Skip to content

Instantly share code, notes, and snippets.

@cameronmoreau
Created October 31, 2018 19:25
Show Gist options
  • Save cameronmoreau/b533cb8e0475933e71df0dd26beef8ae to your computer and use it in GitHub Desktop.
Save cameronmoreau/b533cb8e0475933e71df0dd26beef8ae to your computer and use it in GitHub Desktop.
This is a subset of the final envoy config for RBAC policies, showing some comparative (AND/OR) logic
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address:
protocol: TCP
address: 127.0.0.1
port_value: 9901
static_resources:
listeners:
- name: listener_0
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.http_connection_manager
config:
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
host_rewrite: www.google.com
cluster: service_google
http_filters:
- name: envoy.filters.http.jwt_authn
config:
providers:
provider1:
issuer: [email protected]
local_jwks:
inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
- name: envoy.filters.http.rbac
config:
rules:
policies:
productpage-viewer:
permissions:
- and_rules:
rules:
- or_rules:
rules:
- header:
name: ":method"
exact_match: GET
principals:
- and_ids:
ids:
- header:
name: "hello"
exact_match: "world"
- header:
name: "goodbye"
exact_match: "world"
# - metadata:
# filter: envoy.filters.http.rbac
# value:
# string_match:
# exact: bar
# path:
# # - key: request.auth.claims
# - key: foo
# - and_ids:
# ids:
# - metadata:
# filter: istio_authn
# value:
# list_match:
# one_of:
# string_match:
# exact: openid
# path:
# - key: request.auth.claims
# - key: scope
# - and_ids:
# ids:
# - metadata:
# value:
# list_match:
# one_of:
# string_match:
# exact: foo.bar
# path:
# - key: request.auth.claims
# - key: scope
# filter: istio_authn
# local_jwks:
# inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
# - name: jwt-auth
# config:
# rules:
# - local_jwks:
# inline_string:
# forward_payload_header: istio-sec-5406b7840708063f65cbdf52153ca364a476d68b
# forward: true
# issuer: [email protected]
# allow_missing_or_failed: true
- name: envoy.router
clusters:
- name: service_google
connect_timeout: 0.25s
type: LOGICAL_DNS
# Comment out the following line to test on v6 networks
dns_lookup_family: V4_ONLY
lb_policy: ROUND_ROBIN
hosts:
- socket_address:
address: google.com
port_value: 443
tls_context: { sni: www.google.com }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment