@incfly
Created April 29, 2022 18:51
istio-rbac-customize-error-message

Goal

Customize the error message returned when a request is denied (RBAC) by an Istio AuthorizationPolicy.

Steps

  1. Deploy Istio (tested with 1.12.1).
  2. Deploy httpbin and sleep in the default namespace with sidecar injection enabled.
  3. `kubectl apply -f ./authz.yaml`
  4. Check that requests from sleep to httpbin get the "RBAC denied" error message.
  5. `kubectl apply -f ./ef.yaml`
  6. Check again and see that the message has changed to `Made it work! 400 - RBAC: access denied%`
authz.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: default
spec: {}
```
ef.yaml

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: customize-authz-response
  namespace: default
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          server_name: incfly-envoy-rbac
          local_reply_config:
            mappers:
            - filter:
                status_code_filter:
                  comparison:
                    op: EQ
                    value:
                      default_value: 403
                      runtime_key: key_bcd
              status_code: 400
              body_format:
                text_format_source:
                  inline_string: "Made it work! %RESPONSE_CODE% - %LOCAL_REPLY_BODY%"
  workloadSelector:
    labels:
      app: httpbin
```
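To make it clear what the `local_reply_config` above actually does, here is an added simulation of the mapper semantics (not code from this gist, and not Envoy's own code): the mapper in `ef.yaml` is transcribed into a Python dict, and `apply_local_reply` models Envoy's rule that the first mapper whose `status_code_filter` matches a locally generated reply may override its status code and body, with `%RESPONSE_CODE%` rendering the overridden code (which is why step 6 shows `400`, not `403`). The constructed sample replies below also show the caveat a practitioner should keep in mind: the filter matches every local reply with status 403, not only RBAC denials, while replies with other codes and responses that come from httpbin itself are untouched. The `GE`/`LE` operators and the `runtime_key` handling are assumptions about Envoy's comparison filter that the page itself does not exercise.

```python
"""Model of how an Envoy local_reply_config mapper rewrites local replies.

Constructed example: it reproduces the matching/rewriting rule, not Envoy.
"""

# Mapper transcribed from ef.yaml (same fields, as a Python dict).
MAPPERS = [
    {
        "filter": {
            "status_code_filter": {
                "comparison": {
                    "op": "EQ",
                    # runtime_key would let the value be overridden at runtime;
                    # only default_value is modelled here (assumption).
                    "value": {"default_value": 403, "runtime_key": "key_bcd"},
                }
            }
        },
        "status_code": 400,
        "body_format": {
            "text_format_source": {
                "inline_string": "Made it work! %RESPONSE_CODE% - %LOCAL_REPLY_BODY%"
            }
        },
    }
]

# Envoy's ComparisonFilter supports EQ, GE and LE (assumption beyond the page).
_OPS = {
    "EQ": lambda status, value: status == value,
    "GE": lambda status, value: status >= value,
    "LE": lambda status, value: status <= value,
}


def mapper_matches(mapper, status):
    """True when the mapper's status_code_filter accepts this status code."""
    cmp = mapper["filter"]["status_code_filter"]["comparison"]
    return _OPS[cmp["op"]](status, cmp["value"]["default_value"])


def render(fmt, status, body):
    """Substitute the two format operators used on the page."""
    return fmt.replace("%RESPONSE_CODE%", str(status)).replace("%LOCAL_REPLY_BODY%", body)


def apply_local_reply(status, body, mappers=MAPPERS):
    """Return (status, body) after the first matching mapper, unchanged if none matches."""
    for mapper in mappers:
        if not mapper_matches(mapper, status):
            continue
        new_status = mapper.get("status_code", status)  # override applied first
        fmt = (
            mapper.get("body_format", {})
            .get("text_format_source", {})
            .get("inline_string")
        )
        new_body = render(fmt, new_status, body) if fmt else body
        return new_status, new_body
    return status, body


def proxy_response(status, body, local_reply):
    """Only replies generated by Envoy itself go through local_reply_config."""
    return apply_local_reply(status, body) if local_reply else (status, body)


# Constructed sample traffic seen by the httpbin sidecar.
SAMPLES = [
    # (status, body, generated by Envoy?, description)
    (403, "RBAC: access denied", True, "authz policy denial"),
    (403, "forbidden by app", False, "httpbin itself answered 403"),
    (404, "route not found", True, "Envoy local reply with another code"),
    (200, '{"args": {}}', False, "normal upstream response"),
]


def demo():
    """Return what each sample becomes after the mapper is applied."""
    return [(desc, proxy_response(s, b, local)) for s, b, local, desc in SAMPLES]


if __name__ == "__main__":
    for desc, (status, body) in demo():
        print(f"{desc:40s} -> {status} {body}")
</test>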