Role Based Access Control (RBAC) Network Filter

The RBAC network filter is used to authorize actions by identified downstream clients. This is useful to explicitly manage callers to an application and protect it from unexpected or forbidden agents. The filter supports configuration with either a safe-list (ALLOW) or block-list (DENY) set of policies, or a matcher with different actions, based on properties of the connection (IPs, ports, SSL subject). This filter also supports policy in both enforcement and shadow modes. Shadow mode won’t effect real users, it is used to test that a new set of policies work before rolling out to production.

When a request is denied, the CONNECTION_TERMINATION_DETAILS will include the name of the matched policy that caused the deny in the format of rbac_access_denied_matched_policy[policy_name] (policy_name will be none if no policy matched), this helps to distinguish the deny from Envoy RBAC filter and the upstream backend.

  • This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC.

  • v3 API reference

Statistics

The RBAC network filter outputs statistics in the <stat_prefix>.rbac. namespace.

For the shadow rule statistics shadow_allowed and shadow_denied, the shadow_rules_stat_prefix can be used to add an extra prefix to output the statistics in the <stat_prefix>.rbac.<shadow_rules_stat_prefix>. namespace.

Name

Type

Description

allowed

Counter

Total requests that were allowed access

denied

Counter

Total requests that were denied access

shadow_allowed

Counter

Total requests that would be allowed access by the filter’s shadow rules

shadow_denied

Counter

Total requests that would be denied access by the filter’s shadow rules

logged

Counter

Total requests that should be logged

not_logged

Counter

Total requests that should not be logged

Dynamic Metadata

The RBAC filter emits the following dynamic metadata.

For the shadow rules dynamic metadata shadow_effective_policy_id and shadow_engine_result, the shadow_rules_stat_prefix can be used to add an extra prefix to the corresponding dynamic metadata key.

Name

Type

Description

shadow_effective_policy_id

string

The effective shadow policy ID matching the action (if any).

shadow_engine_result

string

The engine result for the shadow rules (i.e. either allowed or denied).

access_log_hint

boolean

Whether the request should be logged. This metadata is shared and set under the key namespace ‘envoy.common’ (See Shared Dynamic Metadata).