Gateway does not obey SecurityPolicy authorization with clientCIDRs
Description:
When applying a SecurityPolicy with authorization and a rule with principal clientCIDRs against a Gateway, the gateway still accepts connections that are not permitted.
Expected the rule to apply to the gateway and block traffic, as defaultAction is Deny. The status of the SecurityPolicy is Accepted, but the config is not changed to reflect this.
Repro steps:
1. Create the gateway.
2. Apply the security policy.
3. Try to open a TLS connection against the gateway.
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gwtest
spec:
  gatewayClassName: eg
  listeners:
  - name: tls
    protocol: TLS
    port: 443
    hostname: somehost.domain.com
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ''
        name: tls-cert
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: authorization-test
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: gwtest
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - 8.8.8.8/32
```
After looking at the code, it seems to me that only HTTPRoute is supported for authorization with clientCIDRs.
Environment:
Using envoyproxy/gateway:v1.1.1 and envoyproxy/envoy:distroless-v1.31.0
Logs:
```
2024-09-17T09:20:35.025Z INFO provider kubernetes/status_updater.go:140 received a status update {"runner": "provider", "namespace": "test", "name": "authorization-test"}
2024-09-17T09:20:35.040Z INFO provider kubernetes/status_updater.go:140 received a status update {"runner": "provider", "namespace": "test", "name": "testgateway"}
2024-09-17T09:20:35.041Z INFO provider.testgateway.test kubernetes/status_updater.go:104 status unchanged, bypassing update {"runner": "provider"}
```
Ah, thanks for also debugging this one @zs-ko. This feature is based on the data from the X-Forwarded-For header, which is not available for TLSRoute. This is not an error but can be highlighted in status, similar to the Overwritten reason.
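An added example, not part of this issue or of Envoy Gateway's own code: a small Python evaluator of the authorization policy shown above, plus a pre-apply check that flags the misconfiguration the issue describes (clientCIDRs authorization attached to a Gateway whose listeners are TLS/TCP, or to a TLSRoute/TCPRoute/UDPRoute), following the maintainer's explanation that the client address comes from the X-Forwarded-For header. The manifests are embedded as constructed Python dicts mirroring the YAML in the report; the first-match rule semantics, the function names and the protocol/route-kind sets are assumptions of this example.

```python
import copy
import ipaddress

# Constructed Python mirrors of the two manifests in the issue (hypothetical, not Envoy Gateway code).
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "gwtest"},
    "spec": {"listeners": [{"name": "tls", "protocol": "TLS", "port": 443}]},
}

SECURITY_POLICY = {
    "kind": "SecurityPolicy",
    "metadata": {"name": "authorization-test"},
    "spec": {
        "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "Gateway", "name": "gwtest"}],
        "authorization": {
            "defaultAction": "Deny",
            "rules": [{"action": "Allow", "principal": {"clientCIDRs": ["8.8.8.8/32"]}}],
        },
    },
}

# The same policy re-targeted at an HTTPRoute (constructed): the case the maintainer says is supported.
HTTPROUTE_POLICY = copy.deepcopy(SECURITY_POLICY)
HTTPROUTE_POLICY["spec"]["targetRefs"] = [
    {"group": "gateway.networking.k8s.io", "kind": "HTTPRoute", "name": "http-test"}
]

# Listener protocols whose traffic carries a parsed HTTP request, and therefore an X-Forwarded-For header.
L7_PROTOCOLS = {"HTTP", "HTTPS"}
# Route kinds that proxy raw streams: no HTTP request is parsed, so there is no header to read.
STREAM_ROUTE_KINDS = {"TLSRoute", "TCPRoute", "UDPRoute"}


def client_ip(xff_header, peer_ip):
    """Derive the client address the way an XFF-based check must: the first hop listed in the header.
    With no header (a raw TLS/TCP stream) only the TCP peer address is known.
    The header is only as trustworthy as the proxies in front of the gateway that set it."""
    if not xff_header:
        return peer_ip
    return xff_header.split(",")[0].strip()


def authorize(policy, ip):
    """Assumed first-match evaluation of authorization rules, falling back to defaultAction."""
    auth = policy["spec"]["authorization"]
    addr = ipaddress.ip_address(ip)
    for rule in auth.get("rules", []):
        cidrs = rule.get("principal", {}).get("clientCIDRs", [])
        if any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs):
            return rule["action"]
    return auth.get("defaultAction", "Allow")


def lint_policy(policy, gateway=None):
    """Return findings for clientCIDRs authorization attached to targets that never see X-Forwarded-For.
    An empty list means every target can actually enforce the rule."""
    findings = []
    auth = policy["spec"].get("authorization", {})
    if not any(r.get("principal", {}).get("clientCIDRs") for r in auth.get("rules", [])):
        return findings
    for ref in policy["spec"].get("targetRefs", []):
        kind, name = ref["kind"], ref["name"]
        if kind in STREAM_ROUTE_KINDS:
            findings.append(f"{kind}/{name}: clientCIDRs relies on X-Forwarded-For, which a stream route never carries")
        elif kind == "Gateway" and gateway and gateway["metadata"]["name"] == name:
            for listener in gateway["spec"]["listeners"]:
                if listener["protocol"] not in L7_PROTOCOLS:
                    findings.append(
                        f"Gateway/{name} listener {listener['name']} ({listener['protocol']}): "
                        "no HTTP request is parsed, so clientCIDRs cannot be evaluated and the rule is not enforced"
                    )
    return findings


if __name__ == "__main__":
    # The HTTPRoute case: the rule works as written.
    print(authorize(HTTPROUTE_POLICY, client_ip("8.8.8.8, 10.0.0.1", "10.0.0.1")))  # Allow
    print(authorize(HTTPROUTE_POLICY, client_ip("203.0.113.7", "10.0.0.1")))        # Deny
    # The Gateway-with-TLS-listener case from the issue: flagged before the policy is applied.
    for finding in lint_policy(SECURITY_POLICY, GATEWAY):
        print("WARN", finding)
```

Running `lint_policy` against the report's two manifests yields one warning for the `tls` listener, while the same policy targeting an HTTPRoute yields none; that is the check to run before trusting a SecurityPolicy whose status reads Accepted.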
@arkodg Ah ok. Are there any plans to support CIDR filtering on routes or gateways for TCP/TLS streams?
@zs-ko can you create a separate GH issue for the feature?
This issue has been automatically marked as stale because it has not had activity in the last 30 days.