RBAC upstream IP and port matcher plugin (proto)

This extension has the qualified name envoy.rbac.matchers.upstream_ip_port

Note

This extension is functional but has not had substantial production burn time; use only with this caveat.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

extensions.rbac.matchers.upstream_ip_port.v3.UpstreamIpPortMatcher

[extensions.rbac.matchers.upstream_ip_port.v3.UpstreamIpPortMatcher proto]

This is the configuration for matching the upstream IP and port. Note that although both fields are optional, at least one of IP or port must be supplied. If only one is supplied, the other is a wildcard match. This matcher requires a filter in the chain to have saved the upstream address in the filter state before the matcher is executed by the RBAC filter. The state should be saved with the key envoy.stream.upstream_address (see upstream_address.h). See also proxy_filter.cc for an example of a filter that populates the FilterState.

{
  "upstream_ip": {...},
  "upstream_port_range": {...}
}

upstream_ip

(config.core.v3.CidrRange) A CIDR block that will be used to match the upstream IP. Both IPv4 and IPv6 ranges can be matched.

upstream_port_range

(type.v3.Int64Range) A port range that will be used to match the upstream port.
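
The following HTTP filter chain fragment shows one way to use this matcher in an RBAC DENY policy. It is an added example, not taken from the Envoy documentation or source. It assumes the dynamic forward proxy HTTP filter, with `save_upstream_address: true`, is the filter that populates `envoy.stream.upstream_address`; the policy name, DNS cache name, CIDR ranges and ports are constructed.

```yaml
http_filters:
# Must run before RBAC: resolves the upstream host and stores the address
# in filter state under envoy.stream.upstream_address.
- name: envoy.filters.http.dynamic_forward_proxy
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
    dns_cache_config:
      name: example_dns_cache          # constructed name
      dns_lookup_family: V4_ONLY
    save_upstream_address: true
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: DENY                     # a request matching any policy is rejected
      policies:
        "deny-internal-upstreams":     # constructed policy name
          permissions:                 # permissions in a policy are OR'd
          # IP only: the port is a wildcard, so every port in 10.0.0.0/8 matches.
          - matcher:
              name: envoy.rbac.matchers.upstream_ip_port
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.rbac.matchers.upstream_ip_port.v3.UpstreamIpPortMatcher
                upstream_ip:
                  address_prefix: 10.0.0.0
                  prefix_len: 8
          # IP and port: both must match. Int64Range is [start, end),
          # so this covers ports 1 through 1023.
          - matcher:
              name: envoy.rbac.matchers.upstream_ip_port
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.rbac.matchers.upstream_ip_port.v3.UpstreamIpPortMatcher
                upstream_ip:
                  address_prefix: 192.168.0.0
                  prefix_len: 16
                upstream_port_range:
                  start: 1
                  end: 1024
          principals:
          - any: true
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

If the upstream address has not been saved to filter state by the time the RBAC filter runs, the matcher has nothing to compare against, so filter ordering is part of the policy.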