envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Why doesn't updating RBAC with hot reload take effect on existing connections #34787

Closed YvesZHI closed 1 month ago

YvesZHI commented 2 months ago

I'm trying to use RBAC to build an IP whitelist for TCP. My Envoy is configured with dynamic filesystem: https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/configuration-dynamic-filesystem

lds.yaml file:

resources:
- "@type": type.googleapis.com/envoy.config.listener.v3.Listener
  name: listener_openfire_tcp
  address:
    socket_address: {protocol: TCP, address: 0.0.0.0, port_value: 21000}
  filter_chains:
  - filters:
    - name: envoy.filters.network.rbac
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
        stat_prefix: ingress_tcp
        rules:
          action: ALLOW
          policies:
            "ip-whitelist":
              permissions:
              - any: true
              principals: [{direct_remote_ip: { address_prefix: 192.168.0.23, prefix_len: 32}}]
    - name: envoy.filters.network.tcp
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
        stat_prefix: ingress_tcp
        cluster: cluster_tcp

cds.yaml file:

resources:
- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
  name: cluster_tcp
  type: STATIC
  connect_timeout: 2s
  load_assignment:
    cluster_name: cluster_tcp
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: {address: 192.168.0.181, port_value: 21000}

As you can see, only 192.168.0.23 can get access to the TCP proxy. It works as expected. The client 192.168.0.23 can communicate with 192.168.0.181.

Then I create another lds.yaml whose direct_remote_ip under the RBAC config is 192.168.0.24, and I run the command mv ./lds.yaml ~/enovy/lds.yaml to replace the current lds.yaml with the new one. Now the hot reload of Envoy should be triggered.

However, I find that a connection which existed before the hot reload of Envoy is still alive.

So why doesn't updating RBAC with hot reload take effect on existing connections?
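A quick offline check of which peer addresses each version of the RBAC rules above admits, as an added example written for this thread (not Envoy's own code). It handles only the principal and permission kinds that appear in the issue's config, treats direct_remote_ip as the TCP peer address the network filter compares against, and reports which clients flip verdict between the old and new lds.yaml, which is exactly the set for which the question about already-established connections matters.

```python
import ipaddress

def allow_only(address_prefix: str, prefix_len: int = 32) -> dict:
    """Build the 'rules' subtree used in the issue's lds.yaml: ALLOW with one policy."""
    return {"action": "ALLOW", "policies": {"ip-whitelist": {
        "permissions": [{"any": True}],
        "principals": [{"direct_remote_ip": {"address_prefix": address_prefix, "prefix_len": prefix_len}}],
    }}}

# Constructed inline from the issue's two lds.yaml versions so the check runs offline.
RULES_BEFORE = allow_only("192.168.0.23")  # the lds.yaml shown in the issue
RULES_AFTER = allow_only("192.168.0.24")   # the replacement moved into place by the reporter

def principal_matches(principal: dict, client_ip: str) -> bool:
    """Principal kinds used on this page: 'any' and 'direct_remote_ip' (the TCP peer address)."""
    if principal.get("any"):
        return True
    cidr = principal.get("direct_remote_ip")
    if cidr is None:
        raise ValueError(f"principal kind not handled by this checker: {principal}")
    # prefix_len is taken as written; the issue's config always sets it explicitly.
    net = ipaddress.ip_network(f"{cidr['address_prefix']}/{cidr['prefix_len']}", strict=False)
    return ipaddress.ip_address(client_ip) in net

def policy_matches(policy: dict, client_ip: str) -> bool:
    """A policy matches when at least one permission AND at least one principal match."""
    if not any(p.get("any") for p in policy["permissions"]):
        raise ValueError("only 'any: true' permissions are handled by this checker")
    return any(principal_matches(p, client_ip) for p in policy["principals"])

def connection_allowed(rules: dict, client_ip: str) -> bool:
    """Verdict for a new connection: ALLOW admits only matched clients, DENY refuses only matched ones."""
    matched = any(policy_matches(pol, client_ip) for pol in rules.get("policies", {}).values())
    action = rules.get("action", "ALLOW")
    if action not in ("ALLOW", "DENY"):
        raise ValueError(f"action not handled by this checker: {action}")
    return matched if action == "ALLOW" else not matched

def changed_verdicts(before: dict, after: dict, client_ips) -> dict:
    """Clients whose verdict flips between two rule sets: the ones an operator has to
    account for separately if connections admitted under 'before' are still open."""
    out = {}
    for ip in client_ips:
        old, new = connection_allowed(before, ip), connection_allowed(after, ip)
        if old != new:
            out[ip] = (old, new)
    return out
```

Run it against the real file by loading the `rules:` subtree of the RBAC filter from lds.yaml and passing it as `rules`.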

tyxia commented 2 months ago

cced code owner @yangminzhu @yanavlasov

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] commented 1 month ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.