Allow IPs with TCP Listener using RBAC (Envoy)


I am trying to achieve the following with Envoy:

  • Allow TCP traffic to a Postgres service with RBAC rules to allow only a few IPs.

This is my listener setup.

    - name: listener_postgres
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 54322
      filter_chains:
        # filter_chains is a list: each chain is its own entry with its own filters
        - filters:
            - name: envoy.filters.network.rbac
              # typed_config with an @type URL replaces the removed untyped `config` field
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
                stat_prefix: rbac_postgres
                rules:
                  action: ALLOW
                  policies:
                    "allow":
                      permissions:
                        - any: true
                      principals:
                        - source_ip:
                            address_prefix: XX.XX.XX.XX
                            prefix_len: 32
                        - source_ip:
                            address_prefix: XX.XX.XX.XX
                            prefix_len: 32
                        - source_ip:
                            address_prefix: XX.XX.XX.XX
                            prefix_len: 32
            - name: envoy.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: tcp_postgres
                cluster: database_service

I can confirm that the service is set up correctly, because I can remove the RBAC rules and connect successfully.

When the RBAC rules are added I cannot connect to the Postgres database.

But for some reason nothing seems to work; I have also tried remote_ip and direct_remote_ip in place of source_ip.

Am I doing something wrong?

Thanks

2

There are 2 answers

0
Ben Osborne On BEST ANSWER

It seems that setting the attribute to 'remote_ip' as suggested by Rahul Pratap worked.

Here is a working example:

    - name: listener_postgres
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 54322
      filter_chains:
        # filter_chains is a list: each chain is its own entry with its own filters
        - filters:
            - name: envoy.filters.network.rbac
              # typed_config with an @type URL replaces the removed untyped `config` field
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
                stat_prefix: rbac_postgres
                rules:
                  action: ALLOW
                  policies:
                    "allow":
                      permissions:
                        - any: true
                      principals:
                        # remote_ip: the downstream address as Envoy sees it after listener
                        # filters (e.g. PROXY protocol) have run; /32 allows exactly one host
                        - remote_ip:
                            address_prefix: XX.XX.XX.XX
                            prefix_len: 32
            - name: envoy.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: tcp_postgres
                cluster: database_service
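
Both answers turn on which address principal Envoy evaluates and on how prefix_len is applied, so the following is an added offline simulator of the network RBAC filter's decision for a given client address. It is example code written for this page, not Envoy's own implementation. It assumes the rules block from the accepted answer with the XX.XX.XX.XX placeholders replaced by constructed RFC 5737 documentation addresses (one /32 host and one /24 range), supports only the `any` permission and the remote_ip / direct_remote_ip / source_ip principals, and ignores and_ids, or_ids, not_id and the LOG action. When choosing between the two current principal kinds on a TCP listener: remote_ip is the downstream address Envoy infers after listener filters such as the PROXY protocol filter have run, while direct_remote_ip is always the physical TCP peer; without such listener filters the two are identical, and direct_remote_ip is the safer pick if an untrusted client could reach the listener and speak PROXY protocol.

```python
"""Offline simulator for Envoy's network RBAC filter (ALLOW/DENY actions with
address principals). Added example for this thread; not Envoy code."""
import ipaddress

# Constructed stand-in for the `rules` block above: placeholders replaced by
# RFC 5737 documentation addresses. Assumption, not the poster's real IPs.
ALLOW_RULES = {
    "action": "ALLOW",
    "policies": {
        "allow": {
            "permissions": [{"any": True}],
            "principals": [
                {"remote_ip": {"address_prefix": "198.51.100.10", "prefix_len": 32}},
                {"remote_ip": {"address_prefix": "203.0.113.0", "prefix_len": 24}},
            ],
        }
    },
}

# All three address principal kinds take a CidrRange; the simulator treats them
# alike because it has no listener filters that could make remote_ip differ
# from direct_remote_ip.
_CIDR_PRINCIPALS = ("remote_ip", "direct_remote_ip", "source_ip")


def principal_matches(principal, peer):
    """True if the principal covers `peer` (an ipaddress.IPv4Address/IPv6Address)."""
    for key in _CIDR_PRINCIPALS:
        if key in principal:
            cidr = principal[key]
            net = ipaddress.ip_network(
                f"{cidr['address_prefix']}/{cidr['prefix_len']}", strict=False
            )
            # An IPv4 peer never matches an IPv6 range and vice versa.
            return peer.version == net.version and peer in net
    # `any: true` matches every downstream.
    return bool(principal.get("any"))


def policy_matches(policy, peer):
    """A policy matches when some permission AND some principal match.

    Only the `any` permission is modelled here (TCP listener, no ports/SNI)."""
    perms_ok = any(p.get("any") for p in policy.get("permissions", []))
    principals_ok = any(
        principal_matches(pr, peer) for pr in policy.get("principals", [])
    )
    return perms_ok and principals_ok


def rbac_decision(rules, client_addr):
    """Return 'ALLOW' or 'DENY' for a new connection from client_addr.

    Envoy semantics: action ALLOW permits only connections matching some
    policy (an ALLOW filter with no matching policy denies everything);
    action DENY rejects matching connections and permits the rest."""
    peer = ipaddress.ip_address(client_addr)
    matched = any(
        policy_matches(p, peer) for p in rules.get("policies", {}).values()
    )
    action = rules.get("action", "ALLOW")
    if action == "ALLOW":
        return "ALLOW" if matched else "DENY"
    if action == "DENY":
        return "DENY" if matched else "ALLOW"
    raise ValueError(f"unsupported RBAC action {action!r}")


if __name__ == "__main__":
    for addr in ("198.51.100.10", "198.51.100.11", "203.0.113.77", "2001:db8::1"):
        print(f"{addr:>16} -> {rbac_decision(ALLOW_RULES, addr)}")
```

Run it once with your real allow-list substituted into ALLOW_RULES and the address you are connecting from; if the simulator says DENY while you expect ALLOW, the issue is the rule (a wrong prefix, an IPv6 client against an IPv4 range, a NAT hop in between), and if it says ALLOW while Envoy still closes the connection, the issue is which address Envoy actually sees, which is where the remote_ip versus direct_remote_ip distinction and any PROXY protocol listener filter come in.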
2
Rahul Pratap On

Hey, I ran into the same issue, and this is the configuration that worked for me. I used the remote_ip attribute. Also, check the updated filter names.

    - name: listener_postgres
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 54322
      filter_chains:
        # filter_chains is a list: each chain is its own entry with its own filters
        - filters:
            # With typed_config the filter is selected by its @type URL, so the
            # name is a free-form label
            - name: envoy_rbac
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
                stat_prefix: rbac_postgres
                rules:
                  action: ALLOW
                  policies:
                    "allow":
                      permissions:
                        - any: true
                      principals:
                        - remote_ip:
                            address_prefix: XX.XX.XX.XX
                            prefix_len: 32
            - name: envoy_tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: tcp_postgres
                cluster: database_service