I need to support allow/deny policies based on origin IPs for TCP services. I'm using RBAC network filters through EnvoyFilter to accomplish this task, but it's only giving results at ingress level and not when applying configuration to other workloads.

I stumbled upon a similar problem when trying to do this for HTTP services through AuthorizationPolicy, but was able to preserve IPs at specific workloads by relying on the remoteIp option using HTTP RBAC filters, as per "Authorization Policy IP allow/deny not working on services different than ingress-gateway".

I was expecting to get the same functionality for TCP services, but looks like I'm missing something. The following EnvoyFilter was used on a single-node MongoDB deployment. Tested on EKS using NLB and externalTrafficPolicy already set to
```yaml
kind: EnvoyFilter
apiVersion: networking.istio.io/v1alpha3
metadata:
  labels:
    app: mongodb-deployment
  name: mongodb-rbac-network-envoyfilter
spec:
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: SIDECAR_INBOUND
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.network.rbac
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC"
          stat_prefix: mongodb
          rules:
            action: DENY
            policies:
              policy-default-DENY-27017:
                permissions:
                - any: true
                principals:
                - remote_ip:
                    address_prefix: 18.104.22.168
                    prefix_len: 32
  workloadSelector:
    labels:
      app.kubernetes.io/instance: mongodb
```
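As an added example (not part of this post or of Istio/Envoy), a small Python model of how the network RBAC filter above evaluates its rules block against the peer address the sidecar observes: the CIDR principal matches when the original client address reaches the sidecar, and never matches when the sidecar sees a rewritten source address (the node address 10.0.1.5 is a constructed placeholder), which is the symptom to check for when a remote_ip rule works at the gateway but not at a workload.

```python
import ipaddress

# The rules block of the EnvoyFilter above, transcribed as a dict so the
# example runs without a YAML library (constructed for this example).
RBAC_RULES = {
    "action": "DENY",
    "policies": {
        "policy-default-DENY-27017": {
            "permissions": [{"any": True}],
            "principals": [{"remote_ip": {"address_prefix": "18.104.22.168",
                                          "prefix_len": 32}}],
        }
    },
}

def principal_matches(principal, remote_ip):
    """Match one principal against the peer address the sidecar actually sees."""
    if "any" in principal:
        return bool(principal["any"])
    if "remote_ip" in principal:
        cidr = principal["remote_ip"]
        net = ipaddress.ip_network(f"{cidr['address_prefix']}/{cidr['prefix_len']}", strict=False)
        return ipaddress.ip_address(remote_ip) in net
    raise ValueError(f"unsupported principal: {principal}")

def permission_matches(permission, dest_port):
    """Match one permission; only the fields relevant to this page are modelled."""
    if "any" in permission:
        return bool(permission["any"])
    if "destination_port" in permission:
        return int(permission["destination_port"]) == dest_port
    raise ValueError(f"unsupported permission: {permission}")

def rbac_decision(rules, remote_ip, dest_port):
    """Return (allowed, matched_policy) with Envoy RBAC semantics: a policy
    matches when any permission AND any principal match; under action DENY a
    match denies and no match allows, under ALLOW it is the reverse."""
    for name, policy in rules["policies"].items():
        if (any(permission_matches(p, dest_port) for p in policy["permissions"])
                and any(principal_matches(p, remote_ip) for p in policy["principals"])):
            return (rules["action"] != "DENY", name)
    return (rules["action"] == "DENY", None)

if __name__ == "__main__":
    # Client address reaches the sidecar unchanged: the DENY policy matches.
    print(rbac_decision(RBAC_RULES, "18.104.22.168", 27017))  # (False, 'policy-default-DENY-27017')
    # Sidecar sees a rewritten source (constructed node address): no match, so allowed.
    print(rbac_decision(RBAC_RULES, "10.0.1.5", 27017))  # (True, None)
```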