Expose Envoy's network rbac filter configuration in contour #2971

Closed
jmboby opened this issue Oct 2, 2020 · 10 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@jmboby

jmboby commented Oct 2, 2020

I'd like to be able to use Envoy to do things such as TCP IP whitelisting. I believe this is possible with Envoy's network RBAC filter: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/rbac_filter

Describe the solution you'd like
Expose Envoy's network RBAC filter configuration in Contour... via ConfigMaps would be best.

@jpeach
Contributor

jpeach commented Oct 4, 2020

Similar underlying use cases as #2888

@stevesloka
Member

// cc #66

@stevesloka
Member

We need to come up with an idea around how to expose this in a Configmap (or should this be in a CRD?).

Exposing the Envoy config style would be the simplest (https://www.envoyproxy.io/docs/envoy/v1.16.0/api-v3/config/rbac/v3/rbac.proto#role-based-access-control-rbac), but not the easiest to manage within a configmap.
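
For reference, this is roughly what the raw Envoy-style configuration discussed above looks like for a TCP IP allowlist. It is an added example, not part of the original thread and not Contour configuration; the listener name, port, cluster name, policy name and CIDR ranges are constructed placeholders.

```yaml
# Constructed example: names, ports and CIDRs are placeholders.
static_resources:
  listeners:
  - name: tcp_ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 9000 }
    filter_chains:
    - filters:
      # The RBAC filter is listed before tcp_proxy so the connection is
      # evaluated before any bytes are forwarded upstream.
      - name: envoy.filters.network.rbac
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
          stat_prefix: tcp_allowlist
          rules:
            # With ALLOW, a connection matching no policy is closed.
            action: ALLOW
            policies:
              allowed-sources:
                permissions:
                - any: true
                # Principals are OR'd: matching any one entry is enough.
                principals:
                # direct_remote_ip is the physical peer address of the
                # connection, not one inferred from PROXY protocol.
                - direct_remote_ip: { address_prefix: 192.0.2.0, prefix_len: 24 }
                - direct_remote_ip: { address_prefix: 198.51.100.17, prefix_len: 32 }
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_backend
          cluster: backend
  clusters:
  - name: backend
    type: STATIC
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

If Envoy sits behind a load balancer that terminates the client connection, `direct_remote_ip` sees the load balancer's address, so the allowlist has to be written against whichever address the deployment actually exposes to Envoy.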

@youngnick
Member

This change is certainly big enough to require a design document laying out:

  • What we're adding (i.e. are we adding only allowlist support, or are we exposing the full RBAC feature set?)
  • Why are we adding it? (What use cases are we solving? Just the network access control, or are we allowing more stuff than that? Envoy's full RBAC is also used for service-mesh things with identity, which we don't currently do. Should we be adding that as part of this?)
  • How will we add it? A CRD? A ConfigMap? This seems closely connected to the scope - if we are only adding allowlisting, then that's very different to if we're exposing the full scope of the RBAC filter.

@youngnick
Member

Ambassador has added similar functionality with a neat design: https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador/#ip-allow-and-deny

@skriss skriss added the kind/feature and lifecycle/needs-triage labels Aug 3, 2022
@pratiklotia

Checking in - I am a Contour user and I would like to push for this change. Is there any way in which I can contribute with anything?

@skriss
Member

skriss commented Aug 22, 2023

@pratiklotia have you looked at https://projectcontour.io/docs/1.25/config/ip-filtering/? This uses the HTTP RBAC filter.

@pratiklotia

@skriss Thank you Steve.


github-actions bot commented Jan 8, 2024

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added the lifecycle/stale label Jan 8, 2024
@github-actions github-actions bot closed this as not planned Feb 9, 2024