Role Based Access Control (RBAC) - HTTP
RBAC is used to check if the incoming request is authorized or not.
Envoy supports 2 types for RBAC:
L4 connections via the Role Based Access Control (RBAC) Network Filter
HTTP requests via the Role Based Access Control (RBAC) Filter
This sandbox provides an example of RBAC of HTTP requests.
In the example, requests should only be allowed if its Referer
header
matches the regex pattern https?://(www.)?envoyproxy.io/docs/envoy.*
.
Step 1: Start all of our containers
Change to the examples/rbac
directory and bring up the docker composition.
$ pwd
envoy/examples/rbac
$ docker-compose pull
$ docker-compose up --build -d
$ docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------
rbac_backend_1 gunicorn -b 0.0.0.0:80 htt ... Up 0.0.0.0:8080->80/tcp
rbac_envoy_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10000->10000/tcp, 0.0.0.0:10001->10001/tcp
Step 2: Denial of upstream service using RBAC
The sandbox is configured to proxy port 10000
to the upstream service.
As the request does not have the required header it is denied, and Envoy refuses the connection with an HTTP 403 return code and with the content RBAC: access denied
.
Now, use curl
to make a request for the upstream service.
$ curl -si localhost:10000
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Thu, 28 Jul 2022 06:48:43 GMT
server: envoy
RBAC: access denied
Step 4: Check stats via admin
The sandbox is configured with the 10001
port for Envoy admin.
Checking the admin interface we should now see that the RBAC stats are updated, with one request denied and the other allowed
$ curl -s "http://localhost:10001/stats?filter=rbac"
http.ingress_http.rbac.allowed: 1
http.ingress_http.rbac.denied: 1
http.ingress_http.rbac.shadow_allowed: 0
http.ingress_http.rbac.shadow_denied: 0
See also
- Role Based Access Control
Learn more about using Envoy’s
RBAC
filter.- RBAC Network Filter API
API and configuration reference for Envoy’s
RBAC
network filter.- RBAC HTTP Filter API
API and configuration reference for Envoy’s
RBAC
HTTP filter.
- Envoy admin quick start guide
Quick start guide to the Envoy admin interface.