Metriche repository
- Star
- (2871 star)
- Metriche merge PR
- (Metriche PR in attesa)
Descrizione
Description:
SecurityPolicies don't currently support TLSRoute's. I'd like to propose allowing SecurityPolicies for TLSRoutes. Specifically client IP based auth from Security Policies.
Related:
Example Policy:
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
name: restrict-client-ips-tlsroute-example
namespace: envoy-gateway-system
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: TLSRoute
name: tlsroute-example
authorization:
defaultAction: Deny
rules:
- action: Allow
principal:
clientCIDRs:
- <public_address>
Known Issues:
A known bug with the RBAC network filter https://github.com/envoyproxy/envoy/issues/9023 allows connections to the upstream to be initiated even if the rbac policy evaluates to DENY. This can be mitigated by instead using filter_chain_match with the source_prefix_range filter. However, doing that I believe might not allow the user to have a SecurityPolicy defaultAction other than Deny.
Workarounds:
I can and have tested this with EnvoyPatchPolicy, however, I would love official support in SecurityPolicy or another similar CR if possible.
I am willing to work on adding this if the team is interested in this.