RBAC (proto)

This extension has the qualified name envoy.filters.network.rbac

Note

This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

Role-Based Access Control configuration overview.

extensions.filters.network.rbac.v3.RBAC

[extensions.filters.network.rbac.v3.RBAC proto]

RBAC network filter config.

Header should not be used in rules/shadow_rules in RBAC network filter as this information is only available in RBAC http filter.

{
  "rules": {...},
  "matcher": {...},
  "shadow_rules": {...},
  "shadow_matcher": {...},
  "shadow_rules_stat_prefix": ...,
  "stat_prefix": ...,
  "enforcement_type": ...
}
rules

(config.rbac.v3.RBAC) Specify the RBAC rules to be applied globally. If absent, no enforcing RBAC policy will be applied. If present and empty, DENY. If both rules and matcher are configured, rules will be ignored.

matcher

(.xds.type.matcher.v3.Matcher) The match tree to use when resolving RBAC action for incoming connections. Connections do not match any matcher will be denied. If absent, no enforcing RBAC matcher will be applied. If present and empty, deny all connections.

Warning

This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

shadow_rules

(config.rbac.v3.RBAC) Shadow rules are not enforced by the filter but will emit stats and logs and can be used for rule testing. If absent, no shadow RBAC policy will be applied. If both shadow rules and shadow matcher are configured, shadow rules will be ignored.

shadow_matcher

(.xds.type.matcher.v3.Matcher) The match tree to use for emitting stats and logs which can be used for rule testing for incoming connections. If absent, no shadow matcher will be applied.

Warning

This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

shadow_rules_stat_prefix

(string) If specified, shadow rules will emit stats with the given prefix. This is useful to distinguish the stat when there are more than 1 RBAC filter configured with shadow rules.

stat_prefix

(string, REQUIRED) The prefix to use when emitting statistics.

enforcement_type

(extensions.filters.network.rbac.v3.RBAC.EnforcementType) RBAC enforcement strategy. By default RBAC will be enforced only once when the first byte of data arrives from the downstream. When used in conjunction with filters that emit dynamic metadata after decoding every payload (e.g., Mongo, MySQL, Kafka) set the enforcement type to CONTINUOUS to enforce RBAC policies on every message boundary.

Enum extensions.filters.network.rbac.v3.RBAC.EnforcementType

[extensions.filters.network.rbac.v3.RBAC.EnforcementType proto]

ONE_TIME_ON_FIRST_BYTE

(DEFAULT) ⁣Apply RBAC policies when the first byte of data arrives on the connection.

CONTINUOUS

⁣Continuously apply RBAC policies as data arrives. Use this mode when using RBAC with message oriented protocols such as Mongo, MySQL, Kafka, etc. when the protocol decoders emit dynamic metadata such as the resources being accessed and the operations on the resources.