(rbac) add principal matchers for dynamic downstream IPs #37374
Conversation
…ourced downstream IPs Signed-off-by: antoniovleonti <[email protected]>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
|
/retest |
| core.v3.CidrRange ip_range = 2; | ||
| } | ||
|
|
||
| message DynamicMetadataIPMatcherConfig { |
There was a problem hiding this comment.
This seems like a fairly specific use case for the general mechanism provided by the existing SourcedMetadata matcher. Instead of adding this special case, can we generalize type.matcher.v3.MetadataMatcher to allow arbitrary plugin matchers, and then define a plugin that matches an IP range?
| @@ -338,6 +338,23 @@ message Principal { | |||
| type.matcher.v3.StringMatcher principal_name = 2; | |||
| } | |||
|
|
|||
| message FilterStateIPMatcherConfig { | |||
There was a problem hiding this comment.
Along similar lines, I think it would be better to add a pluggable matcher to type.matcher.v3.FilterStateMatcher rather than add this as a special case here.
|
/wait |
|
succeeded by #37637 |
Commit Message: (rbac) add principal matchers for dynamic downstream IPs
Additional Description:
This PR adds two matchers to RBAC (filter_state_ip, dynamic_metadata_ip) which compare an IP from filter state / dynamic metadata to a CIDR block. If the IP is not found where specified in configuration, the matcher fails. The IP is assumed to be a downstream IP, so the matchers are principal matchers.
Risk Level: low
Testing: unit tested
Docs Changes: none
Release Notes: changelog updated
Platform Specific Features: none