Envoy RBAC
Service Mesh Authorization
- Authorization
  - A service mesh provides the ability to enforce service-to-service and end-user-to-service authorization.
  - Using a service mesh for authorization can help secure your services and enforce the principle of least privilege.
There are two authorization types that can be enforced with a service mesh:

- Role Based Access Control (RBAC)
  - Role-based access control is defined around "roles" and "permissions" and is independent of policies.
  - Grant access by roles
  - Coarse-grained
  - May cause role explosions
  - Separation of duty (SOD)
- Attribute Based Access Control (ABAC)
  - The next-generation authorization model
  - Attribute-based access control
  - Grant access by policies; also known as policy-based access control. It defines an access control paradigm that grants users access by combining attributes into policies. Compared with RBAC, it additionally takes attributes other than roles and groups into account, and it is based on policies rather than statically defined permissions.
  - Boolean logic: policies can be defined on complex sets of boolean rules.
  - Context, such as time, location and IP.
  - ABAC can be regarded as an external, dynamic authorization management mechanism that is able to perform fine-grained authorization.
- OPA: Open Policy Agent
  - An open-source, general-purpose policy engine for unifying policy enforcement across the whole stack.
  - Policies are defined in the high-level declarative language Rego (also called the policy language).
  - Commonly used to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, etc.
RBAC
- RBAC is an operation-level authorization mechanism: it defines which "subject" may perform which "verb" on which "object" (or class of objects).
- Envoy's RBAC filter provides service-level and method-level access control for services; the HTTP filter's configuration name is envoy.filters.http.rbac.
- The filter supports an allow-list (Allow) or block-list (Deny) policy set based on connection properties (IP, port or SSL subject) and the headers of the incoming HTTP request.
- It supports an enforcement mode and a shadow mode; shadow mode only validates policies and has no real effect on traffic.
- Envoy's RBAC configuration consists mainly of two parameters:
  - action: the action to take when a policy matches. A request is permitted if and only if
    - action is ALLOW and at least one policy matches, or
    - action is DENY and no policy matches.
  - policies: a map from policy name to policy; a match succeeds when at least one policy matches the request.
RBAC configuration format

Network filter configuration format

listeners:
- ...
  filter_chains:
  - filter_chain_match: {...}
    use_proxy_proto: {...}
    transport_socket: {...}
    transport_socket_connect_timeout: {...}
    name: ...
    filters: # List of the individual network filters that make up the filter chain for connections established with the listener. Order matters: filters are processed sequentially as connection events occur. Note: if the filter list is empty, the connection is closed by default.
    - name: envoy.filters.network.rbac # Name of the filter configuration; it depends on the filter specified in typed_config.
      typed_config: # Filter-specific configuration, which depends on the filter being instantiated.
        "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
        rules: {...}
        matcher: {...}
        shadow_rules: {...}
        shadow_matcher: {...}
        shadow_rules_stat_prefix: ...
        stat_prefix: ...
        enforcement_type: ...
HTTP filter configuration format

listeners:
- ...
  filter_chains:
  - ...
    name: ...
    filters: # List of the individual network filters that make up the filter chain for connections established with the listener. Order matters: filters are processed sequentially as connection events occur. Note: if the filter list is empty, the connection is closed by default.
    - name: envoy.filters.network.http_connection_manager # Name of the filter configuration; it depends on the filter specified in typed_config.
      typed_config: # Filter-specific configuration, which depends on the filter being instantiated.
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        ...
        http_filters:
        - name: envoy.filters.http.rbac
          config_discovery: {...}
          is_optional: ...
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
            rules:
              action: ... # Action to take when a policy matches; ALLOW, DENY or LOG.
              policies: # Authorization policies, a map from policy name to policy.
                <policy_name>:
                  permissions: # List of permissions granted to a role; list items are combined with OR.
                  - and_rules: {...} # A set of permissions combined with AND.
                    or_rules: {...} # A set of permissions combined with OR.
                    any: ... # Boolean; whether to match every action.
                    header: {...} # Checks the specified header of the incoming HTTP request; HTTP requests only.
                    url_path: {...}
                    destination_ip: {...} # Permission on a CIDR block of destination IPs.
                    destination_port: ... # Permission on the destination port.
                    destination_port_range: {...}
                    metadata: {...} # Permission on the specified metadata.
                    not_rule: {...} # A permission defined as the negation (NOT) of another permission.
                    requested_server_name: {...} # Permission on the server name requested by the client.
                    matcher: {...}
                  principals:
                  - and_ids: {...} # A set of principals combined with AND.
                    or_ids: {...} # A set of principals combined with OR.
                    any: ...
                    authenticated: {...} # An authenticated principal.
                    source_ip: {...}
                    direct_remote_ip: {...}
                    remote_ip: {...}
                    header: {...} # The specified header of the incoming HTTP request.
                    url_path: {...}
                    metadata: {...} # Metadata describing additional information about the subject.
                    not_id: {...} # A negated principal, i.e. any principal other than the specified one.
                  condition: {...}
            matcher: {...}
            shadow_rules: {...}
            shadow_matcher: {...}
            shadow_rules_stat_prefix: ...
RBAC configuration example

- The service account cluster.local/ns/default/sa/admin has full access to the service, and so does "cluster.local/ns/default/sa/superuser".
- Any user can read (GET) the service at paths with the prefix /products, so long as the destination port is either 80 or 443.

action: ALLOW
policies:
  "service-admin":
    permissions:
    - any: true
    principals:
    - authenticated:
        principal_name:
          exact: "cluster.local/ns/default/sa/admin"
    - authenticated:
        principal_name:
          exact: "cluster.local/ns/default/sa/superuser"
  "product-viewer":
    permissions:
    - and_rules:
        rules:
        - header:
            name: ":method"
            string_match:
              exact: "GET"
        - url_path:
            path: { prefix: "/products" }
        - or_rules:
            rules:
            - destination_port: 80
            - destination_port: 443
    principals:
    - any: true
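To make the ALLOW/DENY decision rule concrete, here is an added Python model of the RBAC evaluation (not Envoy's own code, which does this in C++) that runs the example rules above against constructed request attributes. The function names and the request dict layout are chosen here, and only the matchers the example uses are modelled.

```python
RULES = {  # the "RBAC configuration example" above, written as a Python dict
    "action": "ALLOW",
    "policies": {
        "service-admin": {"permissions": [{"any": True}],
                          "principals": [{"authenticated": {"principal_name": {"exact": sa}}}
                                         for sa in ("cluster.local/ns/default/sa/admin",
                                                    "cluster.local/ns/default/sa/superuser")]},
        "product-viewer": {"principals": [{"any": True}], "permissions": [{"and_rules": {"rules": [
            {"header": {"name": ":method", "string_match": {"exact": "GET"}}},
            {"url_path": {"path": {"prefix": "/products"}}},
            {"or_rules": {"rules": [{"destination_port": 80}, {"destination_port": 443}]}},
        ]}}]},
    },
}

def match_permission(perm: dict, req: dict) -> bool:
    # req models what the filter sees: ":method", ":path", "dest_port" and
    # "principal" (the client identity verified via mTLS, or None if anonymous)
    kind, val = next(iter(perm.items()))
    if kind == "any":
        return bool(val)
    if kind == "and_rules":
        return all(match_permission(r, req) for r in val["rules"])
    if kind == "or_rules":
        return any(match_permission(r, req) for r in val["rules"])
    if kind == "header":  # exact match only; Envoy also supports prefix/regex
        return req.get(val["name"]) == val["string_match"]["exact"]
    if kind == "url_path":
        return req[":path"].startswith(val["path"]["prefix"])
    if kind == "destination_port":
        return req["dest_port"] == val
    raise ValueError(f"permission matcher not modelled here: {kind}")

def match_principal(pr: dict, req: dict) -> bool:
    kind, val = next(iter(pr.items()))
    if kind == "any":
        return bool(val)
    if kind == "authenticated":
        return req.get("principal") == val["principal_name"]["exact"]
    raise ValueError(f"principal matcher not modelled here: {kind}")

def rbac_allows(rules: dict, req: dict) -> bool:
    # a policy matches when any permission AND any principal match; with action
    # ALLOW the request passes iff some policy matches, with DENY iff none does
    matched = any(any(match_permission(p, req) for p in pol["permissions"])
                  and any(match_principal(p, req) for p in pol["principals"])
                  for pol in rules["policies"].values())
    return matched if rules["action"] == "ALLOW" else not matched
```

Swapping `"action"` to `"DENY"` over the same policies inverts the outcome, which is the usual way to check a rule set before enabling it through `shadow_rules`.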
References
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/rbac/v3/rbac.proto#extension-envoy-filters-network-rbac
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/rbac/v3/rbac.proto#envoy-v3-api-msg-extensions-filters-http-rbac-v3-rbac
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/rbac_filter