RBAC (proto)
This extension has the qualified name envoy.filters.http.rbac
Note
This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.
Tip
This extension extends and can be used with the following extension category:
This extension must be configured with one of the following type URLs:
Role-Based Access Control configuration overview.
extensions.filters.http.rbac.v3.RBAC
[extensions.filters.http.rbac.v3.RBAC proto]
RBAC filter config.
{
  "rules": {...},
  "rules_stat_prefix": ...,
  "matcher": {...},
  "shadow_rules": {...},
  "shadow_matcher": {...},
  "shadow_rules_stat_prefix": ...,
  "track_per_rule_stats": ...
}
- rules
(config.rbac.v3.RBAC) Specify the RBAC rules to be applied globally. If absent, no enforcing RBAC policy will be applied. If present and empty, DENY. If both rules and matcher are configured, rules will be ignored.
- rules_stat_prefix
(string) If specified, rules will emit stats with the given prefix. This is useful for distinguishing the stats when more than one RBAC filter is configured with rules.
- matcher
(.xds.type.matcher.v3.Matcher) The match tree to use when resolving the RBAC action for incoming requests. Requests that do not match any matcher will be denied. If absent, no enforcing RBAC matcher will be applied. If present and empty, deny all requests.
Warning
This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.
- shadow_rules
(config.rbac.v3.RBAC) Shadow rules are not enforced by the filter (i.e., returning a 403) but will emit stats and logs and can be used for rule testing. If absent, no shadow RBAC policy will be applied. If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
- shadow_matcher
(.xds.type.matcher.v3.Matcher) The match tree to use for emitting stats and logs which can be used for rule testing for incoming requests. If absent, no shadow matcher will be applied.
Warning
This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.
- shadow_rules_stat_prefix
(string) If specified, shadow rules will emit stats with the given prefix. This is useful for distinguishing the stats when more than one RBAC filter is configured with shadow rules.
- track_per_rule_stats
(bool) If track_per_rule_stats is true, counters will be published for each rule and shadow rule.
extensions.filters.http.rbac.v3.RBACPerRoute
[extensions.filters.http.rbac.v3.RBACPerRoute proto]
{
  "rbac": {...}
}
- rbac
(extensions.filters.http.rbac.v3.RBAC) Override the global configuration of the filter with this new config. If absent, the global RBAC policy will be disabled for this route.
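An added configuration example (not taken from this page or from the Envoy project's own samples) that exercises the fields above: an enforced ALLOW policy with its own stat prefix, a shadow DENY policy that only reports, per-rule counters, and an RBACPerRoute override on one route. The SPIFFE identities, paths and stat prefixes are constructed; the type URLs assume Envoy's usual type.googleapis.com/envoy.<proto name> form.

```yaml
http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    # Enforced policy: a request not matched by any ALLOW policy is denied (403).
    rules:
      action: ALLOW
      policies:
        "allow-healthz":
          permissions:
          - url_path:
              path: { exact: "/healthz" }
          principals:
          - any: true
        "allow-service-a":
          permissions:
          - any: true
          principals:
          - authenticated:
              principal_name: { exact: "spiffe://example.org/ns/default/sa/service-a" }
    rules_stat_prefix: "enforced_"
    # Candidate policy: evaluated for stats and logs only, never returns 403.
    # Lets the /admin deny rule be observed in production before it is enforced.
    shadow_rules:
      action: DENY
      policies:
        "deny-admin-paths":
          permissions:
          - url_path:
              path: { prefix: "/admin" }
          principals:
          - any: true
    shadow_rules_stat_prefix: "candidate_"
    # Publish a counter per rule and per shadow rule, not just filter totals.
    track_per_rule_stats: true
---
# Per-route override, placed under that route's typed_per_filter_config.
# Omitting the "rbac" field entirely would instead disable RBAC on the route.
typed_per_filter_config:
  envoy.filters.http.rbac:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
    rbac:
      rules:
        action: ALLOW
        policies:
          "allow-service-b-only":
            permissions:
            - any: true
            principals:
            - authenticated:
                principal_name: { exact: "spiffe://example.org/ns/default/sa/service-b" }
```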