Tags: kubernetes, envoyproxy

Using RBAC Network Filter to block ingress or egress to/from service in Envoy Proxy


I want to try and configure a filter in Envoy Proxy to block ingress and egress to the service based on some IPs, hostnames, routing tables, etc.

I have searched the documentation and see that it's possible, but didn't get any examples of its usage.

Can someone point out some example of how it can be done?

I have figured out something like this:

```yaml
network_filters:
- name: service-access
  config:
    rules:
      action: ALLOW
      policies:
        "service-access":
          principals:
            source_ip: 192.168.135.211
          permissions:
          - destination_ip: 0.0.0.0
          - destination_port: 443
```

But I am not able to apply this network filter. All the configurations give me a configuration error.


Solution

  • This is a complete RBAC filter config given to me by the Envoy team in their GitHub issue. Haven't tested it out, though.

```yaml
static_resources:
  listeners:
  - name: "ingress listener"
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 9001
    filter_chains:
    - filters:   # filter_chains is a list; the "-" was missing in the posted config
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: local_service
                # Per-route RBAC overrides the listener-wide filter rules for this route.
                per_filter_config:
                  envoy.filters.http.rbac:
                    rbac:
                      rules:
                        action: ALLOW
                        policies:
                          "per-route-rule":
                            permissions:
                            - any: true
                            principals:
                            - any: true
          http_filters:
          # Listener-wide RBAC: ALLOW with any/any admits every request.
          - name: envoy.filters.http.rbac
            config:
              rules:
                action: ALLOW
                policies:
                  "general-rules":
                    permissions:
                    - any: true
                    principals:
                    - any: true
          - name: envoy.router
            config: {}
          access_log:
            name: envoy.file_access_log
            config: {path: /dev/stdout}

  clusters:
  - name: local_service
    connect_timeout: 0.250s
    type: static
    lb_policy: round_robin
    http2_protocol_options: {}
    hosts:
    - socket_address:
        address: 127.0.0.1
        port_value: 9000

admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8080
```
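A network-level RBAC filter that does what the question asked (admit only one source IP to port 443 and drop every other connection before any HTTP parsing), as an added example that is neither the asker's fragment nor the config from the Envoy team: it uses the v3 `typed_config` API, the listener and cluster names are reused from the answer above, and the source address is the one from the question. The comments mark the points that made the question's fragment fail validation.

```yaml
static_resources:
  listeners:
  - name: "ingress listener"
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - filters:
      # Network RBAC sits in front of the next filter, so a rejected
      # connection is closed before any bytes reach the upstream.
      - name: envoy.filters.network.rbac
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
          stat_prefix: service_access   # required; missing from the question's fragment
          rules:
            action: ALLOW               # connections matching no policy are denied
            policies:
              "service-access":
                principals:
                # principals is a list, and IPs are CidrRange objects, not bare strings
                - direct_remote_ip: { address_prefix: 192.168.135.211, prefix_len: 32 }
                permissions:
                # sibling permissions are OR-ed; and_rules requires both conditions
                - and_rules:
                    rules:
                    - destination_ip: { address_prefix: 0.0.0.0, prefix_len: 0 }  # any local address
                    # destination_port is the port the connection arrived on (this listener)
                    - destination_port: 443
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: ingress_tcp
          cluster: local_service
  clusters:
  - name: local_service
    connect_timeout: 0.25s
    type: STATIC
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: local_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9000 }
```

To see what a policy would reject before enforcing it, put the same rules under `shadow_rules` first: shadow rules only update the filter's statistics and never close a connection.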