envoyproxy/gateway

feat: Allow additional "actions/operations" matching in SecurityPolicy authorization rules

Open

#7,678 opened on 2025年12月5日

GitHub で見る
 (7 comments) (0 reactions) (0 assignees)Go (802 forks)auto 404
help wantedkind/enhancementkind/feature

Repository metrics

Stars
 (2,871 stars)
PR merge metrics
 (PR metrics pending)

説明

Description: Right now the AuthorizationRule model used in SecurityPolicy is based on principal/operation combo, with operation allowing only to match HTTPMethod. That is a direct limitation compared to what you can do in "native" Envoy, where RBAC "rules" consist of a "permissions/principals" combo with "permissions" defining a lot a different actions matching (header, url_path, destination_ip...). Let's consider the following Envoy exemple :

                  permissions:
                    - or_rules:
                        rules:
                          - header:
                              name: ":authority"
                              string_match:
                                exact: <DOMAIN_1>
                          - header:
                              name: ":authority"
                              string_match:
                                exact: <DOMAIN_2>
                  principals:
                    - sourced_metadata:
                        metadata_source: DYNAMIC
                        metadata_matcher:
                          filter: envoy.filters.http.jwt_authn
                          path:
                            - key: google_jwt_payload
                            - key: email
                          value:
                            string_match:
                              exact: <IDENTITY>

To my understanding you have no way to replicate such a global RBAC at Gateway level with EnvoyGateway, all you can do is define it at route level by moving the header matching part in HTTPRoute.

Im not sure why the approach was different originally and "permissions" concept was not mirrored in SecurityPolicy "rules" but shouldn't we consider that "operation" has to match "permissions" feature-wise and allow to define the same kind of actions matching (header, url_path, destination_ip...)?

コントリビューターガイド