Feature Request: Filter/route ingress traffic based on downstream service #160
Comments
Just to add a use-case for this. Virtual Services/Nodes are likely to be owned by different teams. Each team is likely going to own the Virtual Service and Node configuration (locked down with IAM such that only that team can update the configuration for it). In such a scenario it is very likely teams will want to "onboard" other virtual services (owned by other teams) to be allowed to consume their service, effectively whitelisted. Thus there is a need to whitelist clients or "frontend" services that can consume a given virtual service and the virtual nodes that make up that service. This would hook into rate limiting nicely, where a service in the mesh (client) could be configured to have access at a given req/s rate.
Yup, this all makes sense to me. When you think about filtering / authorizing ingress traffic, a few questions come to mind:
I think there are certainly tie-ins to #34 and #81 (and of course, #107), but I'd like to understand if we should be building something more so you don't need to think about what identity solution you're using within the mesh. |
While I think @bcelenza hit the filter/authz scenario, I'm v curious about the routing story! My questions are
@dastbe As for the implementation of this feature and your second question, would it be possible to filter ingress traffic at the receiving end rather than limit the distribution of routes to permitted nodes only? Both implementations would work, but when troubleshooting configuration issues, the absence of routes in the configuration is harder to troubleshoot than an explicit set of filters in the configuration of the ingress envoy proxy.
Tell us about your request
Provide a way to control which VirtualNodes can access a service.
Which integration(s) is this request for?
All, I think.
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We are trying to find a way to limit or control which virtual nodes a virtual node can communicate with, within the Mesh network. Currently, it is only possible to explicitly define the backend services of a virtual node. We would like to be able to define the frontend nodes of a virtual service.
Are you currently working around this issue?
We haven't found an alternative/workaround yet. One possible way to achieve this would be to use a virtual router that matches specific headers in the request (e.g. using the header x-envoy-downstream-service-node), but AppMesh does not seem to inject any header that would allow us to route requests based on the identity of the downstream service.
Additional context
I had a look at TLS & IAM Role authorisation, but none of those seem to be able to prevent or limit a node from communicating with a virtual service.