Support XFFC validation as First class api in SecurityPolicy

[nathanwang-ops]

Description:

When using mTLS for AuthN, RBAC AuthZ should support client certification validation

    authorization:
      defaultAction: Deny
      rules:
        principal:
          clientCert:
            Subject: foo.bar.com
            URI: http://foo.bar.com

[optional Relevant Links:]
#2250
#5310

[guydc]

Hi @nathanwang-ops !

XFCC may contain multiple appended client certs or no client certs at all, depending on how envoy is configured and other proxies along the way work.

Should this validation apply to the current peer cert used to establish the MTLS connection with envoy, irregardless of the contents of XFCC?

In your example, is Subject the DNS SAN and URI the URI SAN?

[nathanwang-ops]

@guydc
This validation should only apply to current peer cert used to establish the mTLS connection.
In the example, the Subject is the DNS SAN and URI is URI SAN.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

[nathanwang-comp]

Will this be included in 1.4

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.