search

envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0
1.57k stars 341 forks source link

GeoIP support for envoy gateway #4412

Open zetaab opened 1 week ago

zetaab commented 1 week ago

Description: we would like to use GeoIP support with envoy gateway. It seems that envoyproxy itself supports that already https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/geoip_filter

What could be the correct place for this configuration? I am thinking could it fit under securitypolicy? basically this is similar stuff that "authorization" has, but no idea should it be under authorization or just under securitypolicy spec

arkodg commented 1 week ago

cc @nezdolik

zetaab commented 1 week ago

geoip databases are pretty large, so I think the envoy gateway should download the database from normal http url and then somehow upload that to envoyproxy? Wasm uses http, but envoyproxy handles the download https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/wasm_types.go#L74

perhaps that geoip plugin in envoyproxy could handle the download from http_uri, but it needs envoyproxy changes.

nezdolik commented 1 week ago

Currently Envoyproxy expects the databases to be present at configured location on startup, so Envoy Gateway (infra module?) could download the databases prior to spinning up Envoyproxies.

What could be the correct place for this configuration? I am thinking could it fit under securitypolicy?

Logically it does not belong to SecurityPolicy (API allowing system administrators to configure authentication and authorization policies to the traffic entering the gateway).

@zetaab feel free to raise feature request to envoyproxy repo.

zetaab commented 1 week ago

imo, it does belong to securitypolicy api. If we have like 2 apis: https://foobar.com and https://huuh.com. We want that https://huh.com allows all traffic from everywhere and we want limit https://foobar.com only for instance to allow Sweden. What could be the better place for that? In securitypolicy api we can already configure do we allow or deny ip addresses, this is kind of similar stuff but with countries in it?

nezdolik commented 1 week ago

@zetaab from that perspective yes, if you bundle geolocation feature with rbac. But geolocation filter on its own just appends geolocation information to the request.

zetaab commented 1 week ago

@nezdolik right. So basically geoip filter should be before rbac (securitypolicy authorization) and then in authorization we should have possibility deny/allow by header for instance. If authorization is not used, then geoip headers are just applied to the request and forwarded.