grpc.Creds(creds),
			}

			bootstrapB := GRPCBootstrap("echo-rbac-mtls", "test", "127.0.1.1", xdsPort)
			grpcOptions = append(grpcOptions, xdsgrpc.BootstrapContentsForTesting(bootstrapB))

			// Replaces: grpc NewServer
			grpcServer, err := xdsgrpc.NewGRPCServer(grpcOptions...)
			if err != nil {
				t.Fatal(err)
			}

			testRBAC(t, grpcServer, xdsresolver, "echo-rbac-mtls", port, lis)
		})
	})

}

// IsHTTPS is true if protocol is HTTPS
func (i Instance) IsHTTPS() bool {
	switch i {
	case HTTPS:
		return true
	default:
		return false
	}
}

// IsGRPC is true for GRPC protocols.
func (i Instance) IsGRPC() bool {
	switch i {
	case GRPC, GRPCWeb:
		return true
	default:
		return false
	}
}

func (i Instance) IsUnsupported() bool {
	return i == Unsupported
}

		}))

	return checkRequest(opts, expectAllowed, checkHeaders)
}

func checkRequest(opts echo.CallOptions, expectAllowed bool, checkHeaders echo.Checker) echo.Checker {
	switch {
	case opts.Port.Protocol.IsGRPC():
		switch opts.HTTP.Headers.Get(XExtAuthz) {
		case XExtAuthzAllow:
			return check.And(check.NoError(), checkHeaders)
		default:
			// Deny
			return check.And(check.Forbidden(protocol.GRPC),

		}
		return nil
	})
}

// Forbidden checks that the response indicates that the request was rejected by RBAC.
func Forbidden(p protocol.Instance) echo.Checker {
	switch {
	case p.IsGRPC():
		return ErrorContains("rpc error: code = PermissionDenied")
	case p.IsTCP():
		return ErrorContains("EOF")
	default:
		return NoErrorAndStatus(http.StatusForbidden)
	}
}