Role Based Access Control (RBAC) - HTTP

Requirements

Sandbox environment

Setup your sandbox environment with Docker and Docker Compose, and clone the Envoy repository with Git.

curl

Used to make HTTP requests.

RBAC is used to check if the incoming request is authorized or not.

Envoy supports 2 types for RBAC:

• L4 connections via the Role Based Access Control (RBAC) Network Filter

• HTTP requests via the Role Based Access Control (RBAC) Filter

This sandbox provides an example of RBAC of HTTP requests.

In the example, requests should only be allowed if its Referer header matches the regex pattern https?://(www.)?envoyproxy.io/docs/envoy.*.

Step 1: Start all of our containers

Change to the examples/rbac directory and bring up the docker composition.

$ pwd
envoy/examples/rbac
$ docker compose pull
$ docker compose up --build -d
$ docker compose ps

Name             Command                          State   Ports
------------------------------------------------------------------------------------------------------------
rbac_backend_1   gunicorn -b 0.0.0.0:80 htt ...   Up      0.0.0.0:8080->80/tcp
rbac_envoy_1     /docker-entrypoint.sh /usr ...   Up      0.0.0.0:10000->10000/tcp, 0.0.0.0:10001->10001/tcp

Step 2: Denial of upstream service using RBAC

The sandbox is configured to proxy port 10000 to the upstream service.

As the request does not have the required header it is denied, and Envoy refuses the connection with an HTTP 403 return code and with the content RBAC: access denied.

Now, use curl to make a request for the upstream service.

$ curl -si localhost:10000
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Thu, 28 Jul 2022 06:48:43 GMT
server: envoy

RBAC: access denied

Step 3: Authorization of upstream service using RBAC

Now, we can make another request with proper headers set.

$ curl -si -H "Referer: https://www.envoyproxy.io/docs/envoy" localhost:10000 | grep 200
HTTP/1.1 200 OK

Step 4: Check stats via admin

The sandbox is configured with the 10001 port for Envoy admin.

Checking the admin interface we should now see that the RBAC stats are updated, with one request denied and the other allowed

$ curl -s "http://localhost:10001/stats?filter=rbac"
http.ingress_http.rbac.allowed: 1
http.ingress_http.rbac.denied: 1
http.ingress_http.rbac.shadow_allowed: 0
http.ingress_http.rbac.shadow_denied: 0

See also

Role Based Access Control

Learn more about using Envoy’s RBAC filter.

RBAC Network Filter API

API and configuration reference for Envoy’s RBAC network filter.

RBAC HTTP Filter API

API and configuration reference for Envoy’s RBAC HTTP filter.

Envoy admin quick start guide

Quick start guide to the Envoy admin interface.