From 41d86534a44986407753a68557ef47fbdd8f193e Mon Sep 17 00:00:00 2001 From: Rudrakh Panigrahi Date: Fri, 25 Oct 2024 12:00:49 +0530 Subject: [PATCH] support setting trusted CIDRs Signed-off-by: Rudrakh Panigrahi --- api/v1alpha1/clienttrafficpolicy_types.go | 16 +++- api/v1alpha1/zz_generated.deepcopy.go | 5 ++ ...y.envoyproxy.io_clienttrafficpolicies.yaml | 18 +++- release-notes/current.yaml | 2 +- site/content/en/latest/api/extension_types.md | 4 +- site/content/zh/latest/api/extension_types.md | 4 +- .../clienttrafficpolicy_test.go | 85 +++++++++++++++++++ 7 files changed, 127 insertions(+), 7 deletions(-) diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go index 63b2c91fb2e..8673a24001a 100644 --- a/api/v1alpha1/clienttrafficpolicy_types.go +++ b/api/v1alpha1/clienttrafficpolicy_types.go @@ -237,14 +237,26 @@ type ClientIPDetectionSettings struct { } // XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +// for more details. +// +kubebuilder:validation:XValidation:rule="(has(self.numTrustedHops) && !has(self.trustedCIDRs)) || (!has(self.numTrustedHops) && has(self.trustedCIDRs))", message="only one of numTrustedHops or trustedCIDRs must be set" type XForwardedForSettings struct { // NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP // headers to trust when determining the origin client's IP address. - // Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for - // for more details. + // Only one of NumTrustedHops and TrustedCIDRs must be set. // // +optional NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"` + + // TrustedCIDRs is a list of trusted IPv4 CIDRs to trust when + // evaluating the remote IP address to determine the original client's IP address. + // Only one of NumTrustedHops and TrustedCIDRs must be set. + // + // +optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:items:Pattern=`^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$` + // +notImplementedHide + TrustedCIDRs []string `json:"trustedCIDRs,omitempty"` } // CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 321a143df9c..4d7c367d763 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -5579,6 +5579,11 @@ func (in *XForwardedForSettings) DeepCopyInto(out *XForwardedForSettings) { *out = new(uint32) **out = **in } + if in.TrustedCIDRs != nil { + in, out := &in.TrustedCIDRs, &out.TrustedCIDRs + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XForwardedForSettings. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 3e626f3f88a..aa7ab4e3f2b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -85,11 +85,25 @@ spec: description: |- NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP headers to trust when determining the origin client's IP address. - Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for - for more details. + Only one of NumTrustedHops and TrustedCIDRs must be set. format: int32 type: integer + trustedCIDRs: + description: |- + TrustedCIDRs is a list of trusted IPv4 CIDRs to trust when + evaluating the remote IP address to determine the original client's IP address. + Only one of NumTrustedHops and TrustedCIDRs must be set. + items: + pattern: ^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$ + type: string + minItems: 1 + type: array type: object + x-kubernetes-validations: + - message: only one of numTrustedHops or trustedCIDRs must be + set + rule: (has(self.numTrustedHops) && !has(self.trustedCIDRs)) + || (!has(self.numTrustedHops) && has(self.trustedCIDRs)) type: object x-kubernetes-validations: - message: customHeader cannot be used in conjunction with xForwardedFor diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bfc711148bd..39e8a900c47 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -10,7 +10,7 @@ security updates: | # New features or capabilities added in this release. new features: | - Add a new feature here + - Added support for trusted CIDRs in the ClientIPDetectionSettings API # Fixes for bugs identified in previous versions. bug fixes: | diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 2999d46410c..abd0d1c2a64 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -4267,13 +4267,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 2999d46410c..abd0d1c2a64 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -4267,13 +4267,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go index 3558d1848f9..d73eb5a2116 100644 --- a/test/cel-validation/clienttrafficpolicy_test.go +++ b/test/cel-validation/clienttrafficpolicy_test.go @@ -221,6 +221,91 @@ func TestClientTrafficPolicyTarget(t *testing.T) { "spec.clientIPDetection: Invalid value: \"object\": customHeader cannot be used in conjunction with xForwardedFor", }, }, + { + desc: "clientIPDetection numTrustedHops and trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + NumTrustedHops: ptr.To(uint32(1)), + TrustedCIDRs: []string{ + "192.168.1.0/24", + "10.0.0.0/16", + "172.16.0.0/12", + }, + }, + }, + } + }, + wantErrors: []string{ + "spec.xForwardedFor: Invalid value: \"object\": only one of numTrustedHops or trustedCIDRs must be set", + }, + }, + { + desc: "clientIPDetection invalid trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + TrustedCIDRs: []string{ + "192.0124.1.0/24", + "10.0.0.0/1645", + "17212.16.0.0/123", + }, + }, + }, + } + }, + wantErrors: []string{ + "spec.clientIPDetection.xForwardedFor.trustedCIDRs[0]: Invalid value: \"192.0124.1.0/24\": spec.clientIPDetection.xForwardedFor.trustedCIDRs[0] in body should match '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'", + "spec.clientIPDetection.xForwardedFor.trustedCIDRs[1]: Invalid value: \"10.0.0.0/1645\": spec.clientIPDetection.xForwardedFor.trustedCIDRs[1] in body should match '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'", + "spec.clientIPDetection.xForwardedFor.trustedCIDRs[2]: Invalid value: \"17212.16.0.0/123\": spec.clientIPDetection.xForwardedFor.trustedCIDRs[2] in body should match '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'", + }, + }, + { + desc: "clientIPDetection valid trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + TrustedCIDRs: []string{ + "192.168.1.0/24", + "10.0.0.0/16", + "172.16.0.0/12", + }, + }, + }, + } + }, + wantErrors: []string{}, + }, { desc: "http3 enabled and ALPN protocols not set with other TLS parameters set", mutate: func(ctp *egv1a1.ClientTrafficPolicy) {