Skip to content

api: GeoIP#8002

Draft
zhaohuabing wants to merge 1 commit intoenvoyproxy:mainfrom
zhaohuabing:geoip-api
Draft

api: GeoIP#8002
zhaohuabing wants to merge 1 commit intoenvoyproxy:mainfrom
zhaohuabing:geoip-api

Conversation

@zhaohuabing
Copy link
Member

@zhaohuabing zhaohuabing commented Jan 21, 2026
edited
Loading

API for #4412 for discussion.

API:

  • Extend SecurityPolicy with a geoip block that configures client IP detection, provider selection, and allow/deny rules.
  • Support local MaxMind databases by exposing file paths (operators mount them via EnvoyProxy volumes).
  • Enforce access control within the GeoIP section.

Example:

  1. Create a PVC and mount it into Envoy via EnvoyProxy.spec.provider.kubernetes.pod.{volumes,container.volumeMounts}.
  2. Run MaxMind’s geoipupdate as a sidecar writing into the shared mount.
  3. Reference the .mmdb paths from a SecurityPolicy:
geoip:
  source:
    type: XFF
    xff:
      trustedHops: 2
  provider:
    type: MaxMind
    maxMind:
      cityDbPath: /var/lib/geoip/GeoLite2-City.mmdb
      asnDbPath: /var/lib/geoip/GeoLite2-ASN.mmdb
  access:
    rules:
      - action: Deny
        countries: ["AB","CD"]

This keeps vendor-specific download logic out of Envoy Gateway while giving users a native way to enforce GeoIP-based policies.

Alternate approach:

Push GeoIP decisions into SecurityPolicy.authorization by matching on the headers the GeoIP filter emits. That technically works (you’d add header conditions under uthorization.rules[].principal.headers), but it’s brittle: users must remember the exact header names, every policy has to duplicate the boilerplate, and any future header renames become breaking. Embedding allow/deny rules inside the geoip block keeps the UX intuitive—configure lookup + provider + enforcement in one place—and lets the controller manage header wiring internally.

@zhaohuabing zhaohuabing requested a review from a team as a code owner January 21, 2026 02:49
@netlify
Copy link

netlify bot commented Jan 21, 2026
edited
Loading

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit e930544
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6971fd78538f1500082f47d6
😎 Deploy Preview https://deploy-preview-8002--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@zhaohuabing zhaohuabing marked this pull request as draft January 21, 2026 02:49
@zhaohuabing zhaohuabing force-pushed the geoip-api branch 2 times, most recently from dd737d9 to 16882c2 Compare January 21, 2026 02:55
@codecov
Copy link

codecov bot commented Jan 21, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.48%. Comparing base (33d80db) to head (e930544).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8002      +/-   ##
==========================================
- Coverage   73.54%   73.48%   -0.06%     
==========================================
  Files         237      237              
  Lines       35631    35631              
==========================================
- Hits        26204    26185      -19     
- Misses       7566     7582      +16     
- Partials     1861     1864       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zhaohuabing zhaohuabing mentioned this pull request Jan 21, 2026
Open
@zhaohuabing zhaohuabing marked this pull request as ready for review January 21, 2026 03:06
@zhaohuabing zhaohuabing force-pushed the geoip-api branch 3 times, most recently from 3a6461f to b56a4b1 Compare January 21, 2026 04:00
@zhaohuabing zhaohuabing changed the title API: GeoIP api: GeoIP Jan 21, 2026
@zhaohuabing
API: GeoIP
e930544 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@funkluk
Copy link

funkluk commented Jan 22, 2026
edited by zhaohuabing
Loading

Hi @zhaohuabing
Thanks for your effort - we would look forward to having such a feature!
IMHO, I would rather see a solution more like the one you described in the alternative approach.
I see three parts in your configuration:

  1. ClientIP Source
  2. GeoIP Database source
  3. Access rules based on geo information

Client IP Source

In my opinion, this setting is redundant to [ClientIPDetectionSettings](https://gateway.envoyproxy.io/latest/api/extension_types/#clientipdetectionsettings) from ClientTrafficPolicy`.
Therefore, I wouldn't repeat that here and rely on this setting.
Or do you see a use-case that would make sense to have two separate settings?

