I need to support allow/deny policies based on origin ips for TCP services.
I’m using rbac network filters through EnvoyFilter to accomplish this task, but it’s only giving results at ingress level and not when applying configuration to other workloads.
I stumbled upon a similar problem when trying to do this for http services through ipBlocks using
AuthorizationPolicy, but was able to preserve ips at specific workloads by relying on the remoteIp option using http rbac filters, as per Authorization Policy IP allow/deny not working on services different than ingress-gateway.
I was expecting to get the same functionality for tcp services, but looks like i’m missing something. The following envoyfilter was used on a single-node mongodb deployment. Tested on EKS using NLB and externalTrafficPolicy already set to local.
kind: EnvoyFilter
apiVersion: networking.istio.io/v1alpha3
metadata:
labels:
app: mongodb-deployment
name: mongodb-rbac-network-envoyfilter
spec:
configPatches:
- applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
match:
context: SIDECAR_INBOUND
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.network.rbac
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC"
stat_prefix: mongodb
rules:
action: DENY
policies:
policy-default-DENY-27017:
permissions:
- any: true
principals:
- remote_ip:
address_prefix: 166.116.206.108
prefix_len: 32
workloadSelector:
labels:
app.kubernetes.io/instance: mongodb