RBAC MTls Authenticated Principal (proto)

This extension has the qualified name envoy.rbac.principals.mtls_authenticated.

Note

This extension is intended to be robust against both untrusted downstream and upstream traffic.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

extensions.rbac.principals.mtls_authenticated.v3.Config

[extensions.rbac.principals.mtls_authenticated.v3.Config proto]

Authentication attributes for a downstream mTLS connection. All modes require that a peer certificate was presented and validated using the ValidationContext in the DownstreamTlsContext configuration.

If neither field is set, a configuration loading error will be generated. This makes skipping SAN validation an explicit opt-in, so that SAN validation cannot be omitted by accident.

If any_validated_client_certificate is set together with san_matcher (or a future field that specifies additional validation), the other field always takes precedence over any_validated_client_certificate and all of the specified validation is performed.

{
  "san_matcher": {...},
  "any_validated_client_certificate": ...
}
san_matcher

(extensions.transport_sockets.tls.v3.SubjectAltNameMatcher) Specifies a SAN that must be present in the validated peer certificate.

any_validated_client_certificate

(bool) Only require that the peer certificate is present and valid.
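The following listener configuration is an added example and is not part of the Envoy documentation above. It wires this principal into the HTTP RBAC filter: the DownstreamTlsContext validates client certificates against a trusted CA, and two RBAC policies then use the principal, one requiring a specific DNS SAN via san_matcher and one accepting any validated client certificate. The certificate file paths, hostnames, route paths and policy names are assumptions, and the placement of the extension under the Principal's custom field is also assumed here rather than taken from the page.

```yaml
# Added example, not from the Envoy docs. Paths, hostnames and policy names are assumed.
static_resources:
  listeners:
  - name: mtls_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # The principal only counts a certificate that was presented and validated
          # by this validation_context. Without require_client_certificate a client
          # that presents no certificate is not rejected at the TLS layer; it simply
          # fails to match the principal and is denied by the RBAC filter below.
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }   # assumed path
              private_key: { filename: /etc/envoy/certs/server.key }          # assumed path
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/client_ca.crt }       # assumed path
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              rules:
                action: ALLOW
                policies:
                  # Policy 1: the peer certificate must be valid AND carry the expected
                  # DNS SAN. san_matcher alone is sufficient; setting
                  # any_validated_client_certificate alongside it would change nothing,
                  # because san_matcher takes precedence.
                  "admin-api-by-san":
                    permissions:
                    - url_path:
                        path: { prefix: /admin }
                    principals:
                    - custom:   # assumed field name for extension principals
                        name: envoy.rbac.principals.mtls_authenticated
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.rbac.principals.mtls_authenticated.v3.Config
                          san_matcher:
                            san_type: DNS
                            matcher:
                              exact: admin-client.example.internal   # assumed SAN
                  # Policy 2: any certificate chaining to client_ca.crt is enough.
                  # This is the explicit opt-out of SAN validation; leaving both
                  # fields unset would instead fail configuration loading.
                  "any-client-cert":
                    permissions:
                    - url_path:
                        path: { prefix: /api }
                    principals:
                    - custom:
                        name: envoy.rbac.principals.mtls_authenticated
                        typed_config:
                          "@type": type.googleapis.com/envoy.extensions.rbac.principals.mtls_authenticated.v3.Config
                          any_validated_client_certificate: true
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: / }
                direct_response: { status: 200, body: { inline_string: "ok" } }
```

With this configuration a request to /admin is allowed only when the client certificate validated against client_ca.crt also carries the DNS SAN admin-client.example.internal, while /api accepts any certificate that validates. Requests matching neither policy are denied because the filter's action is ALLOW with no catch-all policy.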