So that this documentation is more appropriated named.
1.1 KiB
xDS Server
The xDS Server is a gRPC service that implements xDS and handles requests from an envoy proxy.
Authorization
Requests to the xDS server are authorized based on an assumption of how
proxycfg.ConfigSnapshot
are constructed. Most interfaces (HTTP, DNS, RPC)
authorize requests by authorizing the data in the response, or by filtering
out data that the requester is not authorized to view. The xDS server authorizes
requests by looking at the proxy ID in the request and ensuring the ACL token has
service:write
access to either the destination service (for kind=ConnectProxy), or
the gateway service (for other kinds).
This authorization strategy requires that agent/proxycfg only fetches data using a token with the same permissions, and that it only stores data by proxy ID. We assume that any data in the snapshot was already filtered, which allows this authorization to only perform a shallow check against the proxy ID.