
Does the Envoy plugin support policies for non-HTTP protocols such as TCP? #3091

Closed
arthur-drozdov opened this issue Jan 23, 2021 · 9 comments
Labels
int-envoy Issues related to the opa-envoy-plugin question

Comments

@arthur-drozdov

If this is possible, I was wondering how I'm able to configure this for the Quick Start example?

Many thanks in advance

@srenatus srenatus added int-envoy Issues related to the opa-envoy-plugin question labels Jan 23, 2021
@srenatus
Contributor

https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/network/ext_authz/v2/ext_authz.proto I have yet to try it, but this makes me think it should be using the same ext_authz API. What do you see when configuring envoy to call the plugin for network filters...?

@arthur-drozdov
Author

I'm getting the following error message with quick_start.yaml.txt

 error initializing configuration '/config/envoy.yaml': Unable to parse JSON as proto (INVALID_ARGUMENT:(static_resources.listeners[0].filter_chains[0].filters[0].typed_config): invalid value Invalid type URL, unknown type: envoy.config.filter.network.ext_authz.v2 for type Any)

I think it might be a version/URL error, but I'm not sure if my envoy config is correct.

@srenatus
Contributor

✔️ Yes.

Concretely, I've changed the ext auth service to be used as a network filter, instead of as an HTTP filter, in the gRPC example we've got in opa-envoy-plugin:

diff --git a/examples/grpc/envoy.yaml b/examples/grpc/envoy.yaml
index f9a65289..f776a767 100644
--- a/examples/grpc/envoy.yaml
+++ b/examples/grpc/envoy.yaml
@@ -10,6 +10,14 @@ static_resources:
       socket_address: { address: 0.0.0.0, port_value: 51051 }
     filter_chains:
     - filters:
+      - name: envoy.network_ext_authz
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
+          stat_prefix: network_ext_authz
+          transport_api_version: V3
+          grpc_service:
+            envoy_grpc:
+              cluster_name: opa-envoy
       - name: envoy.filters.network.http_connection_manager
         typed_config:
           "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
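Review bot: the added network filter is named `envoy.network_ext_authz`, which does not follow the `envoy.filters.network.*` naming used by the adjacent `envoy.filters.network.http_connection_manager` entry; `envoy.filters.network.ext_authz` would be consistent with it. Consider also setting `failure_mode_allow: false` explicitly on the network filter, as the HTTP filter being replaced does, so the fail-closed behaviour is visible in the config instead of relying on the default.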
@@ -24,18 +32,6 @@ static_resources:
               - match: { prefix: "/" }
                 route: { cluster: testsrv, timeout: { seconds: 60 } }
           http_filters:
-          - name: envoy.ext_authz
-            typed_config:
-              '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
-              transport_api_version: V3
-              failure_mode_allow: false
-              grpc_service:
-                envoy_grpc:
-                  cluster_name: opa-envoy
-              with_request_body:
-                allow_partial_message: true
-                max_request_bytes: 1024
-                pack_as_bytes: true
           - name: envoy.filters.http.router
 
   clusters:
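Review bot: removing the HTTP ext_authz filter also drops `with_request_body` and every HTTP-level attribute (path, headers, body) from the authorization check, since the network filter only sees connection metadata; any rule in the example's policy.rego that keys on `parsed_path` or `parsed_body` will no longer be evaluated against real values. This change in what the policy can decide on should be called out next to the example's policy.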

Running docker compose up with that, and grpcurl -plaintext -protoset testsrv.pb 127.0.0.1:51051 test.KitchenSink/Ping in another terminal, we find the logs

grpc_opa-envoy_1 | {"decision_id":"18989029-cfe7-4789-87a8-25106ea8a250","input":{"attributes":{"destination":{"address":{"socketAddress":{"address":"172.19.0.3","portValue":51051}}},"source":{"address":{"socketAddress":{"address":"172.19.0.1","portValue":62650}}}},"parsed_body":null,"parsed_path":[""],"parsed_query":{},"truncated_body":false,"version":{"encoding":"protojson","ext_authz":"v3"}},"labels":{"id":"a4532edf-f860-43a0-a171-89ac580f04cc","version":"0.26.0-envoy"},"level":"info","metrics":{"timer_rego_query_eval_ns":70300,"timer_server_handler_ns":301700},"msg":"Decision Log","path":"envoy/authz/allow","requested_by":"","result":false,"time":"2021-01-25T07:45:00Z","timestamp":"2021-01-25T07:45:00.002589Z","type":"openpolicyagent.org/decision_logs"}

☝️ This makes sense because I haven't adjusted the policy.rego of the example. It serves as an example of the (limited) input you get in a network filter setting.
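As an added example (not from this thread or the opa-envoy-plugin repository), here is a policy.rego rewritten for the connection-level input shown in the decision log above: it allows a connection only when it targets the listener port and comes from a trusted client range. The 172.19.0.0/16 range is an assumption derived from the logged source address, and the package name envoy.authz matches the logged decision path envoy/authz/allow.

```rego
package envoy.authz

# Fail closed: anything not explicitly allowed is denied.
default allow = false

# Assumed trusted client range, taken from the source address in the
# decision log above (172.19.0.1); adjust to the real network.
trusted_clients = {"172.19.0.0/16"}

# Port the Envoy listener exposes for the gRPC test service (see envoy.yaml).
listener_port = 51051

# In a network filter the input carries only connection metadata:
# input.attributes.source / destination with socketAddress {address, portValue}.
# There is no path, no headers and no body to inspect here, so the decision
# can only be based on the addresses and ports.
allow {
    src := input.attributes.source.address.socketAddress
    dst := input.attributes.destination.address.socketAddress
    dst.portValue == listener_port
    trusted_source(src.address)
}

# True when the address falls inside any CIDR of the trusted set.
trusted_source(addr) {
    cidr := trusted_clients[_]
    net.cidr_contains(cidr, addr)
}
```

With the input from the decision log above, allow evaluates to true; a connection from outside the range or to a different port evaluates to false.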

@arthur-drozdov
Author

Thank you! I'm trying to adapt the Quick Start example with this, but I haven't quite managed. I'm trying to do it on Kubernetes (instead of docker-compose), so I will try again later maybe with the Istio example.

My issue was the following in the envoy proxy logs:

chown: changing ownership of '/dev/stdout': Operation not permitted
chown: changing ownership of '/dev/stderr': Operation not permitted

I tried using the ENVOY_UID environment variable for the envoy container, but that broke the opa-envoy container.

@srenatus
Contributor

Please refer to envoy's support with this... they've got an active slack channel, too.

@srenatus
Contributor

srenatus commented Jan 26, 2021

@DR0ZZA Envoy 1.17.0, by any chance? I just ran into the same issue, having used envoy 1.16 before (without issues). Ignore that, I was wrong. 😅

@srenatus
Contributor

@DR0ZZA Are you following the envoy tutorial from the docs page? I'm updating that as I write this, for #3101, and I'm facing the same problem. I'll let you know how it's resolved when I get there.

@srenatus
Contributor

@DR0ZZA I'm still on it, but I think this might be promising: https://gist.github.com/srenatus/fe899c6b12f36c3e04df92fe394184e2#file-deployment-yaml-L37-L49. Note that securityContext.runAsUser is removed and the env var is added. Opening a shell inside the running container reveals that the uid of the envoy user (running envoy) ends up as 1111 that way ✔️

@srenatus
Contributor

srenatus commented Feb 2, 2021

I'll close this one. Please re-open, or add a new issue if this hasn't been resolved for you.

@srenatus srenatus closed this as completed Feb 2, 2021