rbac: support match based on destination cluster #4455
Comments
|
@lizan is the more general way to solve this to provide a list of allowed routable clusters (or blacklist) in the RouteConfiguration? I.e. is this more a policy issue best addressed in the control plane, where you would control beyond "private/internal" marking at the cluster level. |
htuch
added
design proposal
The general allow/deny list is already achievable with RBAC filter for both TCP and HTTP. Making a cluster private/internal is just an additional way to prevent leaking sensitive information from certain clusters (especially SDS) that you would never want traffic routed to. |
|
In general I would also prefer that we handle this in the RBAC filters. Is that what is being proposed here? |
|
@mattklein123 No, I'm proposing add a flag to cluster level that preventing traffic not generated by Envoy itself being routed to, without relying RBAC to be configured on every listeners/HCM. It is non-trivial to configure every listener/HCM with RBAC correctly to avoid external traffic to a specific cluster. |
To play devils advocate, why? This seems like an RBAC problem? Can't we have an RBAC rule to deny traffic that is destined for a particular route? It seems pretty straightforward to me? In general I would prefer to not add special cases to the router for things like this that IMO should be handled by RBAC? |
|
We don't have a mechanism to enforce RBAC globally across all listeners/HCMs? If there is a way to do that I'm fine with that too. |
Install the filter on every listener? |
Yeah sure it works, but IMO it is too much for just disallowing traffic to a certain clusters. (Note clusters might have credentials configured with it.) In HCM, the RBAC filter comes in front of router, so it need to be configured to match what It is technically possible to let control planes to figure out all of this and install RBAC filter (perhaps merge existing RBAC rules) accordingly. Though in most cases only certain clusters are private for internal use, there should be a fail-safe flag on cluster side for security in Envoy core, instead of having all logics above to compute RBAC rules. Thoughts? |
I see your point. Where I am mainly coming from is it's not clear to me that we should have multiple ways of doing something unless it is really necessary. This feels like an RBAC problem that we should solve with the RBAC filter, even if the management server needs to machine generate more config. @envoyproxy/maintainers anyone have any thoughts on this? |
|
I tend to agree with @mattklein123. I think my objection is that this change assumes there are only 2 classes of clusters. What if I have 3 classes instead, which are "routable from listener1 via header", "routable from listener2 via header", and "envoy-internal (xDS, etc)"? |
|
@ggreenway this is only for routable or not, more than that should be RBAC. Another point: this is also the difference between |
|
to throw to this mix, consider the case where the cluster name is taken from the SNI value? RBAC gets more complicated here as well. |
|
My earlier suggestion is really a preference that we put mechanism in Envoy and the policy in the management server. I think the question is how complicated is the implementation of a general whitelist/blacklist? If it's going to be O(100) lines of code, I think its worth making it general, any more complicated and yeah, sure, just a non-routable tag would make sense. An early API design principle is that the protos are intended to be machine generated, so we can err away from brevity here. |
|
With current implementations, it is tricky for control-planes to generate, especially for |
|
@lizan sorry I still don't understand why this is hard to do with the existing RBAC filter. Can you describe your use case in more detail? |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
stale
bot
added
the
stale
|
Sorry I didn't have a chance to revisit this. On a second thought, with current RBAC filter we at least need add destination cluster |
stale
bot
removed
the
stale
Agreed. This is generally useful. Please add! |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
stale
bot
added
the
stale
lizan
changed the title
stale
bot
removed
the
stale
lizan
added
help wanted
stale
bot
removed
the
stale
|
@lizan |
|
@yangminzhu yeah adding a rule to RBAC policy would be good. |
|
Hey all, sorry to dust off an old issue! |
Description:
Envoy can route traffic to clusters based on external given input, e.g.
cluster_headerin http_conn_manager, and there will be similar proposal for TCP in #4444. We should disallow traffic from listeners going to certain clusters, e.g. xDS API cluster (especially SDS), ratelimit cluster, ext_authz cluster etc.cc @rshriram
Relevant Links:
#4444 (comment)
The text was updated successfully, but these errors were encountered: