restrict-ip-access for tcproutes

[davem-git]

https://gateway.envoyproxy.io/docs/tasks/security/restrict-ip-access/
I see this shows TCP routes aren't supported in the restrict-ip-access. is this because there isn't enough information at the TCP layer for the access list to work?

i see you can attach it to gateways, but I don't see any examples. I've tried following the kubectl explain but its not very clear

for gateway it has listener name, if you have multiple gateways its possible you could have the same listener name across it, I don't see how it would know which to use. I read listener as the listener within a gateway, not the gateway name it self, since a gateway could have multiple listeners.

sectionName
SectionName is the name of a section within the target resource. When
unspecified, this targetRef targets the entire resource. In the following
resources, SectionName is interpreted as the following:

* Gateway: Listener name
* HTTPRoute: HTTPRouteRule name
* Service: Port name

If a SectionName is specified, but does not exist on the targeted object,
the Policy must fail to attach, and the policy implementation should record
a `ResolvedRefs` or similar Condition in the Policy's status.

[davem-git]

after reviewing the default logs, and setting externalTrafficPolicy back to local, I can see the source IP, it appears to be in downstream_remote_address":"<redacted_public_address:51822"

{"start_time":"2024-12-11T23:59:57.831Z","method":"-","x-envoy-origin-path":"-","protocol":"-","response_code":"0","response_flags":"-","response_code_details":"-","connection_termination_details":"-","upstream_transport_failure_reason":"-","bytes_received":"781","bytes_sent":"2235","duration":"353","x-envoy-upstream-service-time":"-","x-forwarded-for":"-","user-agent":"-","x-request-id":"-",":authority":"-","upstream_host":"10.101.67.104:5432","upstream_cluster":"tcproute/default/pgo-tools-dre/rule/-1","upstream_local_address":"10.101.68.80:36306","downstream_local_address":"10.101.68.80:32000","downstream_remote_address":"<redacted_public_address:51822","requested_server_name":"-","route_name":"-"}

My question is if we can't use Security Policies on TCP Route, but it says we can use gateways, I don't see any examples of using the policy on a gateway, Can someone link any examples? I also see section name, which makes it sound like I can target a listener, but that errors as not supported when I go to apply

Here's what I'm trying

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: pgo-authorization-client-ip
  namespace: envoy-gateway-system
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: pgo-gateway-2
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - <public_address>

[arkodg]

can you raise a GH issue for this ?
internally a HTTP RBAC Filter is used, to enable this we'll need to use https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/rbac_filter# when the listener is a TCP listener (tcp_proxy)

[davem-git]

SecurityPolicy Support for TCPRoute was added in v1.6.0