Skip to content

Add CSRF policy support to TrafficPolicy #11302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
npolshakova merged 15 commits into from
Jun 16, 2025
Merged

Add CSRF policy support to TrafficPolicy #11302

npolshakova merged 15 commits into from
Jun 16, 2025

Conversation

@ymesika
Copy link
Contributor

@ymesika ymesika commented May 29, 2025

Description

PR adds support for configuring a CSRF policy in the TrafficPolicy.
This translates into Envoy's CSRF filter.

Fixes #11186

Change Type

/kind new_feature

Changelog

Support for CSRF policy has been added to the TrafficPolicy.

Additional Notes

Copilot AI review requested due to automatic review settings May 29, 2025 06:52
@github-actions github-actions bot added kind/feature Categorizes issue or PR as related to a new feature. release-note labels May 29, 2025
Copilot AI reviewed May 29, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Adds support for a new CSRF policy on TrafficPolicy, translating it into Envoy’s CSRF filter and providing end-to-end tests.

  • Introduces a new csrf feature package with manifests and e2e tests.
  • Extends the API (types, deepcopy, applyconfig, CRD) to include CsrfPolicy.
  • Updates the traffic policy plugin to translate and insert the Envoy CSRF filter.

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
test/kubernetes/e2e/tests/kgateway_tests.go Imports and registers the new CSRF testing suite
test/kubernetes/e2e/features/csrf/{types.go,suite.go,testdata/*.yaml} New CSRF test suite, helper types, and YAML manifests
internal/kgateway/setup/testdata/standard/{csrf-.yaml,csrf--out.yaml} Standard input/output test data for CSRF route & gateway
internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go Translation and filter insertion logic for CSRF
api/v1alpha1/traffic_policy_types.go Adds CsrfPolicy field and type definition
install/helm/kgateway-crds/templates/gateway.kgateway.dev_trafficpolicies.yaml Updates CRD schema to include CSRF settings
Comments suppressed due to low confidence (2)

test/kubernetes/e2e/features/csrf/suite.go:99

  • There’s no test for the shadow-only mode (PercentageShadowed). Add a case where PercentageEnabled is 0 and PercentageShadowed is non-zero to verify CSRF shadow behavior.
func (s *testingSuite) TestRouteLevelCSRF() {

internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go:1262

  • The code references envoy_core_v3.RuntimeFractionalPercent but the core v3 package isn’t imported. Please add github.com/envoyproxy/go-control-plane/envoy/config/core/v3 aliased as envoy_core_v3.
FilterEnabled: &envoy_core_v3.RuntimeFractionalPercent{

nfuden
nfuden reviewed May 31, 2025
View reviewed changes
internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go Outdated
}
if _, ok := p.csrfInChain[fcn]; !ok {
p.csrfInChain[fcn] = &envoy_csrf_v3.CsrfPolicy{
FilterEnabled: &envoy_core_v3.RuntimeFractionalPercent{
Copy link
Contributor

@nfuden nfuden May 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we started a discussion on how to handle runtime keys?
I think we may want a doc or at least a discussion in a community meeting or something to codify it.

Namely I state this as runtimefractionals WITHOUT a key have bitten previous implementations pretty hard and I think we need to decide early if we want to try to plumb the runtime key naming in interesting ways

Copy link
Contributor Author

@ymesika ymesika Jun 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nfuden This is "empty" filter being added to filter chain just so that the inner policies will be applied. The typed filter config do have runtime keys (here and here). (I will push a commit that changes the keys to envoy.csrf.filter_enabled and envoy.csrf.shadow_enabled though).

As for the generic approach, I can open an issue for this to track and discuss this over it.

sam-heilbron
sam-heilbron reviewed Jun 4, 2025
View reviewed changes
dhaifley
dhaifley approved these changes Jun 4, 2025
View reviewed changes
Copy link
Contributor

@dhaifley dhaifley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not a write access contributor, but I have reviewed this PR and verified the end to end test appears valid and passes in my local environment. Given what I know of it, the CSRF policy implementation looks good.

@ymesika ymesika requested a review from npolshakova June 11, 2025 15:19
sam-heilbron
sam-heilbron reviewed Jun 11, 2025
View reviewed changes
Copy link
Contributor

@sam-heilbron sam-heilbron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

api/v1alpha1/shared_types.go
// Example: abc matches the value xyz.abc
Suffix string `json:"suffix,omitempty"`

// The input string must match the Google RE2 regular expression specified here.
Copy link
Contributor

@sam-heilbron sam-heilbron Jun 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"must match" to me implies that some behavior will occur if it does not. Could/Should we clarify that?

Copy link
Contributor Author

@ymesika ymesika Jun 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please help with phrasing it in clearer way?
I took this from: https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/string.proto#envoy-v3-api-msg-type-matcher-v3-stringmatcher

Copy link
Contributor

@danehans danehans Jun 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to be consistent with Envoy stringmatcher.

danehans
danehans reviewed Jun 11, 2025
View reviewed changes
@sam-heilbron sam-heilbron added this pull request to the merge queue Jun 16, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jun 16, 2025
npolshakova
npolshakova reviewed Jun 16, 2025
View reviewed changes
npolshakova
npolshakova reviewed Jun 16, 2025
View reviewed changes
@npolshakova npolshakova added this pull request to the merge queue Jun 16, 2025
Merged via the queue into kgateway-dev:main with commit 76c3b8d Jun 16, 2025
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@danehans danehans danehans approved these changes

@sam-heilbron sam-heilbron sam-heilbron approved these changes

@npolshakova npolshakova npolshakova approved these changes

@nfuden nfuden Awaiting requested review from nfuden

+1 more reviewer

@dhaifley dhaifley dhaifley approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

kind/feature Categorizes issue or PR as related to a new feature. release-note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement CSRF

6 participants

@ymesika @danehans @sam-heilbron @dhaifley @npolshakova @nfuden