RBAC (proto)
This extension has the qualified name envoy.filters.http.rbac
Note
This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.
Tip
This extension extends and can be used with the following extension category:
This extension must be configured with one of the following type URLs:
Role-Based Access Control configuration overview.
extensions.filters.http.rbac.v3.RBAC
[extensions.filters.http.rbac.v3.RBAC proto]
RBAC filter config.
{
"rules": {...},
"rules_stat_prefix": ...,
"matcher": {...},
"shadow_rules": {...},
"shadow_matcher": {...},
"shadow_rules_stat_prefix": ...,
"track_per_rule_stats": ...
}
- rules
(config.rbac.v3.RBAC) The primary RBAC policy which will be applied globally, to all the incoming requests.
If absent, no RBAC enforcement occurs.
If set but empty, all requests are denied.
Note
When both rules and matcher are configured, rules will be ignored.
- rules_stat_prefix
(string) If specified, rules will emit stats with the given prefix. This is useful for distinguishing metrics when multiple RBAC filters are configured.
- matcher
(.xds.type.matcher.v3.Matcher) Match tree for evaluating RBAC actions on incoming requests. Requests not matching any matcher will be denied.
If absent, no RBAC enforcement occurs.
If set but empty, all requests are denied.
- shadow_rules
(config.rbac.v3.RBAC) Shadow policy for testing RBAC rules without enforcing them. These rules generate stats and logs but do not deny requests. If absent, no shadow RBAC policy will be applied.
Note
When both shadow_rules and shadow_matcher are configured, shadow_rules will be ignored.
- shadow_matcher
(.xds.type.matcher.v3.Matcher) Match tree for testing RBAC rules through stats and logs without enforcing them. If absent, no shadow matching occurs.
Warning
This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.
- shadow_rules_stat_prefix
(string) If specified, shadow rules will emit stats with the given prefix. This is useful for distinguishing metrics when multiple RBAC filters use shadow rules.
- track_per_rule_stats
(bool) If track_per_rule_stats is true, counters will be published for each rule and shadow rule.
extensions.filters.http.rbac.v3.RBACPerRoute
[extensions.filters.http.rbac.v3.RBACPerRoute proto]
{
"rbac": {...}
}
- rbac
(extensions.filters.http.rbac.v3.RBAC) Per-route specific RBAC configuration that overrides the global RBAC configuration. If absent, RBAC policy will be disabled for this route.
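The following listener configuration is an added example and is not taken from the Envoy documentation or the Envoy project. It wires together the filter-level fields described above (rules, shadow_rules, the two stat prefixes and track_per_rule_stats) with two RBACPerRoute overrides: one that supplies its own rules for /admin, and one with no rbac field, which disables RBAC on /healthz, the absent-means-disabled behaviour that is easy to trigger by accident. Cluster names, ports, paths and the SPIFFE identities are constructed for illustration; the listener's mTLS transport_socket is assumed and omitted, and without it the authenticated principals never match, so the ALLOW policies deny everything.

```yaml
# Added example (not from the Envoy docs). Listener-level RBAC filter with
# enforced rules, shadow rules for a candidate policy, per-rule stats, and two
# per-route overrides. Cluster names, ports and SPIFFE IDs are constructed.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              # Distinct prefixes keep enforced and shadow counters apart when
              # several RBAC filters share a stats sink.
              rules_stat_prefix: ingress_rbac_
              shadow_rules_stat_prefix: ingress_rbac_shadow_
              track_per_rule_stats: true   # one counter per policy name below
              # Enforced policy: with action ALLOW, anything not matched is denied.
              rules:
                action: ALLOW
                policies:
                  "allow-get-from-web":
                    permissions:
                    - header: { name: ":method", string_match: { exact: "GET" } }
                    principals:
                    # mTLS peer identity taken from the client certificate (assumed)
                    - authenticated:
                        principal_name: { exact: "spiffe://cluster.local/ns/frontend/sa/web" }
              # Shadow policy: counted and logged, never enforced. Use it to see
              # what a candidate rule would deny before promoting it to rules.
              shadow_rules:
                action: ALLOW
                policies:
                  "candidate-allow-api-writes":
                    permissions:
                    - and_rules:
                        rules:
                        - header: { name: ":method", string_match: { exact: "POST" } }
                        - url_path: { path: { prefix: "/api/" } }
                    principals:
                    - authenticated:
                        principal_name: { exact: "spiffe://cluster.local/ns/frontend/sa/web" }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              # RBACPerRoute with no "rbac" field disables RBAC on this route
              # entirely. Only do this for endpoints that are safe unauthenticated.
              - match: { path: "/healthz" }
                route: { cluster: backend }
                typed_per_filter_config:
                  envoy.filters.http.rbac:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
              # A per-route policy replaces the listener-level rules for /admin.
              - match: { prefix: "/admin" }
                route: { cluster: backend }
                typed_per_filter_config:
                  envoy.filters.http.rbac:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
                    rbac:
                      rules:
                        action: ALLOW
                        policies:
                          "admin-only":
                            permissions: [ { any: true } ]
                            principals:
                            - authenticated:
                                principal_name: { exact: "spiffe://cluster.local/ns/ops/sa/admin" }
              # Everything else falls through to the listener-level rules.
              - match: { prefix: "/" }
                route: { cluster: backend }
  clusters:
  - name: backend
    type: STATIC
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9000 }
```

Validate the file with `envoy --mode validate -c rbac.yaml` before loading it, and read the counters from the admin endpoint (`/stats?filter=rbac`) to compare the enforced and shadow prefixes: a non-zero shadow denied count on traffic you expect to keep is the signal that the candidate rule is not ready to move into rules. Note that a per-route rbac block replaces, rather than narrows, the filter-level rules, so the /admin policy above must be complete on its own.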