Add ip filter design doc #4990
Add ip filter design doc #4990
Conversation
ecordell
requested review from
stevesloka and
skriss
and removed request for
a team
|
Hi @ecordell! Welcome to our community and thank you for opening your first Pull Request. Someone will review it soon. Thank you for committing to making Contour better. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace |
ecordell
force-pushed
the
ipfilterdesign
branch
from
beb0c4e to
5678b08
Compare
skriss
added
kind/design
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #4990 +/- ##
=======================================
Coverage 77.94% 77.94%
=======================================
Files 138 138
Lines 17731 17731
=======================================
Hits 13820 13820
Misses 3646 3646
Partials 265 265 |
There was a problem hiding this comment.
it would be great to add some more implementation notes about how the Envoy filters might work, once we agree on a general shape of the API, you've got a nice example in there but as we go we may want to add some more the that section
i.e. mention the RBAC filter: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/rbac_filter and how configuring Prinicipals might work: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-principal maybe add some links to the API reference in case readers want to take a look
some examples of configuration and requests (including source ip and/or x-forwarded-for header) that would be allowed/denied would be great to add
the Envoy filter allows full per-route configuration so the per-route configuration makes a lot of sense to me
design/ip-filtering-design.md
Outdated
| - Support filtering on request IP or on forwarded IP (i.e. via `X-Forwarded-For`) | ||
|
|
||
| ## Non Goals | ||
| - Define Gateway API support for ip filtering. This is an obvious next step, but requires broader agreement. |
There was a problem hiding this comment.
we'll likely need to write up a design for a CR to be used as an extension Filter or Policy for Gateway API
There was a problem hiding this comment.
Are you saying that you think we should bring the Gateway API into scope? Or just that that's the likely direction if/when ip filtering is added to Gateway API?
There was a problem hiding this comment.
addressing a bit of both actually, probably good to get a baseline of what we want to support done in HTTPProxy only to start with (so no Gateway API work here) as well as acknowledging that unless the upstream Gateway API project supports it natively we will have to write our own CR to handle that feature
we can follow on later with designs on what to do w/ Gateway API
design/ip-filtering-design.md
Outdated
| Note that: | ||
| - Allow rules cannot be mixed with Deny rules: it won't be evident if a deny rule should be an exception to an allow rule, or if an allow rule should be an exception to a deny rule. | ||
| - Multiple allow/deny CIDR ranges can be specified by repeating a key. | ||
| - `peer` refers to the request IP |
There was a problem hiding this comment.
writing down how exactly these concepts fold into the Envoy RBAC configuration fields would be good to make sure to head off any confusion early
There was a problem hiding this comment.
Is the terminology peer and remote originating from Ambassador? Envoy seems to use direct_remote_ip and remote_ip. Which one is better to align?
There was a problem hiding this comment.
Yep, I took that from Ambassador (it was linked in one of the original GH issues on ip filtering). I don't have a strong opinion on the fields names, if direct_remote and remote sound better.
There was a problem hiding this comment.
Is the terminology
peerandremoteoriginating from Ambassador? Envoy seems to usedirect_remote_ipandremote_ip. Which one is better to align?
I like the latter
|
Thanks for the review @sunjayBhatia - I'll work on ironing out the envoy details and update here. |
design/ip-filtering-design.md
Outdated
|
|
||
| ## Goals | ||
|
|
||
| - Support ip allowlists and denylists via Contour APIs. |
| ``` | ||
|
|
||
| Note that: | ||
| - Allow rules cannot be mixed with Deny rules: it won't be evident if a deny rule should be an exception to an allow rule, or if an allow rule should be an exception to a deny rule. |
There was a problem hiding this comment.
This means allow rule starts from "deny all" right? Maybe mention that explicitly?
design/ip-filtering-design.md
Outdated
| Note that: | ||
| - Allow rules cannot be mixed with Deny rules: it won't be evident if a deny rule should be an exception to an allow rule, or if an allow rule should be an exception to a deny rule. | ||
| - Multiple allow/deny CIDR ranges can be specified by repeating a key. | ||
| - `peer` refers to the request IP |
There was a problem hiding this comment.
