[ I tried the Envoy slack but it seems mostly inactive so trying here.
I haven't joined this list, please CC any responses to
c...@aaaaa.org. ]
I'm not very familiar with Envoy and don't know how much I'll be
working with it, but I have a need to modify an existing (and large)
Envoy configuration, and having trouble figuring out if what I want
can be done.
Configuration is generated by a homegrown script, which is what I'll
actually modify, to autogenerate a modified config. Currently, this
configuration has:
- multiple listeners
- each listener has one or more filterChains
- each filterChain has envoy.filters.network.rbac as its first filter
- most filterChains then have a second filter that does other things
- the network.rbac filters are all identical (generated from the script);
each one has rules.action=DENY, rules.policies with a list of
principals which are all directRemoteIp - a set of IP ranges to deny
In other words, the current configuration applies a deny list of IP
ranges to every listener, and the default is to allow if the source
IP is not in one of those ranges.
What I need to add is an allow list that pre-empts the deny list:
a list of IP ranges to always allow, even if they match the deny
list. The rest of the behavior needs to stay the same. In other
words, the new behavior would be:
- If source IP is on the allow list, allow
- If it is not, then if it is on the deny list, deny
- If on neither list, then allow
I'm having a very hard time figuring out how to do this, even though
it seems like it should be easy and straightforward. Here's what I
think I've learned:
1. It is impossible to define a single rbac filter with a short
circuit chain of rules like this. The filter can either be entirely a
DENY filter (that is, default allow, but deny what matches the
policies) or entirely an ALLOW filter (that is, default deny, but
allow what matches the policies). Each filter can only have a single
"rules", which can only have one "action" (why "rules" not "rule"?)
2. Since each RBAC "rules" is part of a filter that is part of a
filterChains, and a filterChains can actually have multiple filters,
I considered whether I can use this chaining to get this behavior.
However, it looks like each chain will always go through all of the
filters in its list in turn, so having an allow-list filter before
the deny-list filter would have no effect - those IPs would still
get blocked.
3. Even if I'm wrong about #2 and filterChains can be made to have
with a short circuit, where first match wins, that would still not
work here. We need the subsequent rule that comes after the RBAC
filter to be processed whenever traffic is allowed; an allow list
that prevents that last filter from being processed would be bad.
4. "matcher" appears to be an alternative to "rules" that may be
able to do exactly what I want. But it has a big warning in the
docs saying that it's basically not supported yet, so we can't
use it for production configs.
Please correct me if any of my impressions above are wrong.
Creating a simple chain of allow and deny rules seems pretty basic, so
I'm surprised it's so hard to do with Envoy. Am I missing something?
-- Cos