Gateway do not obey SecurityPolicy and authorization with clientCIDRS #4265

Open
zs-ko opened this issue Sep 17, 2024 · 3 comments
zs-ko commented Sep 17, 2024

Description:

What issue is being seen? Describe what should be happening instead of

When applying a security policy against a gateway with authorization and a rule with principal clientCIDRs, the gateway still accepts connections that are not permitted.

Expected rule to apply to gateway and block traffic as defaultAction is Deny. Status of the security policy is accepted but the config is not changed to reflect this.

Repro steps:

Include sample requests, environment, etc. All data and inputs

create gateway
apply security policy
try to open a tls connection against gateway

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gwtest
spec:
  gatewayClassName: eg
  listeners:
  - name: tls
    protocol: TLS
    port: 443
    hostname: somehost.domain.com
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ''
        name: tls-cert
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: authorization-test
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: gwtest
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - 8.8.8.8/32

Note: If there are privacy concerns, sanitize the data prior to
sharing.

After looking at the code it seems to me that only HTTPRoute is supported for authorization and clientCIDRs.

Environment:

Include the environment like gateway version, envoy version and so on.

Using envoyproxy/gateway:v1.1.1 and envoyproxy/envoy:distroless-v1.31.0.

Logs:

Include the access logs and the Envoy logs.

2024-09-17T09:20:35.025Z	INFO	provider	kubernetes/status_updater.go:140	received a status update	{"runner": "provider", "namespace": "test", "name": "authorization-test"}
2024-09-17T09:20:35.040Z	INFO	provider	kubernetes/status_updater.go:140	received a status update	{"runner": "provider", "namespace": "test", "name": "testgateway"}
2024-09-17T09:20:35.041Z	INFO	provider.testgateway.test	kubernetes/status_updater.go:104	status unchanged, bypassing update	{"runner": "provider"}
@zs-ko zs-ko added the triage label Sep 17, 2024
Contributor

arkodg commented Sep 17, 2024

Ah, thanks for also debugging this one @zs-ko. This feature is based on the data from the X-Forwarded-For header, which is not available for TLSRoute. This is not an error but can be highlighted in status, similar to the Overwritten reason.

@arkodg arkodg added help wanted Extra attention is needed and removed triage labels Sep 17, 2024
@arkodg arkodg added this to the v1.2.0-rc1 milestone Sep 17, 2024
@arkodg arkodg added triage and removed help wanted Extra attention is needed labels Sep 17, 2024
@arkodg arkodg removed this from the v1.2.0-rc1 milestone Sep 17, 2024
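The mismatch discussed above (a clientCIDRs rule targeting a Gateway whose only listener is TLS, where no X-Forwarded-For header exists) can be caught before deployment with a small static check. The following is an added example, not Envoy Gateway code; it takes the Gateway and SecurityPolicy as plain dicts (what a YAML loader would return) and assumes, per the maintainer's comment, that only HTTP and HTTPS listeners carry the header the clientCIDRs principal is derived from. The sample manifests are constructed to mirror the ones in the issue; `check_cidr_policy` and `Finding` are names chosen for this example.

```python
"""Static check: does a SecurityPolicy clientCIDRs rule actually apply to
every listener of the Gateway it targets? (Added example, not project code.)"""
from dataclasses import dataclass

# Assumption of this example: only listeners speaking HTTP carry an
# X-Forwarded-For header, so only these protocols can enforce clientCIDRs.
HEADER_AWARE_PROTOCOLS = {"HTTP", "HTTPS"}


@dataclass(frozen=True)
class Finding:
    listener: str   # listener name, or "*" for a policy-wide finding
    message: str


def policy_targets(policy: dict, kind: str, name: str) -> bool:
    """True if any targetRef of the SecurityPolicy points at kind/name."""
    return any(
        ref.get("kind") == kind and ref.get("name") == name
        for ref in policy.get("spec", {}).get("targetRefs", [])
    )


def cidr_rules(policy: dict) -> list:
    """Authorization rules whose principal uses clientCIDRs."""
    auth = policy.get("spec", {}).get("authorization") or {}
    return [
        rule for rule in auth.get("rules", [])
        if (rule.get("principal") or {}).get("clientCIDRs")
    ]


def check_cidr_policy(gateway: dict, policy: dict) -> list:
    """Return one Finding per listener on which the CIDR rules cannot apply,
    plus a policy-wide Finding when no listener can enforce them at all."""
    findings = []
    if not policy_targets(policy, "Gateway", gateway["metadata"]["name"]):
        return findings
    rules = cidr_rules(policy)
    if not rules:
        return findings
    cidrs = [c for rule in rules for c in rule["principal"]["clientCIDRs"]]
    listeners = gateway["spec"].get("listeners", [])
    skipped = []
    for listener in listeners:
        proto = listener.get("protocol", "")
        if proto not in HEADER_AWARE_PROTOCOLS:
            skipped.append(listener["name"])
            findings.append(Finding(
                listener["name"],
                f"{proto} listener carries no X-Forwarded-For header; "
                f"clientCIDRs {cidrs} will not be enforced here",
            ))
    if listeners and len(skipped) == len(listeners):
        findings.append(Finding(
            "*",
            "policy is a no-op for this Gateway: every listener is non-HTTP, "
            "so source-address restrictions need a network-layer control",
        ))
    return findings


# Constructed sample input, mirroring the manifests in the issue.
GATEWAY_TLS = {
    "metadata": {"name": "gwtest"},
    "spec": {"listeners": [{"name": "tls", "protocol": "TLS", "port": 443}]},
}
GATEWAY_HTTPS = {  # constructed: same Gateway with an HTTPS listener added
    "metadata": {"name": "gwtest"},
    "spec": {"listeners": [
        {"name": "tls", "protocol": "TLS", "port": 443},
        {"name": "https", "protocol": "HTTPS", "port": 8443},
    ]},
}
POLICY = {
    "spec": {
        "targetRefs": [{"group": "gateway.networking.k8s.io",
                        "kind": "Gateway", "name": "gwtest"}],
        "authorization": {
            "defaultAction": "Deny",
            "rules": [{"action": "Allow",
                       "principal": {"clientCIDRs": ["8.8.8.8/32"]}}],
        },
    },
}

if __name__ == "__main__":
    for f in check_cidr_policy(GATEWAY_TLS, POLICY):
        print(f"[{f.listener}] {f.message}")
```

Run against the issue's own manifests the check reports the `tls` listener and then flags the whole policy as a no-op, which is exactly the silent outcome the reporter observed (policy status Accepted, config unchanged). With an HTTPS listener added, only the TLS listener is reported, because the header-based rule can take effect on the HTTPS one. The check is a linting aid: the authoritative signal would be the status condition the maintainer suggests adding.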
Author

zs-ko commented Sep 18, 2024

@arkodg Ah, ok. Are there any plans to support CIDR filtering on routes or gateways for TCP/TLS streams?

Contributor

arkodg commented Sep 19, 2024

@zs-ko Can you create a separate GH issue for the feature?