Is the terminology peer and remote originating from Ambassador? Envoy seems to use direct_remote_ip and remote_ip. Which one is better to align?
ecordell
force-pushed
the
ipfilterdesign
branch
from
5678b08 to
9142ba7
Compare
|
@sunjayBhatia @tsaarni I addressed most of the feedback and made a couple of updates to the proposed API. I've implemented this in #5008 with the understanding that we may need to adjust it if we change anything here first. Implementing it was the easiest way to suss out exactly how envoy's rbac filter actually works in practice. |
|
Since I think the API design is what probably requires the most discussion, here are some alternatives to think about:
ipAllowPolicy:
- cidr: 127.0.0.1/32
source: Peer
#or
ipDenyPolicy:
- cidr: 99.99.0.0/16
source: Remote
ipFilterPolicy:
- allow: 127.0.0.1/32
source: Peer
- allow: 99.99.0.0/16
source: Peer
#or
ipFilterPolicy:
- deny: 99.99.0.0/16
source: Remote
ipFilterPolicy:
- allow: 127.0.0.1/32
source: DirectRemote
- allow: 99.99.0.0/16
source: Remote
#or
ipFilterPolicy:
- deny: 99.99.0.0/16
source: Remote
ipAllowPolicy:
- directRemote: 127.0.0.1/32
- remote: 99.99.0.0/16
#or
ipDenyPolicy:
- remote: 99.99.0.0/16
Another api question is whether bare ips should be interpreted as |
I'm in favor of being more explicit, I don't think it's too bad to ask people to add |
|
Also I'm somewhat in favor of the options that have only one top-level field, just so there are less keys to have to configure and people don't get the impression just looking at the shape of the API that they could combine allow and deny policies on a route |
I tend to agree, but for what it's worth the nginx whitelist feature supports single-ips in the filter. |
|
@ecordell any progress? |
|
|
@ecordell, thx for your work, I can't wait to use it, btw I saw there are two branches: |
|
Thanks @izturn!
|
|
got it |
There was a problem hiding this comment.
looks like adding support for per-virtualhost filtering is something people are enthusiastic about as well
we can move forward with the design as-is and add to it in a follow-up PR or add it here, up to you @ecordell
|
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
github-actions
bot
added
the
lifecycle/stale
|
@sunjayBhatia I'll work on updating for virtualhost filtering, sorry for the silence |
github-actions
bot
removed
the
lifecycle/stale
|
Late to the party on this one. Is supporting the |
not at the moment, no, but if you're willing to contribute an addendum to this document or an additional feature once this is merged/agreed upon we will of course consider it |
ecordell
force-pushed
the
ipfilterdesign
branch
from
9142ba7 to
79205d3
Compare
|
@sunjayBhatia doc is updated for virtualhost-level ip filtering It's implemented in #5008 as well |
sunjayBhatia
requested review from
sunjayBhatia,
wilsonwu and
izturn
and removed request for
wilsonwu
| ## Goals | ||
|
|
||
| - Support ipv4 and ipv6 allowlists and denylists via Contour APIs. | ||
| - Support filtering on request IP or on forwarded IP (i.e. via `X-Forwarded-For`) |
There was a problem hiding this comment.
From the change log:
Filters can indicate whether the direct IP should be used or whether a reported IP from
PROXYorX-Forwarded-Forshould be used instead.
maybe we need to unify them all
There was a problem hiding this comment.
maybe we need to unify them all
Not sure I'm following your suggestion, would you mind rephrasing it?
This proposal is to use the envoy implementation, which does support PROXY in addition to X-Forwarded-For, if that's your question?
There was a problem hiding this comment.
Sorry for my pool english, I means the descriptions in these two places need to be consistent.
There was a problem hiding this comment.
Taking this and the implementation in #5008 together I think this is good to approve, the open questions I had that weren't explicitly covered here were around how exactly the overrides would work (virtualhost config overridden per-route) and how includes would work, but looks like that is already tested in the implementation so we can discuss there
I'll leave this open for a little longer in case anyone else wants to chime in
There was a problem hiding this comment.
one more thought I just had would be to nail down what the precedence of the RBAC filter is when combined with other filters
i.e. should IP filtering happen before rate limiting, ExtAuth etc.
since the filter ends up getting applied as a per-route filter this might mean it is evaluated later than people would expect
Signed-off-by: Evan Cordell <[email protected]>
ecordell
force-pushed
the
ipfilterdesign
branch
from
79205d3 to
af885f2
Compare
I took a stab at a proposal to address #3693
I haven't looked deeply at the envoy filters available for this, but I wrote down what looked like would work based on the docs.