Filter IPs using istio instead of in the load balancer (#1214)

moritzkiefer-da · cocreature · web-flow · commit c08ad57271eb · 2025-06-25T16:04:35.000+02:00
* Filter IPs using istio instead of in the load balancer I tested: 1. Deploy the infra stack on a scratchnet 2. Add a few thousand IPs and test that nothing seems to explode. 3. Validate that access from another scratchnet fails. 4. Add the IP from the other scratchnet at the end of the few thousand IPs. 5. Validate that access works. 6. Remove IP and check that access fails again. [static] Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org> * expected files [static] Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org> * issue link fixes DACH-NY/canton-network-internal#626 [static] Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org> * allow node pool ips [static] Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org> * fmt or something [static] Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org> --------- Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org> Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
diff --git a/cluster/expected/infra/expected.json b/cluster/expected/infra/expected.json
@@ -1103,6 +1103,132 @@
     "provider": "",
     "type": "kubernetes:cert-manager.io/v1:Issuer"
   },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "apiVersion": "security.istio.io/v1beta1",
+      "kind": "AuthorizationPolicy",
+      "metadata": {
+        "name": "istio-access-policy-allow-0",
+        "namespace": "cluster-ingress"
+      },
+      "spec": {
+        "action": "ALLOW",
+        "rules": [
+          {
+            "from": [
+              {
+                "source": {
+                  "remoteIpBlocks": [
+                    "<internal IPs>",
+                    "1.2.3.4/32",
+                    "5.6.7.8/32",
+                    "11.12.13.14/32",
+                    "4.3.2.1/32",
+                    "8.7.6.5/32",
+                    "8.7.6.4/32",
+                    "9.8.7.6/32",
+                    "11.22.33.45/32",
+                    "12.34.56.78/32",
+                    "10.160.0.0/16"
+                  ]
+                }
+              }
+            ]
+          }
+        ],
+        "selector": {
+          "matchLabels": {
+            "app": "istio-ingress"
+          }
+        }
+      }
+    },
+    "name": "istio-access-policy-allow-0",
+    "provider": "",
+    "type": "kubernetes:security.istio.io/v1beta1:AuthorizationPolicy"
+  },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "apiVersion": "security.istio.io/v1beta1",
+      "kind": "AuthorizationPolicy",
+      "metadata": {
+        "name": "istio-access-policy-allow-public-0",
+        "namespace": "cluster-ingress"
+      },
+      "spec": {
+        "action": "ALLOW",
+        "rules": [
+          {
+            "from": [
+              {
+                "source": {
+                  "remoteIpBlocks": [
+                    "0.0.0.0/0"
+                  ]
+                }
+              }
+            ]
+          }
+        ],
+        "selector": {
+          "matchLabels": {
+            "app": "istio-ingress-public"
+          }
+        }
+      }
+    },
+    "name": "istio-access-policy-allow-public-0",
+    "provider": "",
+    "type": "kubernetes:security.istio.io/v1beta1:AuthorizationPolicy"
+  },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "apiVersion": "security.istio.io/v1beta1",
+      "kind": "AuthorizationPolicy",
