Open surki opened 2 years ago
@yangminzhu @yanavlasov
I agree that (1) is the right approach, with sharing as much code as possible. It would be great to see this happen!
FYI, I just started looking into this; I will send a draft version for feedback soon.
We would love to see this feature so that we can limit the damage that a semi-trusted client/server can do via a dynamic forward proxy.
It looks like the PR that @surki raised was closed while waiting for changes around upstream filters to stabilise. Has this stabilised now @alyssawilk?
HTTP upstream filters have stabilized but not sure how much that relates to network filters or what you need beyond https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/upstream_filters
Thanks. I got the impression from the thread in https://github.com/envoyproxy/envoy/pull/21985 that progress on that stopped to let the http upstream filters stabilise, but perhaps not.
Thanks for the link. Is support for upstream filters out of the box something we are likely to see soon?
As always with Envoy, support is going to be determined by who needs what. Upstream filters largely work, and further functionality will be added as needed. Individual network and HTTP downstream filters will be ported to be upstream filters as needed by the community. There's no roadmap or timeline for this, sorry.
Title: We have a need for upstream RBAC or ext-authz filters
Description: We are using Envoy as a forward proxy (i.e., "dynamic forward proxy"). We would like to apply some network policy, specifically on the IPs it is connecting to. So we would need support for that in the upstream context.
There was some discussion here, so I went ahead and made the changes to see if the existing network RBAC filter would work in the context of upstream. The changes are here and it seems to work.
A few quick observations: