envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

Gateway does not obey SecurityPolicy and authorization with clientCIDRs #4265

Closed zs-ko closed 2 weeks ago

zs-ko commented 1 month ago

Description:

What issue is being seen? Describe what should be happening instead of

When applying a security policy against a gateway with authorization and a rule with principal clientCIDRs, the gateway still accepts connections that are not permitted.

Expected rule to apply to gateway and block traffic as defaultAction is Deny. Status of the security policy is accepted but the config is not changed to reflect this.

Repro steps:

Include sample requests, environment, etc. All data and inputs

1. create gateway
2. apply security policy
3. try to open a tls connection against gateway

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gwtest
spec:
  gatewayClassName: eg
  listeners:
  - name: tls
    protocol: TLS
    port: 443
    hostname: somehost.domain.com
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ''
        name: tls-cert
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: authorization-test
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: gwtest
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - 8.8.8.8/32

Note: If there are privacy concerns, sanitize the data prior to sharing.

After looking at the code it seems to me that only HTTPRoute is supported for authorization and clientCIDRs.

Environment:

Include the environment like gateway version, envoy version and so on.

using envoyproxy/gateway:v1.1.1 and envoyproxy/envoy:distroless-v1.31.0

Logs:

Include the access logs and the Envoy logs.

2024-09-17T09:20:35.025Z    INFO    provider    kubernetes/status_updater.go:140    received a status update    {"runner": "provider", "namespace": "test", "name": "authorization-test"}
2024-09-17T09:20:35.040Z    INFO    provider    kubernetes/status_updater.go:140    received a status update    {"runner": "provider", "namespace": "test", "name": "testgateway"}
2024-09-17T09:20:35.041Z    INFO    provider.testgateway.test   kubernetes/status_updater.go:104    status unchanged, bypassing update  {"runner": "provider"}

arkodg commented 1 month ago

ah thanks for also debugging this one @zs-ko . This feature is based on the data from the X-Forwarded-For header which is not available for TLSRoute. This is not an error but can be highlighted in status similar to the Overwritten reason
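The point above, that a clientCIDRs rule can only be evaluated where an HTTP-level X-Forwarded-For header exists, is easy to miss because the policy status still reports Accepted. The following Go program is an added illustration written for this thread; it is not Envoy Gateway's or Envoy's implementation and makes no claim about how either derives the trusted address. It models the policy from the report (defaultAction Deny, one Allow rule for 8.8.8.8/32) as an ordered rule set, evaluates it against an X-Forwarded-For value, and reports explicitly when there was nothing to evaluate, which is the case for a TLS-terminating listener with no HTTP request. Taking the rightmost X-Forwarded-For entry as the client address is an assumption of this model, not Envoy's trusted-hop logic.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Action mirrors the SecurityPolicy authorization actions used in the report.
type Action string

const (
	Allow Action = "Allow"
	Deny  Action = "Deny"
)

// Rule models one entry of spec.authorization.rules with a clientCIDRs principal.
type Rule struct {
	Action      Action
	ClientCIDRs []netip.Prefix
}

// Authorization models spec.authorization: an ordered rule list plus a default.
type Authorization struct {
	DefaultAction Action
	Rules         []Rule
}

// NewRule parses CIDR strings up front so a typo fails at load time, not at request time.
func NewRule(action Action, cidrs ...string) (Rule, error) {
	r := Rule{Action: action}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return Rule{}, fmt.Errorf("clientCIDRs entry %q: %w", c, err)
		}
		r.ClientCIDRs = append(r.ClientCIDRs, p)
	}
	return r, nil
}

// clientAddrFromXFF extracts the client address from an X-Forwarded-For value.
// Assumption of this model: the rightmost entry (the one appended by the nearest proxy)
// is the address to authorize. An empty or unparsable header yields ok == false.
func clientAddrFromXFF(xff string) (netip.Addr, bool) {
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		s := strings.TrimSpace(parts[i])
		if s == "" {
			continue
		}
		a, err := netip.ParseAddr(s)
		if err != nil {
			return netip.Addr{}, false
		}
		return a.Unmap(), true
	}
	return netip.Addr{}, false
}

// Decide evaluates the policy against an X-Forwarded-For header.
// The second result is false when no client address could be derived, i.e. the
// rules were never consulted; a caller that ignores it reproduces the silent
// "accepted but not enforced" situation described in the report.
func (a Authorization) Decide(xff string) (Action, bool) {
	addr, ok := clientAddrFromXFF(xff)
	if !ok {
		return "", false
	}
	for _, r := range a.Rules { // first matching rule wins
		for _, p := range r.ClientCIDRs {
			if p.Contains(addr) {
				return r.Action, true
			}
		}
	}
	return a.DefaultAction, true
}

func main() {
	allowGoogle, err := NewRule(Allow, "8.8.8.8/32") // constructed from the report's policy
	if err != nil {
		panic(err)
	}
	pol := Authorization{DefaultAction: Deny, Rules: []Rule{allowGoogle}}

	for _, xff := range []string{"8.8.8.8", "203.0.113.5", "203.0.113.5, 8.8.8.8", ""} {
		action, evaluated := pol.Decide(xff)
		if !evaluated {
			fmt.Printf("XFF=%q: no client address, policy NOT evaluated\n", xff)
			continue
		}
		fmt.Printf("XFF=%q: %s\n", xff, action)
	}
}
```

The empty-header case is the one that matters for a TLS listener: the policy object is valid, so status says Accepted, but nothing at request time carries an address for the rule to match. Surfacing that as a distinct "not evaluated" outcome, rather than folding it into Allow, is what a status condition for this situation would give operators.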

zs-ko commented 1 month ago

@arkodg ah ok. are there any plans to support cidr filtering on routes or gateways for tcp/tls streams?

arkodg commented 1 month ago

@zs-ko can you create a separate GH issue for the feature ?

github-actions[bot] commented 3 weeks ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days.