added role-based access control (RBAC)

envoy.yaml

@@ -20,8 +20,7 @@ static_resources:
               match_typed_subject_alt_names:
               - san_type: URI
                 matcher:
-                  # exact: proxy-postgres-frontend.example.com
-                  exact: spiffe://john-stream.com/ubuntu
+                  prefix: spiffe://john-stream.com
             tls_certificates:
             - certificate_chain:
                 filename: /certs/cert.pem
@@ -43,6 +42,24 @@ static_resources:
                 route:
                   cluster: rest_server
           http_filters:
+          - name: envoy.filters.http.rbac
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
+              rules:
+                action: ALLOW
+                policies:
+                  "data_policy":
+                    permissions:
+                      - and_rules:
+                          rules:
+                            - header:
+                                name: ":path"
+                                string_match:
+                                  prefix: "/dev-test"
+                    principals:
+                      - authenticated:
+                          principal_name:
+                            exact: "spiffe://john-stream.com/ubuntu"
           - name: envoy.filters.http.router
             typed_config:
               "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router