httpproxy: Add support for ip-based filtering

apis/projectcontour/v1/detailedconditions.go

@@ -144,6 +144,9 @@ const (
 	// ConditionTypeCORSError describes an error condition related to CORS.
 	ConditionTypeCORSError = "CORSError"
 
+	// ConditionTypeIPFilterError describes an error condition related to IP filters.
+	ConditionTypeIPFilterError = "IPFilterError"
+
 	// ConditionTypeJWTVerificationError describes an error condition related to JWT verification.
 	ConditionTypeJWTVerificationError = "JWTVerificationError"
 

apis/projectcontour/v1/httpproxy.go

@@ -295,6 +295,18 @@ type VirtualHost struct {
 	// Providers to use for verifying JSON Web Tokens (JWTs) on the virtual host.
 	// +optional
 	JWTProviders []JWTProvider `json:"jwtProviders,omitempty"`
+
+	// IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching
+	// requests should be allowed. All other requests will be denied.
+	// Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
+	// The rules defined here may be overridden in a Route.
+	IPAllowFilterPolicy []IPFilterPolicy `json:"ipAllowPolicy,omitempty"`
+
+	// IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching
+	// requests should be denied. All other requests will be allowed.
+	// Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
+	// The rules defined here may be overridden in a Route.
+	IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"`
 }
 
 // JWTProvider defines how to verify JWTs on requests.
@@ -531,6 +543,18 @@ type Route struct {
 	// The policy for verifying JWTs for requests to this route.
 	// +optional
 	JWTVerificationPolicy *JWTVerificationPolicy `json:"jwtVerificationPolicy,omitempty"`
+
+	// IPAllowFilterPolicy is a list of ipv4/6 filter rules for which matching
+	// requests should be allowed. All other requests will be denied.
+	// Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
+	// The rules defined here override any rules set on the root HTTPProxy.
+	IPAllowFilterPolicy []IPFilterPolicy `json:"ipAllowPolicy,omitempty"`
+
+	// IPDenyFilterPolicy is a list of ipv4/6 filter rules for which matching
+	// requests should be denied. All other requests will be allowed.
+	// Only one of IPAllowFilterPolicy and IPDenyFilterPolicy can be defined.
+	// The rules defined here override any rules set on the root HTTPProxy.
+	IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"`
 }
 
 type JWTVerificationPolicy struct {
@@ -550,6 +574,29 @@ type JWTVerificationPolicy struct {
 	Disabled bool `json:"disabled,omitempty"`
 }
 
+// IPFilterSource indicates which IP should be considered for filtering
+// +kubebuilder:validation:Enum=Peer;Remote
+type IPFilterSource string
+
+const (
+	IPFilterSourcePeer   IPFilterSource = "Peer"
+	IPFilterSourceRemote IPFilterSource = "Remote"
+)
+
+type IPFilterPolicy struct {
+	// Source indicates how to determine the ip address to filter on, and can be
+	// one of two values:
+	//  - `Remote` filters on the ip address of the client, accounting for PROXY and
+	//    X-Forwarded-For as needed.
+	//  - `Peer` filters on the ip of the network request, ignoring PROXY and
+	//    X-Forwarded-For.
+	Source IPFilterSource `json:"source"`
+
+	// CIDR is a CIDR block of ipv4 or ipv6 addresses to filter on. This can also be
+	// a bare IP address (without a mask) to filter on exactly one address.
+	CIDR string `json:"cidr"`
+}
+
 type HTTPDirectResponsePolicy struct {
 	// StatusCode is the HTTP response status to be returned.
 	// +required

changelogs/unreleased/5008-ecordell-major.md

@@ -0,0 +1,13 @@
+## IP Filter Support 
+
+Contour's HTTPProxy now supports configuring Envoy's [RBAC filter](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto) for allowing or denying requests by IP.
+
+An HTTPProxy can optionally include one or more IP filter rules, which define CIDR ranges to allow or deny requests based on origin IP.
+Filters can indicate whether the direct IP should be used or whether a reported IP from `PROXY` or `X-Forwarded-For` should be used instead.
+If the latter, Contour's `numTrustedHops` setting will be respected when determining the source IP.
+Filters defined at the VirtualHost level apply to all routes, unless overridden by a route-specific filter.
+
+For more information, see:
+- [HTTPProxy API documentation](https://projectcontour.io/docs/main/config/api/#projectcontour.io/v1.HTTPProxy)
+- [IPFilterPolicy API documentation](https://projectcontour.io/docs/main/config/api/#projectcontour.io/v1.IPFilterPolicy)
+- [Envoy RBAC filter documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto)

