xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)

R.B. Boyer 2021-07-15 10:09:00 -05:00 committed by GitHub
parent 6bf7c98227
commit e018d8a10b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 1493 additions and 4 deletions

.changelog/10619.txt Normal file

@ -0,0 +1,3 @@
```release-note:security
xds: ensure single L7 deny intention with default deny policy does not result in allow action [CVE-2021-36213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36213)
```


@ -110,13 +110,34 @@ func removeIntentionPrecedence(rbacIxns []*rbacIntention, intentionDefaultAction
// between any two intentions. // between any two intentions.
rbacIxns = removeSourcePrecedence(rbacIxns, intentionDefaultAction) rbacIxns = removeSourcePrecedence(rbacIxns, intentionDefaultAction)
numRetained := 0
for _, rbacIxn := range rbacIxns { for _, rbacIxn := range rbacIxns {
// Remove permission precedence. After this completes precedence // Remove permission precedence. After this completes precedence
// doesn't matter between any two permissions on this intention. // doesn't matter between any two permissions on this intention.
rbacIxn.Permissions = removePermissionPrecedence(rbacIxn.Permissions, intentionDefaultAction) rbacIxn.Permissions = removePermissionPrecedence(rbacIxn.Permissions, intentionDefaultAction)
if rbacIxn.Action == intentionActionLayer7 && len(rbacIxn.Permissions) == 0 {
// All of the permissions must have had the default action type and
// were removed. Mark this for removal below.
rbacIxn.Skip = true
} else {
numRetained++
}
} }
return rbacIxns if numRetained == len(rbacIxns) {
return rbacIxns
}
// We previously used the absence of permissions (above) as a signal to
// mark the entire intention for removal. Now do the deletions.
out := make([]*rbacIntention, 0, numRetained)
for _, rixn := range rbacIxns {
if !rixn.Skip {
out = append(out, rixn)
}
}
return out
} }
func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction intentionAction) []*rbacPermission { func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction intentionAction) []*rbacPermission {
@ -401,10 +422,14 @@ func makeRBACRules(intentions structs.Intentions, intentionDefaultAllow bool, is
var principalsL4 []*envoy_rbac_v3.Principal var principalsL4 []*envoy_rbac_v3.Principal
for i, rbacIxn := range rbacIxns { for i, rbacIxn := range rbacIxns {
if len(rbacIxn.Permissions) > 0 { if rbacIxn.Action == intentionActionLayer7 {
if len(rbacIxn.Permissions) == 0 {
panic("invalid state: L7 intention has no permissions")
}
if !isHTTP { if !isHTTP {
panic("invalid state: L7 permissions present for TCP service") panic("invalid state: L7 permissions present for TCP service")
} }
// For L7: we should generate one Policy per Principal and list all of the Permissions // For L7: we should generate one Policy per Principal and list all of the Permissions
policy := &envoy_rbac_v3.Policy{ policy := &envoy_rbac_v3.Policy{
Principals: []*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal}, Principals: []*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal},
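Review bot: The `numRetained` count in removeIntentionPrecedence is taken from the if/else branch rather than from the `Skip` flag it is meant to mirror, so an entry that removeSourcePrecedence might already have returned with Skip set (not visible in this hunk) would be counted as retained and pass through the `numRetained == len(rbacIxns)` shortcut unfiltered. Replacing the `else` arm with `if !rbacIxn.Skip { numRetained++ }` keeps the count and the filter loop below agreeing on the same predicate. The new `panic("invalid state: L7 intention has no permissions")` in makeRBACRules now depends on removeIntentionPrecedence having dropped every empty L7 intention; that invariant deserves a sentence in removeIntentionPrecedence's doc comment, e.g. `// L7 intentions whose permissions were all removed are dropped here so that makeRBACRules never sees an L7 intention with no permissions (it panics on one).` Both removeIntentionPrecedence and makeRBACRules start outside their hunks.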


@ -6,12 +6,381 @@ import (
"sort" "sort"
"testing" "testing"
envoy_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/structs"
) )
func TestRemoveIntentionPrecedence(t *testing.T) {
testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention {
t.Helper()
ixn := structs.TestIntention(t)
ixn.SourceName = src
ixn.DestinationName = dst
ixn.Action = action
//nolint:staticcheck
ixn.UpdatePrecedence()
return ixn
}
testSourceIntention := func(src string, action structs.IntentionAction) *structs.Intention {
return testIntention(t, src, "api", action)
}
testSourcePermIntention := func(src string, perms ...*structs.IntentionPermission) *structs.Intention {
ixn := testIntention(t, src, "api", "")
ixn.Permissions = perms
return ixn
}
sorted := func(ixns ...*structs.Intention) structs.Intentions {
sort.SliceStable(ixns, func(i, j int) bool {
return ixns[j].Precedence < ixns[i].Precedence
})
return structs.Intentions(ixns)
}
var (
nameWild = structs.NewServiceName("*", nil)
nameWeb = structs.NewServiceName("web", nil)
permSlashPrefix = &structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
}
permDenySlashPrefix = &structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
}
xdsPermSlashPrefix = &envoy_rbac_v3.Permission{
Rule: &envoy_rbac_v3.Permission_UrlPath{
UrlPath: &envoy_matcher_v3.PathMatcher{
Rule: &envoy_matcher_v3.PathMatcher_Path{
Path: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Prefix{
Prefix: "/",
},
},
},
},
},
}
)
// NOTE: these default=(allow|deny) wild=(allow|deny) path=(allow|deny)
// tests below are meant to verify some of the behaviors work as expected
// when the default acl mode changes for the system
tests := map[string]struct {
intentionDefaultAllow bool
http bool
intentions structs.Intentions
expect []*rbacIntention
}{
"default-allow-path-allow": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
),
expect: []*rbacIntention{}, // EMPTY, just use the defaults
},
"default-deny-path-allow": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permSlashPrefix,
Action: intentionActionAllow,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
},
},
"default-allow-path-deny": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permDenySlashPrefix,
Action: intentionActionDeny,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
},
},
"default-deny-path-deny": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
),
expect: []*rbacIntention{},
},
// ========================
"default-allow-deny-all-and-path-allow": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
testSourceIntention("*", structs.IntentionActionDeny),
),
expect: []*rbacIntention{
{
Source: nameWild,
NotSources: []structs.ServiceName{
nameWeb,
},
Action: intentionActionDeny,
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWild),
notPrincipal(
idPrincipal(nameWeb),
),
},
),
},
},
},
"default-deny-deny-all-and-path-allow": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
testSourceIntention("*", structs.IntentionActionDeny),
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permSlashPrefix,
Action: intentionActionAllow,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
},
},
"default-allow-deny-all-and-path-deny": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
testSourceIntention("*", structs.IntentionActionDeny),
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permDenySlashPrefix,
Action: intentionActionDeny,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
{
Source: nameWild,
NotSources: []structs.ServiceName{
nameWeb,
},
Action: intentionActionDeny,
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWild),
notPrincipal(
idPrincipal(nameWeb),
),
},
),
},
},
},
"default-deny-deny-all-and-path-deny": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
testSourceIntention("*", structs.IntentionActionDeny),
),
expect: []*rbacIntention{},
},
// ========================
"default-allow-allow-all-and-path-allow": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
testSourceIntention("*", structs.IntentionActionAllow),
),
expect: []*rbacIntention{},
},
"default-deny-allow-all-and-path-allow": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
testSourceIntention("*", structs.IntentionActionAllow),
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permSlashPrefix,
Action: intentionActionAllow,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
{
Source: nameWild,
NotSources: []structs.ServiceName{
nameWeb,
},
Action: intentionActionAllow,
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWild),
notPrincipal(
idPrincipal(nameWeb),
),
},
),
},
},
},
"default-allow-allow-all-and-path-deny": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
testSourceIntention("*", structs.IntentionActionAllow),
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permDenySlashPrefix,
Action: intentionActionDeny,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
},
},
"default-deny-allow-all-and-path-deny": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
testSourceIntention("*", structs.IntentionActionAllow),
),
expect: []*rbacIntention{
{
Source: nameWild,
NotSources: []structs.ServiceName{
nameWeb,
},
Action: intentionActionAllow,
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWild),
notPrincipal(
idPrincipal(nameWeb),
),
},
),
},
},
},
}
for name, tt := range tests {
t.Run(name, func(t *testing.T) {
rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, tt.http)
intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow)
rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction)
require.Equal(t, tt.expect, rbacIxns)
})
}
}
func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention { testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention {
t.Helper() t.Helper()
@ -38,6 +407,21 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
return structs.Intentions(ixns) return structs.Intentions(ixns)
} }
var (
permSlashPrefix = &structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
}
permDenySlashPrefix = &structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
}
)
tests := map[string]struct { tests := map[string]struct {
intentionDefaultAllow bool intentionDefaultAllow bool
intentions structs.Intentions intentions structs.Intentions
@ -88,7 +472,6 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
testSourceIntention("web", structs.IntentionActionAllow), testSourceIntention("web", structs.IntentionActionAllow),
testSourceIntention("unsafe", structs.IntentionActionDeny), testSourceIntention("unsafe", structs.IntentionActionDeny),
testSourceIntention("cron", structs.IntentionActionAllow), testSourceIntention("cron", structs.IntentionActionAllow),
// and we invert the default-ness of the whole thing
testSourceIntention("*", structs.IntentionActionAllow), testSourceIntention("*", structs.IntentionActionAllow),
), ),
}, },
@ -99,10 +482,92 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
testSourceIntention("web", structs.IntentionActionDeny), testSourceIntention("web", structs.IntentionActionDeny),
testSourceIntention("unsafe", structs.IntentionActionAllow), testSourceIntention("unsafe", structs.IntentionActionAllow),
testSourceIntention("cron", structs.IntentionActionDeny), testSourceIntention("cron", structs.IntentionActionDeny),
// and we invert the default-ness of the whole thing
testSourceIntention("*", structs.IntentionActionDeny), testSourceIntention("*", structs.IntentionActionDeny),
), ),
}, },
// ========================
"default-allow-path-allow": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
),
},
"default-deny-path-allow": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
),
},
"default-allow-path-deny": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
),
},
"default-deny-path-deny": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
),
},
// ========================
"default-allow-deny-all-and-path-allow": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
"default-deny-deny-all-and-path-allow": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
"default-allow-deny-all-and-path-deny": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
"default-deny-deny-all-and-path-deny": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
// ========================
"default-deny-two-path-deny-and-path-allow": { "default-deny-two-path-deny-and-path-allow": {
intentionDefaultAllow: false, intentionDefaultAllow: false,
intentions: sorted( intentions: sorted(
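Review bot: The eight new table cases from `default-allow-deny-all-and-path-allow` onward in TestMakeRBACNetworkAndHTTPFilters spell out the `&structs.IntentionPermission{...}` literal inline even though this commit introduces `permSlashPrefix` and `permDenySlashPrefix` for exactly those two shapes and the four cases just before them already use the variables; `testSourcePermIntention("web", permSlashPrefix)` and `testSourcePermIntention("web", permDenySlashPrefix)` would make the deny-all cases read like the path-only ones. The `testIntention`, `testSourceIntention`, `testSourcePermIntention` and `sorted` closures in the new TestRemoveIntentionPrecedence duplicate the ones in TestMakeRBACNetworkAndHTTPFilters (its copy of `testIntention` is visible at the end of the first hunk), so they could become package-level test helpers. Every TestRemoveIntentionPrecedence case sets `http: true`, so the `http` field never varies; either add a non-HTTP case or drop the field. The `//nolint:staticcheck` above `ixn.UpdatePrecedence()` gives no reason; a trailing explanation such as `//nolint:staticcheck // <reason the check is suppressed>` would tell the reader why.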


@ -0,0 +1,52 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"andIds": {
"ids": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
},
{
"notId": {
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
}
]
}
}
]
}
}
}
}
}


@ -0,0 +1,52 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"andIds": {
"ids": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
},
{
"notId": {
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
}
]
}
}
]
}
}
}
}
}


@ -0,0 +1,65 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
},
{
"andIds": {
"ids": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
},
{
"notId": {
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
}
]
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,65 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
},
{
"andIds": {
"ids": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
},
{
"notId": {
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
}
]
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,77 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"andIds": {
"ids": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
},
{
"notId": {
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
}
]
}
}
]
},
"consul-intentions-layer7-0": {
"permissions": [
{
"urlPath": {
"path": {
"prefix": "/"
}
}
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
}
}
}


@ -0,0 +1,77 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"andIds": {
"ids": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
},
{
"notId": {
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
}
]
}
}
]
},
"consul-intentions-layer7-0": {
"permissions": [
{
"urlPath": {
"path": {
"prefix": "/"
}
}
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
}
}
}


@ -0,0 +1,65 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
},
{
"andIds": {
"ids": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
},
{
"notId": {
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
}
]
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,65 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
},
{
"andIds": {
"ids": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
},
{
"notId": {
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
}
]
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,9 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
"action": "DENY"
}
}
}


@ -0,0 +1,9 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
"rules": {
"action": "DENY"
}
}
}


@ -0,0 +1,33 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,33 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,36 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer7-0": {
"permissions": [
{
"urlPath": {
"path": {
"prefix": "/"
}
}
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
}
}
}


@ -0,0 +1,36 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer7-0": {
"permissions": [
{
"urlPath": {
"path": {
"prefix": "/"
}
}
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
}
}
}


@ -0,0 +1,33 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,33 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,35 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
"policies": {
"consul-intentions-layer7-0": {
"permissions": [
{
"urlPath": {
"path": {
"prefix": "/"
}
}
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
}
}
}


@ -0,0 +1,35 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
"rules": {
"policies": {
"consul-intentions-layer7-0": {
"permissions": [
{
"urlPath": {
"path": {
"prefix": "/"
}
}
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
}
}
}


@ -0,0 +1,10 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,10 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
"rules": {
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,9 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
}
}
}


@ -0,0 +1,9 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
"rules": {
}
}
}


@ -0,0 +1,10 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,10 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
"rules": {
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,35 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
"policies": {
"consul-intentions-layer7-0": {
"permissions": [
{
"urlPath": {
"path": {
"prefix": "/"
}
}
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
}
}
}


@ -0,0 +1,35 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
"rules": {
"policies": {
"consul-intentions-layer7-0": {
"permissions": [
{
"urlPath": {
"path": {
"prefix": "/"
}
}
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
}
}
}


@ -0,0 +1,10 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"statPrefix": "connect_authz"
}
}

View File

@ -0,0 +1,10 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
"rules": {
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,9 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
}
}
}


@ -0,0 +1,9 @@
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
"rules": {
}
}
}


@ -0,0 +1,10 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"statPrefix": "connect_authz"
}
}


@ -0,0 +1,10 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
"rules": {
},
"statPrefix": "connect_authz"
}
}