
CFP: propagate gateway annotation for source-range/dual-stack to the load-balancer managed by the gateway #32488

Open
christiancadieux opened this issue May 11, 2024 · 0 comments
Labels
kind/feature This introduces new functionality.

Comments


christiancadieux commented May 11, 2024

Cilium Feature Proposal

Thanks for taking time to make a feature proposal for Cilium! If you have usage questions, please try the slack channel and see the FAQ first.

Is your proposed feature related to a problem?
Need source-range support in the load-balancer service controlled by a gateway resource.

If so, please describe the problem
The gateway operator controls the load-balancer service. Need the ability to enter the source-range information in the gateway resource as an annotation and have this annotation propagated.
I know there is or will be a new 'infrastructure' field in the gateway, but it's experimental at this point and does not currently propagate - and I could not find 'infrastructure' in the Gateway CRD.
There is also the old service annotation syntax 'service.beta.kubernetes.io/load-balancer-source-ranges', but that does not work either.

Important for the Following Reasons

This feature is important because there are multiple cases where networkPolicies cannot correctly restrict ingress access from external clients, where client CIDRs are involved:

  • When services are configured as 'externalTrafficPolicy: Cluster' (and DSR is not used), the pods lose the source IP of the client and the networkPolicies do not work (traffic is not consistently seen as coming from the real client IP - as explained in the Cilium doc).
  • When a Gateway (or Ingress) is involved, the networkPolicies (on the pods behind the gateway) do not see the client source IP; they only see the address of the Envoy proxy (categorized by Cilium as 'ingress'). Also ineffective for securing ingress.
  • Any other configuration where there are multiple hops inside the namespace - for example, if an nginx-ingress-controller is involved, then the client source IP is likewise not seen by the pods and the networkPolicies using fromCIDR do not work.

Not sure that this issue and these reasons apply to all the Cilium configurations. But it does at least apply to this configuration (kubeProxyReplacement: true, bpf-lb-mode: dsr, routing-mode: tunnel, tunnel-protocol: geneve).

Restricting external access to the services (type=LoadBalancer) using loadBalancerSourceRanges seems like a good approach. A more complete and consistent Cilium solution would involve allowing ciliumCidrGroups in loadBalancerSourceRanges - but that is more difficult to implement since it requires changes to the Service spec and a watch on all the ciliumCidrGroups.

Describe the feature you'd like
An annotation with a specific name is added to the gateway.
This annotation is propagated to the load-balancer service controlled by the gateway and translated into spec.loadBalancerSourceRanges.

See fork main...christiancadieux:cilium-tsf:main for a working example using the annotation 'service.kubernetes.io/lb-source-ranges'.

gateway:

kind: Gateway
metadata:
  annotations:
   service.kubernetes.io/lb-source-ranges: 1.1.1.1/32,1.1.1.2/32,1.1.1.3/32
   service.kubernetes.io/lb-family-policy: PreferDualStack

becomes the following in the load-balancer controlled by the gateway:

spec:
  loadBalancerSourceRanges:
   - 1.1.1.1/32
   - 1.1.1.2/32
   - 1.1.1.3/32

(Optional) Describe your proposed solution
Pass the annotation to the service and translate the CIDRs into the loadBalancerSourceRanges list.

Please complete this section if you have ideas / suggestions on how to implement the feature. We strongly recommend discussing your approach with Cilium committers before spending lots of time implementing a change.

For longer proposals, you are welcome to link to an external doc (e.g. a Google doc). We have a Cilium Feature Proposal template to help you structure your proposal - if you would like to use it, please make a copy and ensure it's publicly visible, and then add the link here.

Once the CFP is close to being finalized, please add it as a PR to the design-cfps repo for final approval.
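The translation step described in this proposal, as an added example written for this page in Go; it is not code from the linked fork or from Cilium, and it works on a stand-in struct (LBSpec) rather than the Kubernetes Service type. The annotation keys are the ones used in the proposal; ParseSourceRanges and ApplyAnnotations are hypothetical names, and the Gateway annotations in main are a constructed sample. The point a reviewer would want covered is that the reconcile fails closed: an entry that does not parse returns an error instead of being dropped, because writing an empty loadBalancerSourceRanges means "allow from anywhere". Rejecting CIDRs with host bits set (10.1.2.3/24 would otherwise silently widen to 10.1.2.0/24) is an extra strictness chosen here, not something the proposal requires.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Annotation keys as proposed in the issue (hypothetical; not a shipped Cilium API).
const (
	AnnotationSourceRanges = "service.kubernetes.io/lb-source-ranges"
	AnnotationFamilyPolicy = "service.kubernetes.io/lb-family-policy"
)

// LBSpec stands in for the two Service spec fields the proposal wants to set.
type LBSpec struct {
	LoadBalancerSourceRanges []string
	IPFamilyPolicy           string
}

// The values Kubernetes accepts for spec.ipFamilyPolicy.
var validFamilyPolicies = map[string]bool{
	"SingleStack": true, "PreferDualStack": true, "RequireDualStack": true,
}

// ParseSourceRanges turns the comma-separated annotation value into canonical,
// de-duplicated CIDRs. It fails closed: any entry that does not parse is an
// error rather than being skipped, so a typo cannot turn into "allow all".
func ParseSourceRanges(raw string) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	for _, item := range strings.Split(raw, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		ip, ipnet, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q in %s: %w", item, AnnotationSourceRanges, err)
		}
		// Host bits set (e.g. 10.1.2.3/24) would be silently widened to the
		// network address; refuse it so the operator sees the mistake.
		if !ip.Equal(ipnet.IP) {
			return nil, fmt.Errorf("CIDR %q has host bits set (did you mean %s?)", item, ipnet.String())
		}
		canon := ipnet.String()
		if !seen[canon] {
			seen[canon] = true
			out = append(out, canon)
		}
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("%s is set but contains no CIDRs", AnnotationSourceRanges)
	}
	return out, nil
}

// ApplyAnnotations propagates the Gateway annotations onto the Service spec.
// An absent annotation leaves the corresponding field untouched.
func ApplyAnnotations(annotations map[string]string, spec *LBSpec) error {
	if raw, ok := annotations[AnnotationSourceRanges]; ok {
		ranges, err := ParseSourceRanges(raw)
		if err != nil {
			return err
		}
		spec.LoadBalancerSourceRanges = ranges
	}
	if policy, ok := annotations[AnnotationFamilyPolicy]; ok {
		policy = strings.TrimSpace(policy)
		if !validFamilyPolicies[policy] {
			return fmt.Errorf("invalid %s value %q", AnnotationFamilyPolicy, policy)
		}
		spec.IPFamilyPolicy = policy
	}
	return nil
}

func main() {
	// Constructed sample mirroring the Gateway annotations in the proposal.
	gatewayAnnotations := map[string]string{
		AnnotationSourceRanges: "1.1.1.1/32,1.1.1.2/32,1.1.1.3/32",
		AnnotationFamilyPolicy: "PreferDualStack",
	}
	var spec LBSpec
	if err := ApplyAnnotations(gatewayAnnotations, &spec); err != nil {
		fmt.Println("reconcile error:", err)
		return
	}
	fmt.Printf("loadBalancerSourceRanges: %v\nipFamilyPolicy: %s\n",
		spec.LoadBalancerSourceRanges, spec.IPFamilyPolicy)
}
```

Setting the field is only half of the control: whether the ranges are actually enforced depends on what implements the LoadBalancer (a cloud provider's controller or Cilium's own BGP/L2 service LB), so after propagation it is worth checking from a source outside the listed ranges that the VIP really refuses traffic.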

@christiancadieux christiancadieux added the kind/feature This introduces new functionality. label May 11, 2024
@christiancadieux christiancadieux changed the title CFP: propagate gateway annotatoins for source-range to the load-balancer managed by the gateway CFP: propagate gateway annotation for source-range to the load-balancer managed by the gateway May 12, 2024
@christiancadieux christiancadieux changed the title CFP: propagate gateway annotation for source-range to the load-balancer managed by the gateway CFP: propagate gateway annotation for source-range/dual-stack to the load-balancer managed by the gateway May 16, 2024