Network External Authorization

This documentation is for the Envoy v3 API.

As of Envoy v1.18 the v2 API has been removed and is no longer supported.

If you are upgrading from v2 API config you may wish to view the v2 API documentation:

This extension may be referenced by the qualified name envoy.filters.network.ext_authz

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

The network layer external authorization service configuration configuration overview.

extensions.filters.network.ext_authz.v3.ExtAuthz

[extensions.filters.network.ext_authz.v3.ExtAuthz proto]

External Authorization filter calls out to an external service over the gRPC Authorization API defined by CheckRequest. A failed check will cause this filter to close the TCP connection.

{
  "stat_prefix": "...",
  "grpc_service": "{...}",
  "failure_mode_allow": "...",
  "include_peer_certificate": "...",
  "transport_api_version": "...",
  "filter_enabled_metadata": "{...}",
  "bootstrap_metadata_labels_key": "..."
}
stat_prefix

(string, REQUIRED) The prefix to use when emitting statistics.

grpc_service

(config.core.v3.GrpcService) The external authorization gRPC service configuration. The default timeout is set to 200ms by this filter.

failure_mode_allow

(bool) The filter’s behaviour in case the external authorization service does not respond back. When it is set to true, Envoy will also allow traffic in case of communication failure between authorization service and the proxy. Defaults to false.

include_peer_certificate

(bool) Specifies if the peer certificate is sent to the external service.

When this field is true, Envoy will include the peer X.509 certificate, if available, in the certificate.

transport_api_version

(config.core.v3.ApiVersion) API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and version of Check{Request,Response} used on the wire.

filter_enabled_metadata

(type.matcher.v3.MetadataMatcher) Specifies if the filter is enabled with metadata matcher. If this field is not specified, the filter will be enabled for all requests.

bootstrap_metadata_labels_key

(string) Optional labels that will be passed to labels in destination. The labels will be read from metadata with the specified key.