Gateway do not obey SecurityPolicy and authorization with clientCIDRS
Description:
What issue is being seen? Describe what should be happening instead of
When applying a security policy against a gateway with authorization and a rule with principal clientCIDRs, the gateway still accepts connections that are not permitted.
Expected the rule to apply to the gateway and block traffic, as defaultAction is Deny. The status of the security policy is Accepted, but the config is not changed to reflect this.
Repro steps:
Include sample requests, environment, etc. All data and inputs
1. Create gateway
2. Apply security policy
3. Try to open a TLS connection against the gateway
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gwtest
spec:
  gatewayClassName: eg
  listeners:
  - name: tls
    protocol: TLS
    port: 443
    hostname: somehost.domain.com
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ''
        name: tls-cert
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: authorization-test
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: gwtest
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - 8.8.8.8/32
Note: If there are privacy concerns, sanitize the data prior to sharing.
After looking at the code it seems to me that only HTTPRoute is supported for authorization and clientCIDRs.
Environment:
Include the environment like gateway version, envoy version and so on.
using envoyproxy/gateway:v1.1.1 and envoyproxy/envoy:distroless-v1.31.0
Logs:
Include the access logs and the Envoy logs.
2024-09-17T09:20:35.025Z INFO provider kubernetes/status_updater.go:140 received a status update {"runner": "provider", "namespace": "test", "name": "authorization-test"}
2024-09-17T09:20:35.040Z INFO provider kubernetes/status_updater.go:140 received a status update {"runner": "provider", "namespace": "test", "name": "testgateway"}
2024-09-17T09:20:35.041Z INFO provider.testgateway.test kubernetes/status_updater.go:104 status unchanged, bypassing update {"runner": "provider"}
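The report's core observation is that the SecurityPolicy status reads Accepted while the proxy configuration never changes. The added script below (not Envoy Gateway code, written here for this issue) is the check a practitioner would run to confirm that gap: it parses an Envoy `/config_dump` and reports which listeners carry no RBAC ALLOW rule for the CIDR the policy names. The config dump embedded in it is a constructed, trimmed sample with one HTTP listener where the policy did land and one TLS listener where it did not; the filter names, the `remote_ip`/`direct_remote_ip` principal shape and the listener naming are assumptions about how Envoy Gateway translates the policy, so adjust them against a real dump from the proxy's admin endpoint.

```python
"""Check whether an Envoy config dump actually contains the RBAC rules that a
SecurityPolicy with authorization/clientCIDRs should have produced.

Hypothetical helper for this issue, not Envoy Gateway's own code. The dump
below is a constructed sample in the shape of Envoy's /config_dump output."""
import ipaddress
import json

HTTP_RBAC = "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
NET_RBAC = "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC"
HCM = ("type.googleapis.com/envoy.extensions.filters.network."
       "http_connection_manager.v3.HttpConnectionManager")

# Constructed sample: the HTTP listener got an RBAC filter allowing 8.8.8.8/32,
# the TLS (terminate + tcp_proxy) listener got nothing, mirroring the report.
SAMPLE_CONFIG_DUMP = json.dumps({"configs": [{
    "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
    "dynamic_listeners": [
        {"name": "test/gwtest/http", "active_state": {"listener": {
            "name": "test/gwtest/http",
            "filter_chains": [{"filters": [{
                "name": "envoy.filters.network.http_connection_manager",
                "typed_config": {"@type": HCM, "http_filters": [
                    {"name": "envoy.filters.http.rbac",
                     "typed_config": {"@type": HTTP_RBAC, "rules": {
                         "action": "ALLOW", "policies": {"allow-cidrs": {
                             "permissions": [{"any": True}],
                             "principals": [{"remote_ip": {
                                 "address_prefix": "8.8.8.8", "prefix_len": 32}}]}}}}},
                    {"name": "envoy.filters.http.router"}]}}]}]}}},
        {"name": "test/gwtest/tls", "active_state": {"listener": {
            "name": "test/gwtest/tls",
            "filter_chains": [{"filters": [{
                "name": "envoy.filters.network.tcp_proxy",
                "typed_config": {"@type": "type.googleapis.com/envoy.extensions."
                                 "filters.network.tcp_proxy.v3.TcpProxy"}}]}]}}},
    ]}]})


def _rbac_cidrs(rbac):
    """Yield (action, ip_network) for each remote_ip/direct_remote_ip principal."""
    rules = rbac.get("rules", {})
    action = rules.get("action", "ALLOW")  # Envoy's proto default is ALLOW
    for policy in rules.get("policies", {}).values():
        for principal in policy.get("principals", []):
            cidr = principal.get("remote_ip") or principal.get("direct_remote_ip")
            if cidr:
                net = f"{cidr['address_prefix']}/{cidr.get('prefix_len', 32)}"
                yield action, ipaddress.ip_network(net)


def _typed_configs(listener):
    """Yield every network filter config and, inside an HCM, every HTTP filter config."""
    for chain in listener.get("filter_chains", []):
        for flt in chain.get("filters", []):
            cfg = flt.get("typed_config", {})
            yield cfg
            if cfg.get("@type") == HCM:
                for http_flt in cfg.get("http_filters", []):
                    yield http_flt.get("typed_config", {})


def listener_rbac_state(config_dump: str) -> dict:
    """Map listener name -> sorted (action, cidr) tuples found in RBAC filters."""
    state = {}
    for cfg in json.loads(config_dump).get("configs", []):
        if not cfg.get("@type", "").endswith("ListenersConfigDump"):
            continue
        for entry in cfg.get("dynamic_listeners", []):
            listener = entry.get("active_state", {}).get("listener", {})
            name = listener.get("name", entry.get("name"))
            found = []
            for typed in _typed_configs(listener):
                if typed.get("@type") in (HTTP_RBAC, NET_RBAC):
                    found.extend((a, str(n)) for a, n in _rbac_cidrs(typed))
            state[name] = sorted(found)
    return state


def listeners_missing_allow(config_dump: str, expected_cidr: str) -> list:
    """Listeners with no ALLOW rule for expected_cidr: the policy was not applied there."""
    want = ipaddress.ip_network(expected_cidr)
    missing = []
    for name, rules in listener_rbac_state(config_dump).items():
        if not any(a == "ALLOW" and ipaddress.ip_network(c) == want for a, c in rules):
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    # Replace SAMPLE_CONFIG_DUMP with the text of a real /config_dump to audit a proxy.
    for name, rules in listener_rbac_state(SAMPLE_CONFIG_DUMP).items():
        print(f"{name}: {rules or 'NO RBAC FILTER'}")
    print("policy not applied on:", listeners_missing_allow(SAMPLE_CONFIG_DUMP, "8.8.8.8/32"))
```

With an allow-list RBAC (action ALLOW), every source not matching a policy is denied, which is exactly the defaultAction: Deny semantics the SecurityPolicy asks for; a listener that shows up in the "missing" list is one where status and effective configuration disagree, which is the condition this issue describes.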