Authorization Policy Conditions

This page describes the supported keys and value formats you can use as conditions in the when field of an authorization policy rule.

For more information, refer to the authorization concept page.

Supported Conditions

Each entry lists the condition key, a description, the protocols it supports, and an example of the key/values pair as written in the when field of a rule.

request.headers
  Description: HTTP request headers. The header name is surrounded by [] without any quotes.
  Supported protocols: HTTP only
  Example:
    key: request.headers[User-Agent]
    values: ["Mozilla/*"]

source.ip
  Description: Source workload instance IP address; supports a single IP or a CIDR range.
  Supported protocols: HTTP and TCP
  Example:
    key: source.ip
    values: ["10.1.2.3", "10.2.0.0/16"]

remote.ip
  Description: Original client IP address as determined by the X-Forwarded-For header or the Proxy Protocol; supports a single IP or a CIDR range.
  Supported protocols: HTTP and TCP
  Example:
    key: remote.ip
    values: ["10.1.2.3", "10.2.0.0/16"]

source.namespace
  Description: Source workload instance namespace; requires mutual TLS to be enabled.
  Supported protocols: HTTP and TCP
  Example:
    key: source.namespace
    values: ["default"]

source.principal
  Description: The identity of the source workload; requires mutual TLS to be enabled.
  Supported protocols: HTTP and TCP
  Example:
    key: source.principal
    values: ["cluster.local/ns/default/sa/productpage"]

request.auth.principal
  Description: The principal of the authenticated JWT token, constructed from the JWT claims in the format <iss>/<sub>; requires a request authentication policy to be applied.
  Supported protocols: HTTP only
  Example:
    key: request.auth.principal
    values: ["issuer.example.com/subject-admin"]

request.auth.audiences
  Description: The intended audiences of the authenticated JWT token, constructed from the JWT claim <aud>; requires a request authentication policy to be applied.
  Supported protocols: HTTP only
  Example:
    key: request.auth.audiences
    values: ["example.com"]

request.auth.presenter
  Description: The authorized presenter of the authenticated JWT token, constructed from the JWT claim <azp>; requires a request authentication policy to be applied.
  Supported protocols: HTTP only
  Example:
    key: request.auth.presenter
    values: ["123456789012.example.com"]

request.auth.claims
  Description: Raw claims of the authenticated JWT token. The claim name is surrounded by [] without any quotes; nested claims can also be used. Requires a request authentication policy to be applied. Note that only claims of type string or list of strings are supported.
  Supported protocols: HTTP only
  Example:
    key: request.auth.claims[iss]
    values: ["*@foo.com"]

    key: request.auth.claims[nested1][nested2]
    values: ["some-value"]

destination.ip
  Description: Destination workload instance IP address; supports a single IP or a CIDR range.
  Supported protocols: HTTP and TCP
  Example:
    key: destination.ip
    values: ["10.1.2.3", "10.2.0.0/16"]

destination.port
  Description: Destination workload instance port; must be in the range [0, 65535]. Note that this is the workload (container) port, not the service port.
  Supported protocols: HTTP and TCP
  Example:
    key: destination.port
    values: ["80", "443"]

connection.sni
  Description: The server name indication; requires TLS to be enabled.
  Supported protocols: HTTP and TCP
  Example:
    key: connection.sni
    values: ["www.example.com"]

experimental.envoy.filters.*
  Description: Experimental metadata matching for filters; values wrapped in [] are matched as a list.
  Supported protocols: HTTP and TCP
  Example:
    key: experimental.envoy.filters.network.mysql_proxy[db.table]
    values: ["[update]"]

No backward compatibility is guaranteed for the experimental.* keys. They may be removed at any time, and customers are advised to use them at their own risk.
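The following manifest is an added example of how the keys above are combined inside the when field of an AuthorizationPolicy; it is not taken from this page or from the Istio project. It assumes a workload labelled app=productpage in the default namespace, a caller namespace named frontend, a JWT issuer issuer.example.com that emits a groups claim (a string or list of strings, as the claims entry above requires), a RequestAuthentication for that issuer already applied, mutual TLS enabled so that source.namespace is populated, and a monitoring network at 10.20.0.0/16 that reaches the workload on container port 9000. The notValues field is part of the Istio AuthorizationPolicy Condition API but is not described on this page; the "*" prefix and suffix wildcards follow the usage shown in the examples above.

```yaml
# Added example (not from the page or the Istio project). Names, labels,
# namespaces, the issuer, the groups claim and the CIDR are constructed
# assumptions for illustration.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-conditions
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  # Rule 1: HTTP-only keys. All conditions in a rule are ANDed, so a request
  # is allowed by this rule only if it comes from a workload in the frontend
  # namespace (needs mTLS for source.namespace), carries a JWT from the
  # trusted issuer whose groups claim contains admins or developers, and
  # does not identify itself as curl.
  - when:
    - key: source.namespace
      values: ["frontend"]
    - key: request.auth.principal
      values: ["issuer.example.com/*"]     # <iss>/<sub>, any subject of this issuer
    - key: request.auth.claims[groups]
      values: ["admins", "developers"]
    - key: request.headers[User-Agent]
      notValues: ["curl/*"]
  # Rule 2: keys that work for HTTP and TCP. Allows the monitoring CIDR to
  # reach port 9000 only. destination.port is the workload (container) port,
  # not the Kubernetes Service port.
  - when:
    - key: source.ip
      values: ["10.20.0.0/16"]
    - key: destination.port
      values: ["9000"]
```

Because the action is ALLOW, a request to the productpage workload is permitted if it matches either rule in full and is denied otherwise. The two conditions that depend on identity (source.namespace and request.auth.principal) only carry a value when mutual TLS and a RequestAuthentication are in place, as the entries above note; without them those conditions never match and Rule 1 silently admits nothing, which is the safe failure mode for an ALLOW policy but should be checked when a policy appears to block legitimate traffic.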