api: add sourceCIDRs field in SecurityPolicy for L4 IP filtering#8009
Merged
rudrakhp merged 4 commits intoenvoyproxy:mainfrom Jan 25, 2026
Merged
api: add sourceCIDRs field in SecurityPolicy for L4 IP filtering#8009rudrakhp merged 4 commits intoenvoyproxy:mainfrom
rudrakhp merged 4 commits intoenvoyproxy:mainfrom
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 canceled.
|
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
zhaohuabing
force-pushed
the
api-l4-ip-filtering
branch
from
6736fa5 to
9d3b2c9
Compare
zirain
previously approved these changes
Jan 22, 2026
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8009 +/- ##
==========================================
- Coverage 73.69% 73.67% -0.02%
==========================================
Files 237 237
Lines 35653 35653
==========================================
- Hits 26274 26269 -5
- Misses 7520 7524 +4
- Partials 1859 1860 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
zirain
approved these changes
Jan 22, 2026
cnvergence
approved these changes
Jan 22, 2026
rudrakhp
approved these changes
Jan 25, 2026
SadmiB
pushed a commit
to SadmiB/gateway
that referenced
this pull request
Jan 30, 2026
…oyproxy#8009) * API for L4 IP filtering Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Sadmi Bouhafs <sadmibouhafs@gmail.com>
zhaohuabing
added a commit
to zhaohuabing/gateway
that referenced
this pull request
Mar 10, 2026
…ing (envoyproxy#8009)" This reverts commit a97d57a. Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR extends the SecurityPolicy API to support L4 IP filtering by adding a new
SourceCIDRsfield to thePrincipalstruct.Currently, IP filtering in SecurityPolicy (using clientCIDRs) relies on L7 IP detection (e.g., X-Forwarded-For), which processes requests through the L7 filter chain before returning an RBAC error. As discussed in #7825, it is preferable to have a mechanism to drop connections early at the network level based on the direct peer IP.
By adding SourceCIDRs, we provide the API foundation to: