authz

Documentation

Overview

Package authz converts Istio RBAC (role-based-access-control) policies (ServiceRole and ServiceRoleBinding) to corresponding filter config that is used by the envoy RBAC filter to enforce access control to the service co-located with envoy. Currently the config is only generated for sidecar node on inbound HTTP listener. The generation is controlled by RbacConfig (a singleton custom resource defined in istio-system namespace). User could disable this by either deleting the RbacConfig or set the RbacConfig.mode to OFF. Note: This is still working in progress and by default no RbacConfig is created in the deployment of Istio which means this plugin doesn't generate any RBAC config by default.

Index

• Constants
• func NewPlugin() plugin.Plugin
• type Plugin
  • func (Plugin) OnInboundCluster(env model.Environment, node model.Proxy, service *model.Service, ...)
  • func (Plugin) OnInboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
  • func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
  • func (Plugin) OnOutboundCluster(env model.Environment, node model.Proxy, service *model.Service, ...)
  • func (Plugin) OnOutboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
  • func (Plugin) OnOutboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)

Constants

const (
	// RbacFilterName is the name of the RBAC filter in envoy.
	RbacFilterName = "envoy.filters.http.rbac"

	// RbacConfigName is the name of the RbacConfig custom resource that controls the RBAC behavior.
	RbacConfigName = "rbac-config"
)

Functions

func NewPlugin

func NewPlugin() plugin.Plugin

NewPlugin returns an instance of the authz plugin

Types

type Plugin

type Plugin struct{}

Plugin implements Istio RBAC authz

func (Plugin) OnInboundCluster

func (Plugin) OnInboundCluster(env model.Environment, node model.Proxy, service *model.Service,
	servicePort *model.Port, cluster *xdsapi.Cluster)

OnInboundCluster implements the Plugin interface method.

func (Plugin) OnInboundListener

func (Plugin) OnInboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error

OnInboundListener is called whenever a new listener is added to the LDS output for a given service Can be used to add additional filters (e.g., mixer filter) or add more stuff to the HTTP connection manager on the inbound path

func (Plugin) OnInboundRouteConfiguration

func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)

OnInboundRouteConfiguration implements the Plugin interface method.

func (Plugin) OnOutboundCluster

func (Plugin) OnOutboundCluster(env model.Environment, node model.Proxy, service *model.Service,
	servicePort *model.Port, cluster *xdsapi.Cluster)

OnOutboundCluster implements the Plugin interface method.

func (Plugin) OnOutboundListener

func (Plugin) OnOutboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error

OnOutboundListener is called whenever a new outbound listener is added to the LDS output for a given service Can be used to add additional filters on the outbound path

func (Plugin) OnOutboundRouteConfiguration

func (Plugin) OnOutboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)

OnOutboundRouteConfiguration implements the Plugin interface method.