted to clarify the approach and high level design.
https://github.com/envoyproxy/envoy/issues/10336
@alyssawilk