Reputation: 268
I am trying to achieve the following with Envoy:
This is my listener setup.
- name: listener_postgres
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 54322
  filter_chains:
  - filters:
    - name: envoy.filters.network.rbac
      config:
        stat_prefix: rbac_postgres
        rules:
          action: ALLOW
          policies:
            "allow":
              permissions:
              - any: true
              principals:
              - source_ip:
                  address_prefix: XX.XX.XX.XX
                  prefix_len: 32
              - source_ip:
                  address_prefix: XX.XX.XX.XX
                  prefix_len: 32
              - source_ip:
                  address_prefix: XX.XX.XX.XX
                  prefix_len: 32
    - name: envoy.tcp_proxy
      config:
        stat_prefix: tcp_postgres
        cluster: database_service
I can confirm that the service is set up correctly because, if I remove the RBAC rules, I can connect successfully.
When the RBAC rules are added, I cannot connect to the Postgres database.
But for some reason nothing seems to work; I have also tried remote_ip and direct_remote_ip in place of source_ip.
Am I doing something wrong?
Thanks
Upvotes: 0
Views: 1106
Reputation: 1
In my case, it works like this:
- name: listener_postgres
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 54322
  filter_chains:
  - filters:
    - name: envoy.filters.network.rbac
      typed_config: # add this line
        "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC # add this line
        stat_prefix: rbac_postgres
        rules:
          action: ALLOW
          policies:
            "allow":
              permissions:
              - any: true
              principals:
              - remote_ip: # change source to remote
                  address_prefix: XX.XX.XX.XX
                  prefix_len: 24
              - remote_ip:
                  address_prefix: XX.XX.XX.XX
                  prefix_len: 32
              - remote_ip:
                  address_prefix: XX.XX.XX.XX
                  prefix_len: 32
Upvotes: 0
Reputation: 268
It seems that setting the attribute to 'remote_ip' as suggested by Rahul Pratap worked.
Here is a working example:
- name: listener_postgres
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 54322
  filter_chains:
  - filters:
    - name: envoy.filters.network.rbac
      config:
        stat_prefix: rbac_postgres
        rules:
          action: ALLOW
          policies:
            "allow":
              permissions:
              - any: true
              principals:
              - remote_ip:
                  address_prefix: XX.XX.XX.XX
                  prefix_len: 32
    - name: envoy.tcp_proxy
      config:
        stat_prefix: tcp_postgres
        cluster: database_service
Upvotes: 0
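Before shipping an allowlist like the ones in this thread, it is worth checking which peers it actually admits (for example, the prefix_len: 24 in the second answer admits a whole /24, not one host). The following is an added example, not Envoy's code or anything posted above: it re-implements the network RBAC filter's matching for the principal kinds used here, with RFC 5737 test addresses standing in for the XX.XX.XX.XX placeholders.

```python
"""Offline audit of an Envoy network-RBAC IP allowlist (added example).

Models envoy.filters.network.rbac matching for the `any` permission and the
principals seen in this thread: any, remote_ip, direct_remote_ip and the
deprecated source_ip.  The real filter may derive remote_ip from PROXY
protocol / original_src while direct_remote_ip is the physical peer; this
check feeds the same address to both.
"""
import ipaddress


def cidr_matches(cidr: dict, peer_ip: str) -> bool:
    """True if peer_ip lies inside address_prefix/prefix_len (default /32)."""
    net = ipaddress.ip_network(
        f"{cidr['address_prefix']}/{cidr.get('prefix_len', 32)}", strict=False)
    return ipaddress.ip_address(peer_ip) in net


def principal_matches(principal: dict, peer_ip: str) -> bool:
    if principal.get("any"):
        return True
    for key in ("remote_ip", "direct_remote_ip", "source_ip"):
        if key in principal:
            return cidr_matches(principal[key], peer_ip)
    return False  # other principal kinds are not modelled here


def policy_matches(policy: dict, peer_ip: str) -> bool:
    # A policy matches when ANY permission and ANY principal match.
    perm_ok = any(p.get("any") for p in policy.get("permissions", []))
    princ_ok = any(principal_matches(p, peer_ip) for p in policy.get("principals", []))
    return perm_ok and princ_ok


def connection_allowed(rules: dict, peer_ip: str) -> bool:
    """action ALLOW: some policy must match; action DENY: no policy may match."""
    matched = any(policy_matches(p, peer_ip) for p in rules.get("policies", {}).values())
    return matched if rules.get("action", "ALLOW") == "ALLOW" else not matched


def build_allowlist(entries):
    """entries: iterable of (address_prefix, prefix_len) -> RBAC `rules` dict."""
    return {"action": "ALLOW", "policies": {"allow": {
        "permissions": [{"any": True}],
        "principals": [{"remote_ip": {"address_prefix": a, "prefix_len": n}}
                       for a, n in entries]}}}


# Constructed stand-ins (RFC 5737 test addresses) for the thread's XX.XX.XX.XX.
STRICT = build_allowlist([("198.51.100.10", 32), ("198.51.100.11", 32)])
WIDE = build_allowlist([("198.51.100.10", 24), ("198.51.100.11", 32)])  # /24 as in the 2nd answer

if __name__ == "__main__":
    for peer in ("198.51.100.10", "198.51.100.99", "203.0.113.5"):
        print(f"{peer:>14}  strict={connection_allowed(STRICT, peer)}  "
              f"wide={connection_allowed(WIDE, peer)}")
```

Running it shows 198.51.100.99 rejected by the /32 list but admitted by the /24 variant, which is the difference a reviewer should confirm is intended.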
Reputation: 16
Hey, I ran into the same issue and this is the configuration that worked for me.
I used the remote_ip attribute.
Also, check the updated filter names:
- name: listener_postgres
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 54322
  filter_chains:
  - filters:
    - name: envoy_rbac
      config:
        stat_prefix: rbac_postgres
        rules:
          action: ALLOW
          policies:
            "allow":
              permissions:
              - any: true
              principals:
              - remote_ip:
                  address_prefix: XX.XX.XX.XX
                  prefix_len: 32
    - name: envoy_tcp_proxy
      config:
        stat_prefix: tcp_postgres
        cluster: database_service
Upvotes: 0