envoyproxy/gateway

Security Policies for TLS Gateways

Open

#6704 aperta il 5 ago 2025

Vedi su GitHub
 (4 commenti) (2 reazioni) (1 assegnatario)Go (802 fork)auto 404
area/policyhelp wanted

Metriche repository

Star
 (2871 star)
Metriche merge PR
 (Metriche PR in attesa)

Descrizione

Description:

SecurityPolicies don't currently support TLSRoute's. I'd like to propose allowing SecurityPolicies for TLSRoutes. Specifically client IP based auth from Security Policies.

Related:

Example Policy:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: restrict-client-ips-tlsroute-example
  namespace: envoy-gateway-system
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: TLSRoute
      name: tlsroute-example
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - <public_address>

Known Issues:

A known bug with the RBAC network filter https://github.com/envoyproxy/envoy/issues/9023 allows connections to the upstream to be initiated even if the rbac policy evaluates to DENY. This can be mitigated by instead using filter_chain_match with the source_prefix_range filter. However, doing that I believe might not allow the user to have a SecurityPolicy defaultAction other than Deny.

Workarounds:

I can and have tested this with EnvoyPatchPolicy, however, I would love official support in SecurityPolicy or another similar CR if possible.

I am willing to work on adding this if the team is interested in this.

Guida contributor