RBAC

This extension has the qualified name envoy.filters.http.rbac

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

Role-Based Access Control configuration overview.

extensions.filters.http.rbac.v3.RBAC

[extensions.filters.http.rbac.v3.RBAC proto]

RBAC filter config.

{
  "rules": "{...}",
  "matcher": "{...}",
  "shadow_rules": "{...}",
  "shadow_matcher": "{...}",
  "shadow_rules_stat_prefix": "..."
}
rules

(config.rbac.v3.RBAC) Specify the RBAC rules to be applied globally. If absent, no enforcing RBAC policy will be applied. If present and empty, DENY. If both rules and matcher are configured, rules will be ignored.

matcher

(.xds.type.matcher.v3.Matcher) The match tree to use when resolving RBAC action for incoming requests. Requests do not match any matcher will be denied. If absent, no enforcing RBAC matcher will be applied. If present and empty, deny all requests.

Warning

This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

shadow_rules

(config.rbac.v3.RBAC) Shadow rules are not enforced by the filter (i.e., returning a 403) but will emit stats and logs and can be used for rule testing. If absent, no shadow RBAC policy will be applied. If both shadow rules and shadow matcher are configured, shadow rules will be ignored.

shadow_matcher

(.xds.type.matcher.v3.Matcher) The match tree to use for emitting stats and logs which can be used for rule testing for incoming requests. If absent, no shadow matcher will be applied.

Warning

This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

shadow_rules_stat_prefix

(string) If specified, shadow rules will emit stats with the given prefix. This is useful to distinguish the stat when there are more than 1 RBAC filter configured with shadow rules.

extensions.filters.http.rbac.v3.RBACPerRoute

[extensions.filters.http.rbac.v3.RBACPerRoute proto]

{
  "rbac": "{...}"
}
rbac

(extensions.filters.http.rbac.v3.RBAC) Override the global configuration of the filter with this new config. If absent, the global RBAC policy will be disabled for this route.