I am trying to achieve the following with Envoy:
- Allow TCP traffic to a Postgres service with RBAC rules to allow only a few IPs.
This is my listener setup.
- name: listener_postgres
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 54322
  filter_chains:
    - filters:
        # RBAC network filter runs first, before the connection is proxied
        - name: envoy.filters.network.rbac
          config:
            stat_prefix: rbac_postgres
            rules:
              action: ALLOW
              policies:
                "allow":
                  permissions:
                    - any: true
                  principals:
                    - source_ip:
                        address_prefix: XX.XX.XX.XX
                        prefix_len: 32
                    - source_ip:
                        address_prefix: XX.XX.XX.XX
                        prefix_len: 32
                    - source_ip:
                        address_prefix: XX.XX.XX.XX
                        prefix_len: 32
        # Allowed connections are forwarded to the Postgres cluster
        - name: envoy.tcp_proxy
          config:
            stat_prefix: tcp_postgres
            cluster: database_service
I can confirm that the service is set up correctly because I can remove the RBAC rules and connect successfully.
When the RBAC rules are added I cannot connect to the Postgres database.
But for some reason nothing seems to work; I have also tried remote_ip and direct_remote_ip in place of source_ip.
Am I doing something wrong?
Thanks
It seems that setting the attribute to 'remote_ip' as suggested by Rahul Pratap worked.
Here is a working example:
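As an added illustration (not the poster's own working example, which is not reproduced here), this is how the same listener looks with `remote_ip` principals and the v3 `typed_config` form in place of the deprecated `config` key; the cluster definition and the 203.0.113.0/24 client addresses are constructed placeholders.

```yaml
static_resources:
  listeners:
    - name: listener_postgres
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 54322
      filter_chains:
        - filters:
            # RBAC runs before tcp_proxy; with action ALLOW, any connection
            # that matches no policy is closed, so only listed clients get through
            - name: envoy.filters.network.rbac
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
                stat_prefix: rbac_postgres
                rules:
                  action: ALLOW
                  policies:
                    "allow-known-clients":
                      permissions:
                        - any: true
                      principals:
                        # constructed placeholder client addresses
                        - remote_ip:
                            address_prefix: 203.0.113.10
                            prefix_len: 32
                        - remote_ip:
                            address_prefix: 203.0.113.11
                            prefix_len: 32
            - name: envoy.filters.network.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: tcp_postgres
                cluster: database_service
  clusters:
    # assumed upstream: Postgres on the local host
    - name: database_service
      type: STATIC
      load_assignment:
        cluster_name: database_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 5432
```

Denied connections are counted under the `rbac_postgres` stat prefix (the `rbac.denied` counter), which is the quickest way to confirm the filter is rejecting rather than the upstream failing. On a plain TCP listener with no PROXY protocol listener filter, `remote_ip` is simply the directly connected peer address.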