Role Based Access Control (RBAC) Network Filter

    When a request is denied, the CONNECTION_TERMINATION_DETAILS will include the name of the matched policy that caused the deny, in the format rbac_access_denied_matched_policy[policy_name] (policy_name will be none if no policy matched). This helps to distinguish a deny by the Envoy RBAC filter from one by the upstream backend.

    The RBAC network filter outputs statistics in the <stat_prefix>.rbac. namespace.

    For the shadow rule statistics shadow_allowed and shadow_denied, the shadow_rules_stat_prefix can be used to add an extra prefix to output the statistics in the <stat_prefix>.rbac.<shadow_rules_stat_prefix>. namespace.

    Dynamic Metadata

    The RBAC filter emits the following dynamic metadata.

    For the shadow rules dynamic metadata shadow_effective_policy_id and shadow_engine_result, the shadow_rules_stat_prefix can be used to add an extra prefix to the corresponding dynamic metadata key.

    | Name | Type | Description |
    |------|------|-------------|
    | shadow_effective_policy_id | string | The effective shadow policy ID matching the action (if any). |
    | shadow_engine_result | string | The engine result for the shadow rules (i.e. either allowed or denied). |
    | access_log_hint | bool | Whether the request should be logged. This metadata is shared and set under the key namespace ‘envoy.common’ (See Shared Dynamic Metadata). |
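
The deny marker in CONNECTION_TERMINATION_DETAILS and the shadow dynamic metadata can be tallied from access logs to separate enforced RBAC denies from connections that only the shadow rules would deny. This is an added example, not code from the Envoy project; the JSON key names and the sample log lines are constructed assumptions about how the access log was configured.

```python
import json
import re
from collections import Counter

# Deny marker Envoy writes into CONNECTION_TERMINATION_DETAILS on an RBAC deny.
DENY_RE = re.compile(r"rbac_access_denied_matched_policy\[(?P<policy>[^\]]*)\]")

# Constructed sample access log (one JSON object per line). The key names are
# assumptions for this example; real names depend on the access-log format.
SAMPLE_LOG = """\
{"peer": "10.1.2.3", "termination_details": "rbac_access_denied_matched_policy[block-legacy-subnet]", "shadow_engine_result": "denied", "shadow_effective_policy_id": "block-legacy-subnet"}
{"peer": "10.9.9.9", "termination_details": "rbac_access_denied_matched_policy[none]", "shadow_engine_result": "allowed", "shadow_effective_policy_id": "allow-batch-jobs"}
{"peer": "10.4.0.7", "termination_details": "-", "shadow_engine_result": "denied", "shadow_effective_policy_id": "deny-port-9000"}
{"peer": "10.4.0.8", "termination_details": "-", "shadow_engine_result": "allowed", "shadow_effective_policy_id": "allow-batch-jobs"}
{"peer": "10.4.0.9", "termination_details": "-", "shadow_engine_result": "denied"}
{"peer": "10.4.0.10", "termination_det
"""


def summarize(log_text):
    """Return (enforced, shadow_only) Counters keyed by policy name.

    enforced:    connections the RBAC filter actually denied, per matched
                 policy ("none" means no policy matched).
    shadow_only: connections the enforced rules did not deny but the shadow
                 rules would have denied.
    """
    enforced, shadow_only = Counter(), Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        match = DENY_RE.search(str(entry.get("termination_details", "")))
        if match:
            enforced[match.group("policy")] += 1
        elif entry.get("shadow_engine_result") == "denied":
            # No enforced deny, but the shadow rules disagree: review these
            # before promoting the shadow rules to enforced rules.
            shadow_only[entry.get("shadow_effective_policy_id") or "<unmatched>"] += 1
    return enforced, shadow_only


if __name__ == "__main__":
    enforced, shadow_only = summarize(SAMPLE_LOG)
    print("enforced denies:", dict(enforced))
    print("shadow-only denies:", dict(shadow_only))
```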