Validation Checklist
Version
1.10.2
Detailed Description
Goal: return a custom HTML page for RBAC-denied requests instead of the default plain-text:
RBAC: access denied
This produces a poor browser experience.
Current approach
EnvoyFilter using local_reply_config on ingress gateway.
Matches:
- HTTP 403
- Accept header contains text/html
Rewrites body to HTML.
Issue
This matches ALL 403 responses, not just RBAC.
Examples incorrectly affected:
- ext_authz denials
- route failures
- upstream-generated 403
- other filters returning 403
There is no way in local_reply_config to distinguish RBAC-specific denials.
Limitation
Envoy local_reply_config supports:
- status_code_filter
- header_filter
- logical filters
It does NOT support:
- response_code_details_filter matching
- filter-origin matching (RBAC vs others)
RBAC emits:
- status: 403
- body: "RBAC: access denied"
- response_code_details: rbac_access_denied_matched_policy[...]
But response_code_details is not usable in filters.
Question
Is there a supported way to:
- target only RBAC-generated 403 responses
- and customize their HTML response
If not, is there a recommended pattern for this use case?
Steps to Reproduce
- Install Kubeflow as described
- Restrict a user from any application on the central dashboard via RBAC
- Make the user click on the restricted app in the left side menu
- White text on black background says RBAC: access denied
Screenshots or Videos (Optional)
No response
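For reference, an EnvoyFilter of the kind described under "Current approach" could look like the sketch below. It is an added example, not the reporter's or the project's actual manifest. The resource name, namespace, gateway selector label, runtime key and HTML body are assumptions.

```yaml
# Added illustration; name, namespace, selector label and runtime key are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: html-403-local-reply        # hypothetical name
  namespace: istio-system           # assumed gateway namespace
spec:
  workloadSelector:
    labels:
      istio: ingressgateway         # assumed ingress gateway pod label
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          local_reply_config:
            mappers:
            - filter:
                and_filter:
                  filters:
                  # Condition 1: status is 403. Nothing here names the filter that produced it.
                  - status_code_filter:
                      comparison:
                        op: EQ
                        value:
                          default_value: 403
                          runtime_key: html_403_status   # hypothetical runtime key
                  # Condition 2: the client's Accept header contains text/html.
                  - header_filter:
                      header:
                        name: accept
                        string_match:
                          contains: text/html
              # Replace the plain-text body with a static HTML page.
              body_format_override:
                text_format_source:
                  inline_string: "<html><body><h1>Access denied</h1><p>You do not have permission to open this application.</p></body></html>"
                content_type: "text/html; charset=UTF-8"
```

The mapper's only conditions are the status code and the Accept header, which is the scoping problem the report describes.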