This extension may be referenced by the qualified name envoy.filters.network.rbac


This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Role-Based Access Control configuration overview.


[config.filter.network.rbac.v2.RBAC proto]

RBAC network filter config.

Header should not be used in rules/shadow_rules in RBAC network filter as this information is only available in RBAC http filter.

  "rules": "{...}",
  "shadow_rules": "{...}",
  "stat_prefix": "...",
  "enforcement_type": "..."

(config.rbac.v2.RBAC) Specify the RBAC rules to be applied globally. If absent, no enforcing RBAC policy will be applied.


(config.rbac.v2.RBAC) Shadow rules are not enforced by the filter but will emit stats and logs and can be used for rule testing. If absent, no shadow RBAC policy will be applied.


(string, REQUIRED) The prefix to use when emitting statistics.


(config.filter.network.rbac.v2.RBAC.EnforcementType) RBAC enforcement strategy. By default RBAC will be enforced only once when the first byte of data arrives from the downstream. When used in conjunction with filters that emit dynamic metadata after decoding every payload (e.g., Mongo, MySQL, Kafka) set the enforcement type to CONTINUOUS to enforce RBAC policies on every message boundary.

Enum config.filter.network.rbac.v2.RBAC.EnforcementType

[config.filter.network.rbac.v2.RBAC.EnforcementType proto]


(DEFAULT) ⁣Apply RBAC policies when the first byte of data arrives on the connection.


⁣Continuously apply RBAC policies as data arrives. Use this mode when using RBAC with message oriented protocols such as Mongo, MySQL, Kafka, etc. when the protocol decoders emit dynamic metadata such as the resources being accessed and the operations on the resources.