diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go index 63b2c91fb2ec..e713dfe41c6b 100644 --- a/api/v1alpha1/clienttrafficpolicy_types.go +++ b/api/v1alpha1/clienttrafficpolicy_types.go @@ -237,14 +237,25 @@ type ClientIPDetectionSettings struct { } // XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +// for more details. +// +kubebuilder:validation:XValidation:rule="(has(self.numTrustedHops) && !has(self.trustedCIDRs)) || (!has(self.numTrustedHops) && has(self.trustedCIDRs))", message="only one of numTrustedHops or trustedCIDRs must be set" type XForwardedForSettings struct { // NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP // headers to trust when determining the origin client's IP address. - // Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for - // for more details. + // Only one of NumTrustedHops and TrustedCIDRs must be set. // // +optional NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"` + + // TrustedCIDRs is a list of CIDRs to trust when evaluating + // the remote IP address to determine the original client's IP address. + // Only one of NumTrustedHops and TrustedCIDRs must be set. + // + // +optional + // +kubebuilder:validation:MinItems=1 + // +notImplementedHide + TrustedCIDRs []CIDR `json:"trustedCIDRs,omitempty"` } // CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 321a143df9c5..3368e73dd707 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -5579,6 +5579,11 @@ func (in *XForwardedForSettings) DeepCopyInto(out *XForwardedForSettings) { *out = new(uint32) **out = **in } + if in.TrustedCIDRs != nil { + in, out := &in.TrustedCIDRs, &out.TrustedCIDRs + *out = make([]CIDR, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XForwardedForSettings. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 3e626f3f88ad..3bf117d39b38 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -85,11 +85,28 @@ spec: description: |- NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP headers to trust when determining the origin client's IP address. - Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for - for more details. + Only one of NumTrustedHops and TrustedCIDRs must be set. format: int32 type: integer + trustedCIDRs: + description: |- + TrustedCIDRs is a list of CIDRs to trust when evaluating + the remote IP address to determine the original client's IP address. + Only one of NumTrustedHops and TrustedCIDRs must be set. + items: + description: |- + CIDR defines a CIDR Address range. + A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". + pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) + type: string + minItems: 1 + type: array type: object + x-kubernetes-validations: + - message: only one of numTrustedHops or trustedCIDRs must be + set + rule: (has(self.numTrustedHops) && !has(self.trustedCIDRs)) + || (!has(self.numTrustedHops) && has(self.trustedCIDRs)) type: object x-kubernetes-validations: - message: customHeader cannot be used in conjunction with xForwardedFor diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bfc711148bde..39e8a900c478 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -10,7 +10,7 @@ security updates: | # New features or capabilities added in this release. new features: | - Add a new feature here + - Added support for trusted CIDRs in the ClientIPDetectionSettings API # Fixes for bugs identified in previous versions. bug fixes: | diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 2999d46410c1..511b707de74f 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -525,6 +525,7 @@ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address _Appears in:_ - [Principal](#principal) +- [XForwardedForSettings](#xforwardedforsettings) @@ -4267,13 +4268,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 2999d46410c1..511b707de74f 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -525,6 +525,7 @@ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address _Appears in:_ - [Principal](#principal) +- [XForwardedForSettings](#xforwardedforsettings) @@ -4267,13 +4268,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go index 3558d1848f97..9452c6010be5 100644 --- a/test/cel-validation/clienttrafficpolicy_test.go +++ b/test/cel-validation/clienttrafficpolicy_test.go @@ -221,6 +221,91 @@ func TestClientTrafficPolicyTarget(t *testing.T) { "spec.clientIPDetection: Invalid value: \"object\": customHeader cannot be used in conjunction with xForwardedFor", }, }, + { + desc: "clientIPDetection numTrustedHops and trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + NumTrustedHops: ptr.To(uint32(1)), + TrustedCIDRs: []string{ + "192.168.1.0/24", + "10.0.0.0/16", + "172.16.0.0/12", + }, + }, + }, + } + }, + wantErrors: []string{ + "spec.clientIPDetection.xForwardedFor: Invalid value: \"object\": only one of numTrustedHops or trustedCIDRs must be set", + }, + }, + { + desc: "clientIPDetection invalid trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + TrustedCIDRs: []string{ + "192.0124.1.0/24", + "10.0.0.0/1645", + "17212.16.0.0/123", + }, + }, + }, + } + }, + wantErrors: []string{ + "spec.clientIPDetection.xForwardedFor.trustedCIDRs[0]: Invalid value: \"192.0124.1.0/24\": spec.clientIPDetection.xForwardedFor.trustedCIDRs[0] in body should match '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'", + "spec.clientIPDetection.xForwardedFor.trustedCIDRs[1]: Invalid value: \"10.0.0.0/1645\": spec.clientIPDetection.xForwardedFor.trustedCIDRs[1] in body should match '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'", + "spec.clientIPDetection.xForwardedFor.trustedCIDRs[2]: Invalid value: \"17212.16.0.0/123\": spec.clientIPDetection.xForwardedFor.trustedCIDRs[2] in body should match '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'", + }, + }, + { + desc: "clientIPDetection valid trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + TrustedCIDRs: []string{ + "192.168.1.0/24", + "10.0.0.0/16", + "172.16.0.0/12", + }, + }, + }, + } + }, + wantErrors: []string{}, + }, { desc: "http3 enabled and ALPN protocols not set with other TLS parameters set", mutate: func(ctp *egv1a1.ClientTrafficPolicy) {