+      "metadata": {
+        "name": "istio-access-policy-deny-all-public",
+        "namespace": "cluster-ingress"
+      },
+      "spec": {
+        "selector": {
+          "matchLabels": {
+            "app": "istio-ingress-public"
+          }
+        }
+      }
+    },
+    "name": "istio-access-policy-deny-all-public",
+    "provider": "",
+    "type": "kubernetes:security.istio.io/v1beta1:AuthorizationPolicy"
+  },
+  {
+    "custom": true,
+    "id": "",
+    "inputs": {
+      "apiVersion": "security.istio.io/v1beta1",
+      "kind": "AuthorizationPolicy",
+      "metadata": {
+        "name": "istio-access-policy-deny-all",
+        "namespace": "cluster-ingress"
+      },
+      "spec": {
+        "selector": {
+          "matchLabels": {
+            "app": "istio-ingress"
+          }
+        }
+      }
+    },
+    "name": "istio-access-policy-deny-all",
+    "provider": "",
+    "type": "kubernetes:security.istio.io/v1beta1:AuthorizationPolicy"
+  },
   {
     "custom": true,
     "id": "",
@@ -1321,16 +1447,7 @@
         "service": {
           "externalTrafficPolicy": "Local",
           "loadBalancerSourceRanges": [
-            "<internal IPs>",
-            "1.2.3.4/32",
-            "5.6.7.8/32",
-            "11.12.13.14/32",
-            "4.3.2.1/32",
-            "8.7.6.5/32",
-            "8.7.6.4/32",
-            "9.8.7.6/32",
-            "11.22.33.45/32",
-            "12.34.56.78/32"
+            "0.0.0.0/0"
           ],
           "ports": [
             {
diff --git a/cluster/pulumi/common/src/dump-config-common.ts b/cluster/pulumi/common/src/dump-config-common.ts
@@ -14,6 +14,7 @@ export enum PulumiFunction {
   GCP_GET_PROJECT = 'gcp:organizations/getProject:getProject',
   GCP_GET_SUB_NETWORK = 'gcp:compute/getSubnetwork:getSubnetwork',
   GCP_GET_SECRET_VERSION = 'gcp:secretmanager/getSecretVersion:getSecretVersion',
+  GCP_GET_CLUSTER = 'gcp:container/getCluster:getCluster',
 }
 
 export class SecretsFixtureMap extends Map<string, Auth0ClientSecret> {
@@ -176,6 +177,10 @@ export async function initDumpConfig(): Promise<void> {
               );
               break;
             }
+          case PulumiFunction.GCP_GET_CLUSTER:
+            return {
+              nodePools: [{ networkConfigs: [{ podIpv4CidrBlock: '10.160.0.0/16' }] }],
+            };
           case PulumiFunction.GCP_GET_SECRET_VERSION:
             if (args.inputs.secret.startsWith('sv') && args.inputs.secret.endsWith('-id')) {
               return {
diff --git a/cluster/pulumi/infra/src/istio.ts b/cluster/pulumi/infra/src/istio.ts
@@ -1,5 +1,6 @@
 // Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
+import * as gcp from '@pulumi/gcp';
 import * as k8s from '@pulumi/kubernetes';
 import * as pulumi from '@pulumi/pulumi';
 import { local } from '@pulumi/command';
@@ -8,8 +9,10 @@ import { PodMonitor, ServiceMonitor } from 'splice-pulumi-common/src/metrics';
 
 import {
   activeVersion,
+  CLUSTER_NAME,
   DecentralizedSynchronizerUpgradeConfig,
   ExactNamespace,
+  GCP_PROJECT,
   getDnsNames,
   HELM_MAX_HISTORY_SIZE,
   infraAffinityAndTolerations,
@@ -154,6 +157,16 @@ function configureInternalGatewayService(
   ingressIp: pulumi.Output<string>,
   istiod: k8s.helm.v3.Release
 ) {
+  const cluster = gcp.container.getCluster({
+    name: CLUSTER_NAME,
+    project: GCP_PROJECT,
+  });
+  // The loopback traffic would be prevented by our policy. To still allow it, we
+  // add the node pool ip ranges to the list.
