RBAC (proto)

This extension has the qualified name envoy.filters.http.rbac

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

Role-Based Access Control configuration overview.

extensions.filters.http.rbac.v3.RBAC

[extensions.filters.http.rbac.v3.RBAC proto]

RBAC filter config.

{
  "rules": {...},
  "rules_stat_prefix": ...,
  "matcher": {...},
  "shadow_rules": {...},
  "shadow_matcher": {...},
  "shadow_rules_stat_prefix": ...,
  "track_per_rule_stats": ...
}
rules

(config.rbac.v3.RBAC) The primary RBAC policy, applied globally to all incoming requests.

  • If absent, no RBAC enforcement occurs.

  • If set but empty, all requests are denied.

Note

When both rules and matcher are configured, rules will be ignored.

rules_stat_prefix

(string) If specified, rules will emit stats with the given prefix. This is useful for distinguishing metrics when multiple RBAC filters are configured.

matcher

(.xds.type.matcher.v3.Matcher) Match tree for evaluating RBAC actions on incoming requests. Requests not matching any matcher will be denied.

  • If absent, no RBAC enforcement occurs.

  • If set but empty, all requests are denied.

shadow_rules

(config.rbac.v3.RBAC) Shadow policy for testing RBAC rules without enforcing them. These rules generate stats and logs but do not deny requests. If absent, no shadow RBAC policy will be applied.

Note

When both shadow_rules and shadow_matcher are configured, shadow_rules will be ignored.

shadow_matcher

(.xds.type.matcher.v3.Matcher) Match tree for testing RBAC rules through stats and logs without enforcing them. If absent, no shadow matching occurs.

Warning

This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

shadow_rules_stat_prefix

(string) If specified, shadow rules will emit stats with the given prefix. This is useful for distinguishing metrics when multiple RBAC filters use shadow rules.

track_per_rule_stats

(bool) If track_per_rule_stats is true, counters will be published for each rule and shadow rule.

extensions.filters.http.rbac.v3.RBACPerRoute

[extensions.filters.http.rbac.v3.RBACPerRoute proto]

{
  "rbac": {...}
}
rbac

(extensions.filters.http.rbac.v3.RBAC) Per-route specific RBAC configuration that overrides the global RBAC configuration. If absent, RBAC policy will be disabled for this route.
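As an added example (not taken from the Envoy documentation), the two excerpts below wire the fields described above into an HTTP filter chain and a route: an enforced allow-list with a stricter shadow policy staged beside it, and a per-route override. Policy names, the SPIFFE ID and the cluster name are placeholders.

```yaml
# Excerpt 1: http_filters of an HTTP connection manager.
http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    # Enforced policy: only the listed request shapes are allowed, everything
    # else is denied. ("rules: {}" with no policies would deny every request.)
    rules:
      action: ALLOW
      policies:
        allow-health-check:
          permissions:
          - url_path:
              path: { exact: "/healthz" }
          principals:
          - any: true
    rules_stat_prefix: "rbac_enforced_"
    # Shadow policy: evaluated and counted, never enforced. Stage a tighter
    # policy here and watch the shadow stats before promoting it to "rules".
    shadow_rules:
      action: ALLOW
      policies:
        allow-frontend-api-reads:
          permissions:
          - and_rules:
              rules:
              - header:
                  name: ":method"
                  string_match: { exact: "GET" }
              - url_path:
                  path: { prefix: "/api/" }
          principals:
          - authenticated:
              principal_name: { exact: "spiffe://example.org/ns/default/sa/frontend" }
    shadow_rules_stat_prefix: "rbac_shadow_"
    # Per-policy counters for both rules and shadow_rules.
    track_per_rule_stats: true
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
---
# Excerpt 2: routes inside a virtual_hosts entry. Caveat: an RBACPerRoute with
# no "rbac" field does not inherit the global policy, it disables RBAC for the route.
routes:
- match: { prefix: "/public/" }
  route: { cluster: placeholder_cluster }
  typed_per_filter_config:
    envoy.filters.http.rbac:
      "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
```

With track_per_rule_stats enabled, compare the rbac_shadow_ counters against the rbac_enforced_ ones to confirm the staged policy admits exactly the traffic you expect before it is promoted.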