rbac: add support for upstream ip policy. (#17645)

Based on the dicsussion in the issue https://github.com/envoyproxy/envoy/issues/17410, this PR adds implementation for ability to add rbac policy to filter upstream ip addresses for dynamically resolved domains (by dynamic proxy filter). Signed-off-by: Jojy George Varghese <jojy_varghese@apple.com> Mirrored from https://github.com/envoyproxy/envoy @ 53f95570a7e9d7fa5414a4bc145852524fa017ed
3 years ago · 0ba1805d60
parent eb207d5661
commit 0ba1805d60
6 changed files with 62 additions and 1 deletions
--- a/1
+++ b/1
@ -201,6 +201,7 @@ proto_library(
        "//envoy/extensions/quic/crypto_stream/v3:pkg",
        "//envoy/extensions/quic/proof_source/v3:pkg",
        "//envoy/extensions/rate_limit_descriptors/expr/v3:pkg",
+        "//envoy/extensions/rbac/matchers/upstream_ip_port/v3:pkg",
        "//envoy/extensions/request_id/uuid/v3:pkg",
        "//envoy/extensions/resource_monitors/fixed_heap/v3:pkg",
        "//envoy/extensions/resource_monitors/injected_resource/v3:pkg",
--- a/envoy/config/rbac/v3/rbac.proto
+++ b/envoy/config/rbac/v3/rbac.proto
@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.config.rbac.v3;

 import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/extension.proto";
 import "envoy/config/route/v3/route_components.proto";
 import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/path.proto";
@ -146,7 +147,7 @@ message Policy {
 }

 // Permission defines an action (or actions) that a principal can take.
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message Permission {
  option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission";

@ -218,6 +219,10 @@ message Permission {
    // Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
    // setup SNI.
    type.matcher.v3.StringMatcher requested_server_name = 9;
+
+    // Extension for configuring custom matchers for RBAC.
+    // [#extension-category: envoy.rbac.matchers]
+    core.v3.TypedExtensionConfig matcher = 12;
  }
 }

--- a/envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto
+++ b/envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto
@ -27,6 +27,12 @@ message FilterConfig {
  // <envoy_v3_api_field_extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig.dns_cache_config>`.
  common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 1
      [(validate.rules).message = {required: true}];
+
+  // When this flag is set, the filter will add the resolved upstream address in the filter
+  // state. The state should be saved with key
+  // `envoy.stream.upstream_address` (See
+  // :repo:`upstream_address.h<source/common/stream_info/upstream_address.h>`).
+  bool save_upstream_address = 2;
 }

 // Per route Configuration for the dynamic forward proxy HTTP filter.
--- a/envoy/extensions/rbac/matchers/upstream_ip_port/v3/BUILD
+++ b/envoy/extensions/rbac/matchers/upstream_ip_port/v3/BUILD
@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "//envoy/type/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
--- a/envoy/extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto
+++ b/envoy/extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto
@ -0,0 +1,35 @@
+syntax = "proto3";
+
+package envoy.extensions.rbac.matchers.upstream_ip_port.v3;
+
+import "envoy/config/core/v3/address.proto";
+import "envoy/type/v3/range.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.rbac.matchers.upstream_ip_port.v3";
+option java_outer_classname = "UpstreamIpPortMatcherProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: RBAC upstream IP and port matcher plugin]
+// [#extension: envoy.rbac.matchers.upstream_ip_port]
+
+// This is configuration for matching upstream ip and port.
+// Note that although both fields are optional, at least one of IP or port must be supplied. If only
+// one is supplied the other is a wildcard match.
+// This matcher requires a filter in the chain to have saved the upstream address in the
+// filter state before the matcher is executed by RBAC filter. The state should be saved with key
+// `envoy.stream.upstream_address` (See
+// :repo:`upstream_address.h<source/common/stream_info/upstream_address.h>`).
+// Also, See :repo:`proxy_filter.cc<
+// source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc>` for an example of a
+// filter which populates the FilterState.
+message UpstreamIpPortMatcher {
+  // A CIDR block that will be used to match the upstream IP.
+  // Both Ipv4 and Ipv6 ranges can be matched.
+  config.core.v3.CidrRange upstream_ip = 1;
+
+  // A port range that will be used to match the upstream port.
+  type.v3.Int64Range upstream_port_range = 2;
+}
--- a/versioning/BUILD
+++ b/versioning/BUILD
@ -153,6 +153,7 @@ proto_library(
        "//envoy/extensions/quic/crypto_stream/v3:pkg",
        "//envoy/extensions/quic/proof_source/v3:pkg",
        "//envoy/extensions/rate_limit_descriptors/expr/v3:pkg",
+        "//envoy/extensions/rbac/matchers/upstream_ip_port/v3:pkg",
        "//envoy/extensions/request_id/uuid/v3:pkg",
        "//envoy/extensions/resource_monitors/fixed_heap/v3:pkg",
        "//envoy/extensions/resource_monitors/injected_resource/v3:pkg",