
Expose Envoy's network rbac filter configuration in contour

Open jmboby opened this issue 4 years ago • 5 comments

I'd like to be able to use Envoy to do things such as TCP IP whitelisting. I believe this is possible with Envoy's network RBAC filter: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/rbac_filter

Describe the solution you'd like

Expose Envoy's network RBAC filter configuration in Contour, ... via ConfigMaps would be best.

jmboby avatar Oct 02 '20 04:10 jmboby

Similar underlying use cases as https://github.com/projectcontour/contour/issues/2888

jpeach avatar Oct 04 '20 21:10 jpeach

// cc #66

stevesloka avatar Dec 08 '20 14:12 stevesloka

We need to come up with an idea around how to expose this in a Configmap (or should this be in a CRD?).

Exposing the Envoy config style would be the simplest (https://www.envoyproxy.io/docs/envoy/v1.16.0/api-v3/config/rbac/v3/rbac.proto#role-based-access-control-rbac), but not the easiest to manage within a configmap.

stevesloka avatar Dec 08 '20 14:12 stevesloka
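
For reference, this is roughly what the "Envoy config style" discussed above looks like for a TCP IP allowlist. It is an added example, not part of the original thread and not configuration that Contour generates; the listener name, port, cluster name and CIDR ranges are constructed placeholders.

```yaml
# Added example: hand-written Envoy listener fragment (not Contour output).
# Listener name, port, cluster name and CIDRs are constructed placeholders.
static_resources:
  listeners:
  - name: tcp_allowlisted              # hypothetical listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 9000 }
    filter_chains:
    - filters:
      # The RBAC filter is placed before tcp_proxy so the connection is
      # evaluated before anything is proxied upstream.
      - name: envoy.filters.network.rbac
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
          stat_prefix: tcp_allowlist
          rules:
            # With action ALLOW, a connection that matches no policy is denied.
            action: ALLOW
            policies:
              allow-known-sources:     # hypothetical policy name
                permissions:
                - any: true
                principals:
                # direct_remote_ip matches the peer address of the TCP connection.
                - direct_remote_ip: { address_prefix: 10.0.0.0, prefix_len: 8 }
                - direct_remote_ip: { address_prefix: 192.0.2.0, prefix_len: 24 }
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_backend
          cluster: backend             # hypothetical cluster, defined elsewhere
```

If Envoy sits behind a load balancer that does not preserve the client address, `direct_remote_ip` sees the load balancer rather than the client; the `remote_ip` principal matches the address inferred from sources such as PROXY protocol instead.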

This change is certainly big enough to require a design document laying out:

  • What we're adding (i.e. are we adding only allowlist support, or are we exposing the full RBAC featureset)
  • Why are we adding it? (What use cases are we solving? Just the network access control, or are we allowing more stuff than that? Envoy's full RBAC is also used for service-mesh things with identity, which we don't currently do. Should we be adding that as part of this?)
  • How will we add it? A CRD? A ConfigMap? This seems closely connected to the scope - if we are only adding allowlisting, then that's very different to if we're exposing the full scope of the RBAC filter.

youngnick avatar Dec 14 '20 22:12 youngnick

Ambassador has added similar functionality with a neat design: https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador/#ip-allow-and-deny

youngnick avatar Aug 03 '22 09:08 youngnick

Checking in - I am a Contour user and I would like to push for this change. Is there any way in which I can contribute with anything?

pratiklotia avatar Aug 04 '23 21:08 pratiklotia

@pratiklotia have you looked at https://projectcontour.io/docs/1.25/config/ip-filtering/? This uses the HTTP RBAC filter.

skriss avatar Aug 22 '23 19:08 skriss

@skriss Thank you Steve.

pratiklotia avatar Sep 01 '23 15:09 pratiklotia

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

github-actions[bot] avatar Jan 08 '24 00:01 github-actions[bot]
