Support Allow/Deny IP Subnets

[arkodg]

Description:

Describe the desired behavior, what scenario it enables and how it
would be used.

As a user, I would like to limit the client IP address to a few subnets for some cases as well as also deny specific subnets

[arkodg]

Envoy supports this https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-principal

does this feature belong in ClientTrafficPolicy or SecurityPolicy ?

[tmsnan]

Vote for SecurityPolicy, access control is reasonable as a security policy.

[arkodg]

if the SecurityPolicy with ip subnet info is applied at the Gateway level, it can be overridden at the route level if another SecurityPolicy is applied at route level

[tmsnan]

Is it possible to add a disclaimer stating that the use of routing override is not recommended?

[zhaohuabing]

Should RBAC #2250 be the right home for this?

[zhaohuabing]

https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-principal

if the SecurityPolicy with ip subnet info is applied at the Gateway level, it can be overridden at the route level if another SecurityPolicy is applied at route level

I didn't get it. A route level SecurityPolicy without Allow/Deny IP setting won't override the Allow/Deny IP setting in Gateway level. "Allow/Deny IP Subnets" should be only configured at the gateway level?

gateway/internal/gatewayapi/securitypolicy.go

Lines 359 to 374 in 95f4c10

	for _, http := range ir.HTTP {
	for _, r := range http.Routes {
	// Apply if not already set
	if r.CORS == nil {
	r.CORS = cors
	}
	if r.JWT == nil {
	r.JWT = jwt
	}
	if r.OIDC == nil {
	r.OIDC = oidc
	}
	if r.BasicAuth == nil {
	r.BasicAuth = basicAuth
	}
	}

[zetaab]

well at least I have use case that same gateway should be apple to serve clients from the internet, but some routes need to have allow/deny ip setting.