
security policies for tcp gateways not working #4908

Open
davem-git opened this issue Dec 12, 2024 · 7 comments

Comments

@davem-git

Description:
Security Policies can be applied on gateways, but they don't work on gateways with TCP listeners

[optional Relevant Links:]
gh discussion on it from this discussion

Internally an HTTP RBAC filter is used; to enable this we'll need to use https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/rbac_filter# when the listener is a TCP listener (tcp_proxy)

example log from a TCP gateway; you can see the source IP listed as downstream_remote_address":"<redacted_public_address:51822"

{"start_time":"2024-12-11T23:59:57.831Z","method":"-","x-envoy-origin-path":"-","protocol":"-","response_code":"0","response_flags":"-","response_code_details":"-","connection_termination_details":"-","upstream_transport_failure_reason":"-","bytes_received":"781","bytes_sent":"2235","duration":"353","x-envoy-upstream-service-time":"-","x-forwarded-for":"-","user-agent":"-","x-request-id":"-",":authority":"-","upstream_host":"10.101.67.104:5432","upstream_cluster":"tcproute/default/pgo-tools-dre/rule/-1","upstream_local_address":"10.101.68.80:36306","downstream_local_address":"10.101.68.80:32000","downstream_remote_address":"<redacted_public_address:51822","requested_server_name":"-","route_name":"-"}

example of the security policy

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: pgo-authorization-client-ip
  namespace: envoy-gateway-system
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: pgo-gateway-2
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - <public_address>
```
currently using v1.2.3
@zhaohuabing
Member

zhaohuabing commented Dec 18, 2024

@davem-git Currently the SecurityPolicy only applies to HTTPRoute/GRPCRoute as all the other Security features except client IP based authz make no sense to TCPRoute.

As a workaround, you should be able to add an RBAC filter to the filter chain through EnvoyPatchPolicy.

Do we want to extend the SecurityPolicy to TCPRoute? @envoyproxy/gateway-maintainers ?

@davem-git
Author

davem-git commented Jan 6, 2025

I'll look into that. Any documentation to help with this use case? I've looked into the patch policy before, but I think my inexperience with Envoy outside of the gateway has made it difficult. I've tried to patch other things without much luck. Here's the filter you're referring to, right? https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/rbac_filter

@arkodg
Contributor

arkodg commented Jan 6, 2025

all the fields today in SecurityPolicy are HTTP specific, and do not directly apply to TCPRoute today.
For IP based Allow/Deny for TCP, we'd need to use a different implementation under the hood: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/rbac_filter#
the decision here is, do we

  1. reuse the same API for TCPRoute but implement it differently
    or
  2. add another field in SP or CTP for this use case.

I'm more inclined to 1. atm
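The workaround discussed above (an Envoy network RBAC filter inserted ahead of tcp_proxy on the TCP listener via EnvoyPatchPolicy), written out as an added example; it is not part of the thread and not Envoy Gateway's own documentation. It assumes the Gateway from the issue (`pgo-gateway-2` in `envoy-gateway-system`), a TCP listener on that Gateway named `postgres`, the Envoy Gateway xDS listener naming convention `<gateway-namespace>/<gateway-name>/<listener-name>`, a single filter chain on that listener, and a constructed client range `203.0.113.0/24` standing in for the redacted public address. EnvoyPatchPolicy has to be enabled in the EnvoyGateway configuration (`extensionApis.enableEnvoyPatchPolicy: true`) before the patch is applied.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
  name: pgo-tcp-client-ip-allowlist
  namespace: envoy-gateway-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: pgo-gateway-2            # Gateway from the issue
  type: JSONPatch
  jsonPatches:
    - type: "type.googleapis.com/envoy.config.listener.v3.Listener"
      # assumed xDS listener name: <gateway-namespace>/<gateway-name>/<listener-name>
      name: envoy-gateway-system/pgo-gateway-2/postgres
      operation:
        op: add
        # insert at index 0 so the RBAC filter runs before envoy.filters.network.tcp_proxy;
        # network filters are evaluated in filter-chain order
        path: "/filter_chains/0/filters/0"
        value:
          name: envoy.filters.network.rbac
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
            stat_prefix: tcp_client_ip
            # action: ALLOW means a connection is accepted only when some policy
            # matches, which gives the SecurityPolicy's defaultAction: Deny semantics
            rules:
              action: ALLOW
              policies:
                allow-known-clients:
                  permissions:
                    - any: true
                  principals:
                    # direct_remote_ip is the TCP peer address, i.e. the value logged
                    # as downstream_remote_address in the access log above
                    - direct_remote_ip:
                        address_prefix: 203.0.113.0   # constructed placeholder range
                        prefix_len: 24
```

`direct_remote_ip` matches the address of the actual TCP connection; `remote_ip` would instead honour an address supplied by the PROXY protocol listener filter, which matters only if the gateway sits behind a load balancer that injects it. After applying the policy, dump the listener with `egctl config envoy-proxy listener -n envoy-gateway-system` to confirm the RBAC filter precedes tcp_proxy on the intended filter chain (the `/filter_chains/0` index is an assumption and needs checking when the listener has several chains), and watch the `tcp_client_ip.rbac.allowed` and `tcp_client_ip.rbac.denied` counters on the Envoy stats endpoint to see the decisions being taken.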

@davem-git
Author

From this, I can't do as suggested and shoehorn this with a patch policy. I'd rather see it supported as it is a common use case. Companies like to say the endpoint is supported with an IP filter.

@davem-git
Author

The changes would need to be in the envoy proxy itself, then in the envoy gateway. Is that where I would look if I am interested in helping address this problem?

using decision 1?

@zhaohuabing
Member

> 1. reuse the same API for TCPRoute but implement it differently

+1 on reusing the same API, but only support client IP based auth for TCP.

@arkodg
Contributor

arkodg commented Jan 24, 2025

@davem-git all the changes needed are in Envoy Gateway itself
