RBAC Constraints and Properties (deprecated)

The constraints and properties in the RBAC policy are deprecated by the conditions inthe AuthorizationPolicy. Please use the conditions in AuthorizationPolicy resources,this page is for reference only and will be removed in the future.

This section contains the supported keys and value formats you can use as constraints and propertiesin the service roles and service role bindings configuration objects.Constraints and properties are extra conditions you can add as fields in configuration objects witha kind: value of ServiceRole and ServiceRoleBinding to specify detailed access control requirements.

Specifically, you can use constraints to specify extra conditions in the access rule field of a servicerole. You can use properties to specify extra conditions in the subject field of a service role binding.Istio supports all keys listed on this page for the HTTP protocol but supports only some for the plain TCP protocol.

Unsupported keys and values will be ignored silently.

For more information, refer to the authorization concept page.

Supported constraints

The following table lists the currently supported keys for the constraints field:

NameDescriptionSupported for TCP servicesKey ExampleValues Example
destination.ipDestination workload instance IP address, supports single IP or CIDRYESdestination.ip["10.1.2.3", "10.2.0.0/16"]
destination.portThe recipient port on the server IP address, must be in the range [0, 65535]YESdestination.port["80", "443"]
destination.labelsA map of key-value pairs attached to the server instanceYESdestination.labels[version]["v1", "v2"]
destination.namespaceDestination workload instance namespaceYESdestination.namespace["default"]
destination.userThe identity of the destination workloadYESdestination.user["bookinfo-productpage"]
experimental.envoy.filters.*Experimental metadata matching for filters, values wrapped in [] are matched as a listYESexperimental.envoy.filters.network.mysql_proxy[db.table]["[update]"]
request.headersHTTP request headers, The actual header name is surrounded by bracketsNOrequest.headers[X-Custom-Token]["abc123"]

Note that no backward compatibility is guaranteed for the experimental.* keys. They may be removedat any time, and customers are advised to use them at their own risk.

Supported properties

The following table lists the currently supported keys for the properties field:

NameDescriptionSupported for TCP servicesKey ExampleValue Example
source.ipSource workload instance IP address, supports single IP or CIDRYESsource.ip"10.1.2.3"
source.namespaceSource workload instance namespaceYESsource.namespace"default"
source.principalThe identity of the source workloadYESsource.principal"cluster.local/ns/default/sa/productpage"
request.headersHTTP request headers. The actual header name is surrounded by bracketsNOrequest.headers[User-Agent]"Mozilla/"
request.auth.principalThe authenticated principal of the request.NOrequest.auth.principal"accounts.my-svc.com/104958560606"
request.auth.audiencesThe intended audience(s) for this authentication informationNOrequest.auth.audiences"my-svc.com"
request.auth.presenterThe authorized presenter of the credentialNOrequest.auth.presenter"123456789012.my-svc.com"
request.auth.claimsClaims from the origin JWT. The actual claim name is surrounded by bracketsNOrequest.auth.claims[iss]"@foo.com"