Envoy/Istio: Custom HTML page for RBAC: access denied (403)? #3422

@csanadpoda

Description

Validation Checklist

  • I confirm that this is a Kubeflow-related issue.
  • I am reporting this in the appropriate repository.
  • I have followed the Kubeflow installation guidelines.
  • The issue report is detailed and includes version numbers where applicable.
  • I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).
  • This issue pertains to Kubeflow development.
  • I am available to work on this issue.
  • You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

Version

1.10.2

Detailed Description

Goal: return a custom HTML page for RBAC-denied requests instead of the default plain-text:

RBAC: access denied

This produces a poor browser experience.

Current approach

EnvoyFilter using local_reply_config on ingress gateway.

Matches:

  • HTTP 403
  • Accept header contains text/html

Rewrites body to HTML.

Issue

This matches ALL 403 responses, not just RBAC.

Examples incorrectly affected:

  • ext_authz denials
  • route failures
  • upstream-generated 403
  • other filters returning 403

There is no way in local_reply_config to distinguish RBAC-specific denials.

Limitation

Envoy local_reply_config supports:

  • status_code_filter
  • header_filter
  • logical filters

It does NOT support:

  • response_code_details_filter matching
  • filter-origin matching (RBAC vs others)

RBAC emits:

  • status: 403
  • body: "RBAC: access denied"
  • response_code_details: rbac_access_denied_matched_policy[...]

But response_code_details is not usable in filters.

Question

Is there a supported way to:

  • target only RBAC-generated 403 responses
  • and customize their HTML response

If not, is there a recommended pattern for this use case?

Steps to Reproduce

  1. Install Kubeflow as described
  2. Restrict a user from any application on the central dashboard via RBAC
  3. Make the user click on the restricted app in the left side menu
  4. White text on black background says RBAC: access denied

Screenshots or Videos (Optional)

No response
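For readers who want to see the "Current approach" written out, here is an EnvoyFilter of that shape as an added example (it is not the reporter's manifest; the filter name `rbac-denied-html`, the `istio-system` namespace, the `istio: ingressgateway` selector and the `runtime_key` value are assumptions):

```yaml
# Added example, not the reporter's manifest; gateway labels/names are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rbac-denied-html
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          local_reply_config:
            mappers:
            - filter:
                and_filter:
                  filters:
                  # Matches on status only: every 403, not just RBAC denials.
                  - status_code_filter:
                      comparison:
                        op: EQ
                        value:
                          default_value: 403
                          runtime_key: local_reply.rbac_html_status
                  # Only rewrite for browsers; API clients keep the plain-text body.
                  - header_filter:
                      header:
                        name: accept
                        string_match:
                          contains: text/html
              body_format_override:
                content_type: "text/html; charset=utf-8"
                text_format_source:
                  inline_string: |
                    <html><body>
                    <h1>Access denied</h1>
                    <p>%LOCAL_REPLY_BODY%</p>
                    </body></html>
```

`%LOCAL_REPLY_BODY%` embeds Envoy's original local-reply text (for RBAC, "RBAC: access denied"), which is the only hint of the originating filter this mapper can surface, since the filter block itself cannot see `response_code_details`.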
