35c4efd220
Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
31 lines
1.1 KiB
Plaintext
31 lines
1.1 KiB
Plaintext
{
|
|
"name": "envoy.filters.network.rbac",
|
|
"config": {
|
|
"rules": {
|
|
"action": "DENY",
|
|
"policies": {
|
|
"consul-intentions-layer4": {
|
|
"permissions": [
|
|
{
|
|
"any": true
|
|
}
|
|
],
|
|
"principals": [
|
|
{
|
|
"authenticated": {
|
|
"principal_name": {
|
|
"safe_regex": {
|
|
"google_re2": {
|
|
},
|
|
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"stat_prefix": "connect_authz"
|
|
}
|
|
} |