support setting trusted CIDRs
Signed-off-by: Rudrakh Panigrahi <[email protected]>
rudrakhp committed Oct 24, 2024
1 parent 9353be2 commit 3c83553
Showing 7 changed files with 54 additions and 35 deletions.
16 changes: 14 additions & 2 deletions api/v1alpha1/clienttrafficpolicy_types.go
@@ -237,14 +237,26 @@ type ClientIPDetectionSettings struct {
}

// XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
// for more details.
// +kubebuilder:validation:XValidation:rule="(has(self.numTrustedHops) && !has(self.trustedCIDRs)) || (!has(self.numTrustedHops) && has(self.trustedCIDRs))", message="either numTrustedHops or trustedCIDRs must be set"
type XForwardedForSettings struct {
// NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
// headers to trust when determining the origin client's IP address.
// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
// for more details.
// Only one of NumTrustedHops and TrustedCIDRs must be set.
//
// +optional
NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`

// TrustedCIDRs is a list of trusted CIDRs to trust when
// evaluating the remote IP address to determine the original client's IP address.
// Only one of NumTrustedHops and TrustedCIDRs must be set.
//
// +optional
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:ItemsFormat=cidr
// +notImplementedHide
TrustedCIDRs []string `json:"trustedCIDRs,omitempty"`
}

// CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on
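Review bot: The new `+kubebuilder:validation:XValidation` rule on XForwardedForSettings rejects an empty `xForwardedFor: {}` block (neither field present), which, as far as this hunk shows, passed validation before because `numTrustedHops` is `+optional` and the type had no rule; existing ClientTrafficPolicy objects written that way will be rejected on their next write once the CRD is upgraded, so this belongs under breaking changes rather than a plain api entry. The message also understates the rule: `(has(a) && !has(b)) || (!has(a) && has(b))` rejects both-set as well as neither-set, so "exactly one of numTrustedHops or trustedCIDRs must be set" describes it accurately. Separately, `trustedCIDRs` carries `+notImplementedHide` while the rule already asks users to choose between it and `numTrustedHops`; hiding a field that the validation message names will confuse anyone reading the generated docs.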
5 changes: 5 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

@@ -85,11 +85,23 @@ spec:
description: |-
NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details.
Only one of NumTrustedHops and TrustedCIDRs must be set.
format: int32
type: integer
trustedCIDRs:
description: |-
TrustedCIDRs is a list of trusted CIDRs to trust when
evaluating the remote IP address to determine the original client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set.
items:
type: string
minItems: 1
type: array
type: object
x-kubernetes-validations:
- message: either numTrustedHops or trustedCIDRs must be set
rule: (has(self.numTrustedHops) && !has(self.trustedCIDRs))
|| (!has(self.numTrustedHops) && has(self.trustedCIDRs))
type: object
x-kubernetes-validations:
- message: customHeader cannot be used in conjunction with xForwardedFor
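Review bot: Under `trustedCIDRs`, `items` is generated as a bare `type: string` with no `format: cidr`, so the `+kubebuilder:validation:ItemsFormat=cidr` marker in the Go type did not take effect and the API server will accept any string in this list. Because these entries decide which X-Forwarded-For hops are trusted when deriving the client IP, a malformed entry should be rejected at admission rather than surface later during translation. controller-gen spells item-level validation markers with an `items:` prefix (`+kubebuilder:validation:items:Format=cidr`); regenerate the CRD and confirm that `format: cidr` appears under `items` before merging.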
34 changes: 5 additions & 29 deletions release-notes/current.yaml
@@ -1,29 +1,5 @@
date: Pending

# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
breaking changes: |
- Add a breaking change here
# Updates addressing vulnerabilities, security flaws, or compliance requirements.
security updates: |
- Add a security update here
# New features or capabilities added in this release.
new features: |
- Add a new feature here
# Fixes for bugs identified in previous versions.
bug fixes: |
- Add a bug fix here
# Enhancements that improve performance.
performance improvements: |
- Add a performance improvement here
# Deprecated features or APIs.
deprecations: |
- Add a deprecation here
# Other notable changes not covered by the above sections.
Other changes: |
- Add other changes here
date: Oct 23, 2022
changes:
- area: api
change: |
Support setting trusted CIDRs
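Review bot: The rewritten file sets `date: Oct 23, 2022`, two years before this commit (Oct 24, 2024 per the commit header), so the date looks copied from an old release note and should be the release actually being prepared. The sectioned template that was removed (breaking changes, security updates, new features, bug fixes, ...) is replaced by a single `area: api` entry; since the new XValidation rule tightens what an existing xForwardedFor block may contain, a breaking-change entry is warranted, and it is worth checking that the release tooling accepts the changed layout.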
4 changes: 3 additions & 1 deletion site/content/en/latest/api/extension_types.md
@@ -4250,13 +4250,15 @@ _Appears in:_


XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details.

_Appears in:_
- [ClientIPDetectionSettings](#clientipdetectionsettings)

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP<br />headers to trust when determining the origin client's IP address.<br />Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for<br />for more details. |
| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP<br />headers to trust when determining the origin client's IP address.<br />Only one of NumTrustedHops and TrustedCIDRs must be set. |


#### ZipkinTracingProvider
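Review bot: The `numTrustedHops` description now ends with "Only one of NumTrustedHops and TrustedCIDRs must be set", but the table has no `trustedCIDRs` row (the field is marked `+notImplementedHide` in the Go type), so the generated page points readers at a field they cannot find. Either drop the marker and let the row be generated, or keep the cross-reference out of the description until the field is implemented.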
10 changes: 10 additions & 0 deletions site/content/en/news/releases/notes/current.md
@@ -0,0 +1,10 @@
---
title: "current"
publishdate: 2022-10-23
---

Date: Oct 23, 2022

## API
- Support setting trusted CIDRs
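Review bot: `publishdate: 2022-10-23` and `Date: Oct 23, 2022` predate this commit by two years (the commit header shows Oct 24, 2024) and repeat the stale date introduced in release-notes/current.yaml; both should carry the actual release date. The page also lists only the API entry, so if the new validation rule is recorded as a breaking change in the release notes it should appear here as well.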

4 changes: 3 additions & 1 deletion site/content/zh/latest/api/extension_types.md
@@ -4250,13 +4250,15 @@ _Appears in:_


XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details.

_Appears in:_
- [ClientIPDetectionSettings](#clientipdetectionsettings)

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP<br />headers to trust when determining the origin client's IP address.<br />Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for<br />for more details. |
| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP<br />headers to trust when determining the origin client's IP address.<br />Only one of NumTrustedHops and TrustedCIDRs must be set. |


#### ZipkinTracingProvider
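Review bot: Same gap as on the en page: the `numTrustedHops` description references TrustedCIDRs while no `trustedCIDRs` row is generated for this table because of `+notImplementedHide`, so the cross-reference should either be removed until the field is implemented or the row should be generated.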
