Support IP whitelist

[uniduan]

Description:
Does envoy gateway support IP whitelist?
How to use it?

[oowl]

I see that the code base only supports JWT authentication for now, but luckily Envoy has an RBAC filter that can meet your needs, we need to do some development work to support this. https://www.envoyproxy.io/docs/envoy/v1.9.0/api-v2/config/rbac/v2alpha/rbac.proto#envoy-api-field-config-rbac-v2alpha-principal-source-ip
https://www.envoyproxy.io/docs/envoy/v1.9.0/api-v2/config/filter/http/rbac/v2/rbac.proto#config-filter-http-rbac-v2-rbacperroute

[oowl]

If possible, I can try to support this. What do you think? @arkodg

[arkodg]

thanks for raising this issue, here's how I think we should approach this feature.

• Long Term - Add Support to Upstream Gateway API. There already seems to be an open issue
  Enhancement: add HTTPRoute IP ACL's kubernetes-sigs/gateway-api#1141 . Since upstream API consensus takes a while, this might not be available for use any time soon.
• Mid Term - Similar to JWT Authentication Filter, EG can create another Extension API called IPBlockList, but this will result in many CRDs, one for each feature, which is hard to mantain in this repo. @kflynn & @AliceProxy have been looking into building higher level nouns (e.g. NetworkingFilter , GatewayPolicy, RoutePolicy) so we can build one high level CRD, and add these features as top level fields within them.
• Short Term - As a workaround, you should be able to directly edit/patch xDS Filters using Allow users to configure xDS resources #24 / feat: EnvoyPatchPolicy API #1410 which should be part of v0.5.0 that will be released in July 2023

[uniduan]

Thanks for your help. I'll try the RBAC filter.

[arkodg]

reopening this issue, and adding the help-wanted label in case someone from the community wants to take this forward

We now have an API to be able to hold this feature - ClientTrafficPolicy which is a good home for this feature

Temporary solution: we've added support for EnvoyPatchPolicy https://gateway.envoyproxy.io/latest/user/envoy-patch-policy.html which can be used to directly configure the RBAC Filter
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-rbac

[Xunzhuo]

Should be better to add into SecurityPolicy ? @envoyproxy/gateway-maintainers

[arkodg]

a decision needs to be made here on whether ip blocking is part of SecurityPolicy or ClientTrafficPolicy . This boils down to use cases -

• if ip blocking is handled primarily by network admin / platform admin, it should be included in ClientTrafficPolicy
• if ip blocking is defined by app devs, it should be made part of SecurityPolicy

I vote to make it part of ClientTrafficPolicy because Ive seen network/infra admins perform this op. App Devs can always use rate limiting to limit requests from a specific subset of IPs to a small value or 0 for their business use case

[zzjin]

May GEP-713 can solve this problem?

eg:

• app devs can define ip whitelist/blacklist policy and attach it to *route
• sysadm can also define these policy and attach to gateway(and/or sub route), and even drop app devs policy.

[arkodg]

@zzjin SecurityPolicy & ClientTrafficPolicy are implementations of https://gateway-api.sigs.k8s.io/geps/gep-713/

[arkodg]

dup of #2462