envoy: add rbac metrics (#16165)

* envoy: add rbac metrics * Add envoy rbac metrics * unit test * changelog * Update metadata.csv see also https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/rbac_filter Signed-off-by: William Dauchy <[email protected]> * fix changelog --------- Signed-off-by: William Dauchy <[email protected]> Co-authored-by: steveny91 <[email protected]>
DataDog · Nov 10, 2023 · e002859 · e002859
1 parent b36ca91
commit e002859
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 0 deletions.
diff --git a/envoy/changelog.d/16165.added b/envoy/changelog.d/16165.added
@@ -0,0 +1 @@
+Add rbac metrics
diff --git a/envoy/datadog_checks/envoy/metrics.py b/envoy/datadog_checks/envoy/metrics.py
@@ -368,6 +368,10 @@
     'envoy_tcp_on_demand_cluster_timeout': 'tcp.on_demand_cluster_timeout',
     'envoy_tcp_upstream_flush': 'tcp.upstream_flush',
     'envoy_tcp_upstream_flush_active': 'tcp.upstream_flush_active',
+    'envoy_http_rbac_allowed': 'http.rbac_allowed',
+    'envoy_http_rbac_denied': 'http.rbac_denied',
+    'envoy_http_rbac_shadow_allowed': 'http.rbac_shadow_allowed',
+    'envoy_http_rbac_shadow_denied': 'http.rbac_shadow_denied',
 }
 
 # fmt: off

diff --git a/envoy/metadata.csv b/envoy/metadata.csv
@@ -530,6 +530,10 @@ envoy.http.downstream_rq_3xx,count,,response,,[Legacy] Total 3xx responses,0,env
 envoy.http.downstream_rq_4xx,count,,response,,[Legacy] Total 4xx responses,-1,envoy,,
 envoy.http.downstream_rq_5xx,count,,response,,[Legacy] Total 5xx responses,-1,envoy,,
 envoy.http.downstream_rq_ws_on_non_ws_route,count,,request,,[Legacy] Total WebSocket upgrade requests rejected by non WebSocket routes,0,envoy,,
+envoy.http.rbac_allowed.count,count,,request,,[OpenMetrics V2] Total requests that were allowed access,-1,envoy,,
+envoy.http.rbac_denied.count,count,,request,,[OpenMetrics V2] Total requests that were denied access,-1,envoy,,
+envoy.http.rbac_shadow_allowed.count,count,,request,,[OpenMetrics V2] Total requests that would be allowed access by the filter's shadow rules,-1,envoy,,
+envoy.http.rbac_shadow_denied.count,count,,request,,[OpenMetrics V2] Total requests that would be denied access by the filter's shadow rules,-1,envoy,,
 envoy.http.rs_too_large,count,,error,,[Legacy] Total response errors due to buffering an overly large body,-1,envoy,,
 envoy.http.user_agent.downstream_cx_total,count,,connection,,[Legacy] Total connections,0,envoy,,
 envoy.http.user_agent.downstream_cx_destroy_remote_active_rq,count,,connection,,[Legacy] Total connections destroyed remotely with active requests,-1,envoy,,

diff --git a/envoy/tests/common.py b/envoy/tests/common.py
@@ -214,6 +214,10 @@
     "http.passthrough_internal_redirect_predicate.count",
     "http.passthrough_internal_redirect_too_many_redirects.count",
     "http.passthrough_internal_redirect_unsafe_scheme.count",
+    "http.rbac_allowed.count",
+    "http.rbac_denied.count",
+    "http.rbac_shadow_allowed.count",
+    "http.rbac_shadow_denied.count",
     "http.rq_direct_response.count",
     "http.rq_redirect.count",
     "http.rq_reset_after_downstream_response_started.count",
@@ -584,6 +588,10 @@
     "http.downstream_rq_xx.count",
     "http.no_cluster.count",
     "http.no_route.count",
+    "http.rbac_allowed.count",
+    "http.rbac_denied.count",
+    "http.rbac_shadow_allowed.count",
+    "http.rbac_shadow_denied.count",
     "http.rq.count",
     "http.rq_direct_response.count",
     "http.rq_redirect.count",

diff --git a/envoy/tests/docker/api_v3/front-envoy.yaml b/envoy/tests/docker/api_v3/front-envoy.yaml
@@ -52,6 +52,13 @@ static_resources:
                     "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
                     disabled: true
           http_filters:
+          - name: envoy.filters.http.rbac
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
+              rules:
+                action: DENY
+              shadow_rules:
+                action: DENY
           - name: envoy.filters.http.ext_authz
             typed_config:
               "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz

diff --git a/envoy/tests/fixtures/openmetrics.txt b/envoy/tests/fixtures/openmetrics.txt
@@ -373,6 +373,14 @@ envoy_http_downstream_cx_destroy_local_active_rq{envoy_http_conn_manager_prefix=
 # TYPE envoy_http_downstream_rq_ws_on_non_ws_route counter
 envoy_http_downstream_rq_ws_on_non_ws_route{envoy_http_conn_manager_prefix="ingress_http"} 0
 envoy_http_downstream_rq_xx{envoy_response_code_class="4",envoy_http_conn_manager_prefix="ingress_http"} 0
+# TYPE envoy_http_rbac_allowed counter
+envoy_http_rbac_allowed{envoy_http_conn_manager_prefix="ingress_http"} 0
+# TYPE envoy_http_rbac_denied counter
+envoy_http_rbac_denied{envoy_http_conn_manager_prefix="ingress_http"} 0
+# TYPE envoy_http_rbac_shadow_allowed counter
+envoy_http_rbac_shadow_allowed{envoy_http_conn_manager_prefix="ingress_http"} 0
+# TYPE envoy_http_rbac_shadow_denied counter
+envoy_http_rbac_shadow_denied{envoy_http_conn_manager_prefix="ingress_http"} 0
 # TYPE envoy_listener_worker_4_downstream_cx_total counter
 envoy_listener_worker_4_downstream_cx_total{envoy_listener_address="0.0.0.0_80"} 0
 # TYPE envoy_listener_http_downstream_rq_xx counter