examples/contour/01-crds.yaml

@@ -4903,6 +4903,64 @@ spec:
                             type: integer
                           type: array
                       type: object
+                    ipAllowPolicy:
+                      description: IPAllowFilterPolicy is a list of ipv4/6 filter
+                        rules for which matching requests should be allowed. All other
+                        requests will be denied. Only one of IPAllowFilterPolicy and
+                        IPDenyFilterPolicy can be defined. The rules defined here
+                        override any rules set on the root HTTPProxy.
+                      items:
+                        properties:
+                          cidr:
+                            description: CIDR is a CIDR block of ipv4 or ipv6 addresses
+                              to filter on. This can also be a bare IP address (without
+                              a mask) to filter on exactly one address.
+                            type: string
+                          source:
+                            description: 'Source indicates how to determine the ip
+                              address to filter on, and can be one of two values:
+                              - `Remote` filters on the ip address of the client,
+                              accounting for PROXY and X-Forwarded-For as needed.
+                              - `Peer` filters on the ip of the network request, ignoring
+                              PROXY and X-Forwarded-For.'
+                            enum:
+                            - Peer
+                            - Remote
+                            type: string
+                        required:
+                        - cidr
+                        - source
+                        type: object
+                      type: array
+                    ipDenyPolicy:
+                      description: IPDenyFilterPolicy is a list of ipv4/6 filter rules
+                        for which matching requests should be denied. All other requests
+                        will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy
+                        can be defined. The rules defined here override any rules
+                        set on the root HTTPProxy.
+                      items:
+                        properties:
+                          cidr:
+                            description: CIDR is a CIDR block of ipv4 or ipv6 addresses
+                              to filter on. This can also be a bare IP address (without
+                              a mask) to filter on exactly one address.
+                            type: string
+                          source:
+                            description: 'Source indicates how to determine the ip
+                              address to filter on, and can be one of two values:
+                              - `Remote` filters on the ip address of the client,
+                              accounting for PROXY and X-Forwarded-For as needed.
+                              - `Peer` filters on the ip of the network request, ignoring
+                              PROXY and X-Forwarded-For.'
+                            enum:
+                            - Peer
+                            - Remote
+                            type: string
+                        required:
+                        - cidr
+                        - source
+                        type: object
+                      type: array
                     jwtVerificationPolicy:
                       description: The policy for verifying JWTs for requests to this
                         route.
@@ -6207,6 +6265,62 @@ spec:
                       to the fqdn.
                     pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                     type: string
+                  ipAllowPolicy:
+                    description: IPAllowFilterPolicy is a list of ipv4/6 filter rules
+                      for which matching requests should be allowed. All other requests
+                      will be denied. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy
+                      can be defined. The rules defined here may be overridden in
+                      a Route.
+                    items:
+                      properties:
+                        cidr:
+                          description: CIDR is a CIDR block of ipv4 or ipv6 addresses
+                            to filter on. This can also be a bare IP address (without
+                            a mask) to filter on exactly one address.
+                          type: string
+                        source:
+                          description: 'Source indicates how to determine the ip address
+                            to filter on, and can be one of two values: - `Remote`
+                            filters on the ip address of the client, accounting for
+                            PROXY and X-Forwarded-For as needed. - `Peer` filters
+                            on the ip of the network request, ignoring PROXY and X-Forwarded-For.'
+                          enum:
+                          - Peer
+                          - Remote
+                          type: string
+                      required:
+                      - cidr
+                      - source
+                      type: object
+                    type: array
+                  ipDenyPolicy:
+                    description: IPDenyFilterPolicy is a list of ipv4/6 filter rules
+                      for which matching requests should be denied. All other requests
+                      will be allowed. Only one of IPAllowFilterPolicy and IPDenyFilterPolicy
+                      can be defined. The rules defined here may be overridden in
+                      a Route.
+                    items:
+                      properties:
+                        cidr:
+                          description: CIDR is a CIDR block of ipv4 or ipv6 addresses
+                            to filter on. This can also be a bare IP address (without
+                            a mask) to filter on exactly one address.
+                          type: string
+                        source:
+                          description: 'Source indicates how to determine the ip address
+                            to filter on, and can be one of two values: - `Remote`
+                            filters on the ip address of the client, accounting for
+                            PROXY and X-Forwarded-For as needed. - `Peer` filters
+                            on the ip of the network request, ignoring PROXY and X-Forwarded-For.'
+                          enum:
+                          - Peer
+                          - Remote
+                          type: string
+                      required:
+                      - cidr
+                      - source
+                      type: object
+                    type: array
                   jwtProviders:
                     description: Providers to use for verifying JSON Web Tokens (JWTs)
                       on the virtual host.