feat(api): add ClientTrafficPolicy.clientIPDetection.downstreamRemoteAddress for L4-transparent geoip#8956
Open
sboulkour wants to merge 8 commits into
Open
Conversation
Today, SecurityPolicy authorization.rules[].principal.clientIPGeoLocations requires ClientTrafficPolicy.spec.clientIPDetection to be set. This makes GeoIP authorization unreachable in L4-transparent topologies where the downstream TCP peer IS the real client IP (e.g. AWS NLB with target-type=instance + externalTrafficPolicy=Local, Azure Standard LB), because there is no XFF/custom header to trust. Envoy's HTTP geoip filter (envoy.extensions.filters.http.geoip.v3.Geoip) supports three IP-source modes: xff_config, custom_header_config, and "neither set" -- in which case the filter uses "the immediate downstream connection source address" (per the proto). EG already exposes the first two modes; this PR exposes the third. Changes: * internal/gatewayapi/securitypolicy.go: validateAuthorizationGeoIP no longer rejects nil clientIPDetection. The TrustedCIDRs check is kept and guarded. * internal/xds/translator/geoip.go: comment-only update; the existing code already gated xff_config/custom_header_config on a non-nil ClientIPDetection, so no behavioral change is needed there. * Tests: unit + golden coverage for the nil-clientIPDetection case (gatewayapi translator and xDS translator). The xDS golden confirms the geoip filter is emitted with neither xff_config nor custom_header_config, and that no original_ip_detection_extensions are added to the HCM. * Docs and release notes updated. Fixes envoyproxy#8955 Signed-off-by: Salim Boulkour <salim.boulkour@algolia.com>
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Per maintainer feedback on envoyproxy#8955, replace the implicit "nil clientIPDetection ⇒ use downstream remote address" behavior introduced in the previous commit with an explicit new field: ClientTrafficPolicy.spec.clientIPDetection.downstreamRemoteAddress. Triggering the new behavior on absence of clientIPDetection was a fail-open footgun: an operator forgetting to set XFF behind a NATing proxy would silently trust the wrong IP for geolocation. The explicit field makes the operator's intent unambiguous. API: * Add DownstreamRemoteAddressSettings (empty struct, room to grow) and the DownstreamRemoteAddress field on ClientIPDetectionSettings. * Update the CEL XValidation rule to enforce mutual exclusion across all three siblings (xForwardedFor, customHeader, downstreamRemoteAddress). Validator: * Restore the rejection of nil clientIPDetection in validateAuthorizationGeoIP. The new mode requires an explicit non-nil ClientIPDetection with DownstreamRemoteAddress set. Translator: * Add an explicit switch arm in buildHCMGeoIPFilter that emits the geoip filter with neither xff_config nor custom_header_config when DownstreamRemoteAddress is set, so Envoy uses its documented default (the immediate downstream connection source address). HCM-side wiring needs no change: useRemoteAddress remains true since no original_ip_detection_extensions are produced. Tests: * Restore the gatewayapi golden testdata for the rejection case (byte-identical to upstream/main). * Add positive gatewayapi + xDS golden coverage for the new mode. * Update CEL validation tests for the new mutual-exclusion message and add positive/negative cases for downstreamRemoteAddress. Docs and release notes updated to describe the explicit field. Signed-off-by: Salim Boulkour <salim.boulkour@algolia.com>
sboulkour
changed the title
…moteAddress field These golden files render the ClientTrafficPolicy CRD inside the helm chart and need to reflect the new downstreamRemoteAddress field plus the updated CEL mutual-exclusion message. Caught by 'make gen-check'. Signed-off-by: Salim Boulkour <salim.boulkour@algolia.com>
Tighten ClientTrafficPolicy.clientIPDetection validation from "at most
one" to "exactly one" of {xForwardedFor, customHeader,
downstreamRemoteAddress}. This rejects an empty object (`{}`) and
aligns behavior with the explicit opt-in requirement for GeoIP source
selection.