+  // eslint-disable-next-line promise/prefer-await-to-then
+  const internalIPRanges = cluster.then(c =>
+    c.nodePools.map(p => p.networkConfigs.map(c => c.podIpv4CidrBlock)).flat()
+  );
   const externalIPRanges = loadIPRanges();
   // see notes when installing a CometBft node in the full deployment
   const cometBftIngressPorts = DecentralizedSynchronizerUpgradeConfig.runningMigrations()
@@ -166,7 +179,7 @@ function configureInternalGatewayService(
   return configureGatewayService(
     ingressNs,
     ingressIp,
-    externalIPRanges,
+    pulumi.all([externalIPRanges, internalIPRanges]).apply(([a, b]) => a.concat(b)),
     [
       ingressPort('grpc-cd-pub-api', 5008),
       ingressPort('grpc-cs-p2p-api', 5010),
@@ -286,6 +299,57 @@ function configurePublicGatewayService(
   );
 }
 
+const istioApiVersion = 'security.istio.io/v1beta1';
+
+function istioAccessPolicies(
+  ingressNs: k8s.core.v1.Namespace,
+  externalIPRanges: pulumi.Output<string[]>,
+  suffix: string
+) {
+  const selector = {
+    matchLabels: {
+      app: `istio-ingress${suffix}`,
+    },
+  };
+  const defaultDenyAll = new k8s.apiextensions.CustomResource(
+    `istio-access-policy-deny-all${suffix}`,
+    {
+      apiVersion: istioApiVersion,
+      kind: 'AuthorizationPolicy',
+      metadata: {
+        name: `istio-access-policy-deny-all${suffix}`,
+        namespace: ingressNs.metadata.name,
+      },
+      // empty spec is deny all
+      spec: { selector },
+    }
+  );
+  return externalIPRanges.apply(ipRanges => {
+    // There doesn't seem to be an istio-level limit on number of IP lists but at some point we probably hit some k8s limits on the size of a definition so we split it into 100 IP ranges per policy.
+    const chunkSize = 100;
+    const chunks = Array.from({ length: Math.ceil(ipRanges.length / chunkSize) }, (_, i) =>
+      ipRanges.slice(i * chunkSize, i * chunkSize + chunkSize)
+    );
+    const policies = chunks.map(
+      (chunk, i) =>
+        new k8s.apiextensions.CustomResource(`istio-access-policy-allow${suffix}-${i}`, {
+          apiVersion: istioApiVersion,
+          kind: 'AuthorizationPolicy',
+          metadata: {
+            name: `istio-access-policy-allow${suffix}-${i}`,
+            namespace: ingressNs.metadata.name,
+          },
+          spec: {
+            selector,
+            action: 'ALLOW',
+            rules: [{ from: [{ source: { remoteIpBlocks: chunk } }] }],
+          },
+        })
+    );
+    return [defaultDenyAll].concat(policies);
+  });
+}
+
 // Note that despite the helm chart name being "gateway", this does not actually
 // deploy an istio "gateway" resource, but rather the istio-ingress LoadBalancer
 // service and the istio-ingress pod.
@@ -297,6 +361,7 @@ function configureGatewayService(
   istiod: k8s.helm.v3.Release,
   suffix: string
 ) {
+  const istioPolicies = istioAccessPolicies(ingressNs, externalIPRanges, suffix);
   const gateway = new k8s.helm.v3.Release(
     `istio-ingress${suffix}`,
     {
@@ -326,7 +391,9 @@ function configureGatewayService(
         },
         service: {
           loadBalancerIP: ingressIp,
-          loadBalancerSourceRanges: externalIPRanges,
+          // We limit IPs using istio instead of through loadBalancerSourceRanges as the latter has a size limit.
+          // See https://github.com/DACH-NY/canton-network-internal/issues/626
+          loadBalancerSourceRanges: ['0.0.0.0/0'],
           // See https://istio.io/latest/docs/tasks/security/authorization/authz-ingress/#network
           // If you are using a TCP/UDP network load balancer that preserves the client IP address ..
           // then you can use the externalTrafficPolicy: Local setting to also preserve the client IP inside Kubernetes by bypassing kube-proxy
@@ -343,7 +410,10 @@ function configureGatewayService(
       maxHistory: HELM_MAX_HISTORY_SIZE,
     },
     {
-      dependsOn: [ingressNs, istiod],
+      dependsOn: istioPolicies.apply(policies => {
+        const base: pulumi.Resource[] = [ingressNs, istiod];
+        return base.concat(policies);
+      }),
     }
   );
   // Turn on envoy access logging on the ingress gateway