Envoy allows the different XFF configuration for HCM and GeoIP filter, I don't know the exact reason, but there might be use cases that they could be different?

Huabing:
Envoy supports configuring XFF differently for HCM and the GeoIP filter. I’m not sure why, but there may be edge cases where they need to diverge.

One possible use case is that different routes may need different XFF settings (e.g., different source headers or different hop counts). That isn’t feasible with ClientTrafficPolicy today since it applies at the Gateway level, not per-route.

Another concern with this approach is that it would generate XFF configuration for both the HCM and the GeoIP filter. That could have unintended side effects in cases where HCM-level XFF configuration isn’t desired.

That said, I think consolidating this in one place in the control plane is a better UX and helps avoid misconfiguration. An optional XFF configuration in the SecurityPolicy should also be supported to allow route-level configuration.

ref:

GeoIP Database source

The database source is an infrastructure responsibility, and I don't see that this information should be provided for each SecurityPolicy. As an application owner, I just want to enable GeoIP access rules without the need to know where the DB is located.
Besides, you might want to have the geo information in the access logs, so this would also require configuring geolocation detection on a cluster level.
Therefore, I would see the option to enable a GeoIP Provider on a cluster level, for example, in the EnvoyProxy or EnvoyGatway spec.

Huabing:
Agree, it makes more sense to share the provider info across SPs.

Access rules

I think configuring access decision with geo location information as part of the SecurityPolicy.authorization rules would be the way to go. I agree with your concern about using the existing header principal. But what would you think about extending principal with geoLocation or clientLocation?

geolocation:
    countries: ["AB", "CD"]
    cities: []
    asns: []
    ...

This would ensure that the geo information population and the headers to match are entirely within the responsibility of the controller manager.

Huabing:
Yeah, this would work, and it allows using geo information with other conditions for more flexible access control.

What do you think?

Huabing:
All the suggestions are legitimate. One main concern I have is that GeoIP configuration would be spread across four places:

  • EnvoyGateway / EnvoyProxy for providers
  • ClientTrafficPolicy for source IP
  • SecurityPolicy (GeoIP) for the provider reference
  • SecurityPolicy (Authorization) for access control

That feels harder for users to understand and configure correctly.

@zhaohuabing zhaohuabing marked this pull request as draft January 23, 2026 07:15
@sboulkour
Copy link

sboulkour commented Feb 11, 2026

Hi @zhaohuabing, do you know if this a PR that could be shipped with v1.8.0 ?

My team and I are currently benchmarking possible replacement of ingress-nginx, and Envoy Gateway has been a great candidate so far. Except on one mandatory feature for us that is GeoIP filtering (to deny countries under embargo). I know this is debatable in terms of real protection, but this is more of a legal matter and we can't do this without this feature.

BTW, thank you very much for your work (you personnaly and Envoy/Gateway teams in general) on this project !

@zhaohuabing
Copy link
Member Author

zhaohuabing commented Feb 11, 2026
edited
Loading

@funkluk replied to your comment inline(text in italics) to make it easier to follow.

@zhaohuabing
Copy link
Member Author

zhaohuabing commented Feb 11, 2026
edited
Loading

@sboulkour No guarantees, but aiming for v1.8.0 — and it looks very likely if we can agree on the API.

@zhaohuabing zhaohuabing added this to the v1.8.0-rc.1 Release milestone Feb 12, 2026
@funkluk
Copy link

funkluk commented Feb 13, 2026

@zhaohuabing seems like we are on the same page, and I fully agree that the drawback is that the config is a bit more cluttered. But on the other hand, it allows IMHO a more flexible usage.

Two last remarks:

  1. I'm not sure if we currently need more than one provider, as Envoy proxy has no other implementation than the MaxMind provider. I don't see a practical use-case of having two different database sets in the same gateway... This would also remove the requirement that we have to select the provider in the SecurityPolicy

  2. IMHO I'd wait before implementing an XFF configuration on route-level until someone comes up with the actual need...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.8.0-rc.1 Release

Development

Successfully merging this pull request may close these issues.

3 participants

@zhaohuabing @funkluk @sboulkour

Comments