Role Based Access Control

• HTTP filter configuration.

The RBAC filter can be either configured as a , or as a HTTP filter or both. If the request is deemed unauthorized by the network filter then the connection will be closed. If the request is deemed unauthorized by the HTTP filter the request will be denied with 403 (Forbidden) response.

The filter can be configured with a that doesn’t have any effect (i.e. not deny the request) but only emit stats and log the result. This is useful for testing a rule before applying in production.

Envoy provides a number of request attributes for expressive policies. Most attributes are optional and provide the default value based on the type of the attribute. CEL supports presence checks for attributes and maps using syntax, e.g. .