From f92924b74fb1a8f597de3edb1e68a380f2d91189 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Fri, 2 Jan 2026 13:32:42 -0600
Subject: [PATCH] added role-based access control (RBAC)

---
 envoy.yaml | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/envoy.yaml b/envoy.yaml
index 91e39eb..634cc93 100644
--- a/envoy.yaml
+++ b/envoy.yaml
@@ -20,8 +20,7 @@ static_resources:
 match_typed_subject_alt_names:
 - san_type: URI
 matcher:
- # exact: proxy-postgres-frontend.example.com
- exact: spiffe://john-stream.com/ubuntu
+ prefix: spiffe://john-stream.com
 tls_certificates:
 - certificate_chain:
 filename: /certs/cert.pem
@@ -43,6 +42,24 @@ static_resources:
 route:
 cluster: rest_server
 http_filters:
+ - name: envoy.filters.http.rbac
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
+ rules:
+ action: ALLOW
+ policies:
+ "data_policy":
+ permissions:
+ - and_rules:
+ rules:
+ - header:
+ name: ":path"
+ string_match:
+ prefix: "/dev-test"
+ principals:
+ - authenticated:
+ principal_name:
+ exact: "spiffe://john-stream.com/ubuntu"
 - name: envoy.filters.http.router
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
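Review bot: `prefix: spiffe://john-stream.com` has no trailing slash, so it also accepts any SPIFFE ID whose trust domain merely begins with that string (for example `spiffe://john-stream.community/...`) should the configured CA ever issue one; anchoring it as `prefix: spiffe://john-stream.com/` pins the match to exactly this trust domain. Because the hunk widens the TLS-level check from one workload to every identity in the domain, per-workload authorization now rests entirely on the RBAC HTTP filter, which deserves a comment next to the matcher: `# any identity in the john-stream.com trust domain may connect; per-workload authorization is enforced by the RBAC HTTP filter`. Note that the SAN matcher only constrains certificates that are presented; whether a client certificate is required at all is governed by `require_client_certificate`, which is outside this hunk and worth confirming.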
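Review bot: The `prefix: "/dev-test"` match on the raw `:path` header also admits `/dev-testing` and `/dev-test-admin`, and since `:path` is compared as received it passes `/dev-test/../other` on to the upstream unless the HTTP connection manager (outside this hunk) sets `normalize_path: true` and `merge_slashes: true`. Prefer the RBAC `url_path` permission over a `header` match on `:path` so the query string is excluded from the comparison, and anchor the prefix with a trailing slash plus a separate `exact` rule if the bare path must also be reachable; permissions in a policy are OR'd, so two entries express that cleanly. The single-entry `and_rules` wrapper is redundant and can be dropped. The deny-by-default that `action: ALLOW` gives only holds if the listener actually requires a client certificate — `require_client_certificate` is not visible here, so that should be checked alongside this filter.
```yaml
                permissions:
                - url_path:
                    path:
                      prefix: "/dev-test/"
                - url_path:
                    path:
                      exact: "/dev-test"
                # … unchanged: principals …
```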