envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Didn't find a registered implementation for 'ip-matcher' with type URL: 'xds.type.matcher.v3.IPMatcher' #34210

Open zhaohuabing opened 2 weeks ago

zhaohuabing commented 2 weeks ago

I tried to use an IPMatcher customMatch within the RBAC filter for the IP allow/deny list, but got the following warning:

Didn't find a registered implementation for 'ip-matcher' with type URL: 'xds.type.matcher.v3.IPMatcher'
[2024-05-16 16:53:17.258][1][warning][config] [source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138] gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Didn't find a registered implementation for 'ip-matcher' with type URL: 'xds.type.matcher.v3.IPMatcher'

The RouteConfiguration used:

  virtualHosts:
  - domains:
    - www.example.com
    name: envoy-gateway/gateway-1/http/www_example_com
    routes:
    - match:
        pathSeparatedPrefix: /bar
      name: httproute/default/httproute-2/rule/0/match/0/www_example_com
      route:
        cluster: httproute/default/httproute-2/rule/0
        upgradeConfigs:
        - upgradeType: websocket
      typedPerFilterConfig:
        envoy.filters.http.rbac:
          '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
          rbac:
            matcher:
              matcherList:
                matchers:
                - onMatch:
                    action:
                      name: action
                      typedConfig:
                        '@type': type.googleapis.com/envoy.config.rbac.v3.Action
                        name: ALLOW
                  predicate:
                    singlePredicate:
                      customMatch:
                        name: ip-matcher
                        typedConfig:
                          '@type': type.googleapis.com/xds.type.matcher.v3.IPMatcher
                          rangeMatchers:
                          - onMatch:
                              action:
                                name: allow
                                typedConfig:
                                  '@type': type.googleapis.com/envoy.config.rbac.v3.Action
                                  name: ALLOW
                            ranges:
                            - addressPrefix: 10.0.1.0/24
                              prefixLen: 24
                            - addressPrefix: 10.0.2.0/24
                              prefixLen: 24
                      input:
                        name: source-ip
                        typedConfig:
                          '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput
              onNoMatch:
                action:
                  name: default
                  typedConfig:
                    '@type': type.googleapis.com/envoy.config.rbac.v3.Action
                    action: DENY
                    name: DENY

Do I need to turn on some options to enable the 'xds.type.matcher.v3.IPMatcher'?

Thanks.

zhaohuabing commented 2 weeks ago

I figured it out: IPMatcher can only be used within a matcherTree. Is there any way I can match an IP range within a matcherList?

ravenblackx commented 2 weeks ago

Maybe extensions.matching.input_matchers.ip.v3.Ip would be usable here?

@aguinet ? (Also question about whether we should be consolidating IPMatchers into a common proto.)

aguinet commented 1 week ago

I've just seen this now. I see this ticket has been closed: what's the conclusion?

ravenblackx commented 1 week ago

I guess the closing was because extensions.matching.input_matchers.ip.v3.Ip solved for the original problem.

My bonus question about whether xds IPMatcher and envoy matchers.ip.v3.Ip should be consolidated remains open but isn't bothering anyone right now.

zhaohuabing commented 1 week ago

@ravenblackx reopened this one to track it.
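
The per-route RBAC config from the first comment, rewritten around the extensions.matching.input_matchers.ip.v3.Ip input matcher suggested in the thread, as an added example that is not part of the original issue and was not posted by any participant. The statPrefix value and the action names are constructed, and the fragment has not been checked against a running Envoy.

```yaml
typedPerFilterConfig:
  envoy.filters.http.rbac:
    '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
    rbac:
      matcher:
        matcherList:
          matchers:
          - predicate:
              singlePredicate:
                # Data input: the downstream source IP, as in the original config.
                input:
                  name: source-ip
                  typedConfig:
                    '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput
                # Input matcher extension used in place of xds.type.matcher.v3.IPMatcher,
                # which the thread found is only usable within a matcherTree.
                customMatch:
                  name: envoy.matching.matchers.ip
                  typedConfig:
                    '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip
                    # Required by this matcher; constructed value.
                    statPrefix: rbac_source_ip
                    cidrRanges:
                    # CidrRange takes the bare address; the mask goes in prefixLen.
                    - addressPrefix: 10.0.1.0
                      prefixLen: 24
                    - addressPrefix: 10.0.2.0
                      prefixLen: 24
            onMatch:
              action:
                name: allow
                typedConfig:
                  '@type': type.googleapis.com/envoy.config.rbac.v3.Action
                  name: allow
                  action: ALLOW
        # Fail closed: any source outside the listed ranges is denied.
        onNoMatch:
          action:
            name: deny
            typedConfig:
              '@type': type.googleapis.com/envoy.config.rbac.v3.Action
              name: deny
              action: DENY
```

SourceIPInput reports the address of the connection as Envoy sees it, so behind another proxy or load balancer the allow list is evaluated against that hop's address unless the original client address is restored upstream of this filter.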