Also add a defensive runtime validation in authorization GeoIP
translation so stale resources (or bypassed admission validation) are
rejected unless exactly one mode is configured.
Tests updated:
* gatewayapi unit tests: reject empty and multi-mode clientIPDetection.
* CEL validation tests: updated error message and added empty-object
rejection case.
* regenerated CRD/docs/helm golden outputs for the new CEL rule and
message.
Signed-off-by: Salim Boulkour <salim.boulkour@algolia.com>
Author
|
Follow-up pushed in
|
Author
|
@zhaohuabing could you please enable CI for this first-time contributor PR and review when you have a moment? I updated the PR to the explicit opt-in design with strict one-of clientIPDetection ( Thank you! |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8956 +/- ##
==========================================
+ Coverage 74.73% 74.75% +0.02%
==========================================
Files 251 251
Lines 40394 40404 +10
==========================================
+ Hits 30188 30205 +17
+ Misses 8138 8132 -6
+ Partials 2068 2067 -1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Author
|
@zhaohuabing thx for the CI run :) About the failed test, seems like the the gateway didn't get an IP within the 3min deadline. |
Author
|
/retest |
zhaohuabing
reviewed
May 11, 2026
zhaohuabing
reviewed
May 11, 2026
Per reviewer feedback, DownstreamRemoteAddress is too Envoy-internal. DirectRemoteAddress better describes the user-facing intent: use the direct TCP peer address as the client IP. Also add breaking change release note entry for the strict one-of CEL validation on clientIPDetection. Signed-off-by: Salim Boulkour <salim.boulkour@algolia.com>
sboulkour
force-pushed
the
geoip-allow-no-clientipdetection
branch
from
bedc422 to
c59c988
Compare
Signed-off-by: Salim Boulkour <salim.boulkour@algolia.com>
Author
|
@zhaohuabing ok pushed required changes. ready for a new CI run :) |
…dress Signed-off-by: Salim Boulkour <salim.boulkour@algolia.com>
zhaohuabing
reviewed
May 13, 2026
The sed-based rename accidentally changed downstreamRemoteAddressWithoutPortCelFormatter in ratelimit.go, which is a rate-limiting internal constant unrelated to the directRemoteAddress GeoIP feature. Revert to original name. Signed-off-by: Salim Boulkour <salim.boulkour@algolia.com>
zhaohuabing
reviewed
May 13, 2026
|
|
||
| # Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. | ||
| breaking changes: | | ||
| `ClientTrafficPolicy.spec.clientIPDetection` now requires exactly one of `xForwardedFor`, `customHeader`, or `directRemoteAddress` to be set. Previously an empty `clientIPDetection: {}` was accepted; it is now rejected by CEL validation. |
Member
There was a problem hiding this comment.
This is an API-breaking change, but I think it should be acceptable since an empty clientIPDetection is not meaningful and is unlikely to be used in existing setups. cc @envoyproxy/gateway-maintainers
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
feat
What this PR does / why we need it:
Adds
ClientTrafficPolicy.spec.clientIPDetection.downstreamRemoteAddressas an explicit third client-IP source for GeoIP authorization.When this field is set, Envoy Gateway emits the GeoIP filter without
xff_configand withoutcustom_header_config, so Envoy uses the immediate downstream connection source address.This enables
SecurityPolicy.authorization.rules[].principal.clientIPGeoLocationsin L4-transparent topologies (for example AWS NLBtarget-type: instance+externalTrafficPolicy: Local, Azure Standard Load Balancer).Per maintainer feedback on #8955, behavior is explicit opt-in (new field), not implicit fallback from missing
clientIPDetection.Changes
DownstreamRemoteAddressSettingsandclientIPDetection.downstreamRemoteAddress.xForwardedFor/customHeader/downstreamRemoteAddress) via CELsize() == 1.clientIPDetectionfor GeoIP auth and add a defensive runtime exactly-one check.DownstreamRemoteAddressbranch in GeoIP filter generation.Which issue(s) this PR fixes:
Fixes #8955
Release Notes: Yes