Authorization Policy Conditions

This page describes the supported keys and value formats you can use as conditions in the when field of authorization policy resources. Condition values are strings; besides an exact match, a value may use a prefix wildcard (abc*), a suffix wildcard (*abc), or a bare * to match any non-empty value.

Unsupported keys and values are silently ignored. Check key spelling carefully: a mistyped key (for example request.header[...] instead of request.headers[...]) is not rejected at apply time, so the rule will not constrain traffic the way it reads.

For more information, refer to the authorization concept page.

Supported Conditions

Each condition is listed with its name, a description, the protocols it applies to, and an example key/values pair as it would appear under when.

request.headers
  Description: HTTP request headers. The header name is given in brackets. Headers are supplied by the client, so use them in combination with an identity condition, not as the sole basis for a decision.
  Supported protocols: HTTP only
  Example:
    key: request.headers[User-Agent]
    values: ["Mozilla/*"]

source.ip
  Description: Source workload instance IP address; supports a single IP or a CIDR range.
  Supported protocols: HTTP and TCP
  Example:
    key: source.ip
    values: ["10.1.2.3"]

source.namespace
  Description: Source workload instance namespace.
  Supported protocols: HTTP and TCP
  Example:
    key: source.namespace
    values: ["default"]

source.principal
  Description: The identity of the source workload, taken from the peer certificate; it is only populated when the connection uses mutual TLS.
  Supported protocols: HTTP and TCP
  Example:
    key: source.principal
    values: ["cluster.local/ns/default/sa/productpage"]

request.auth.principal
  Description: The authenticated principal of the request, formed from the JWT iss and sub claims as iss/sub.
  Supported protocols: HTTP only
  Example:
    key: request.auth.principal
    values: ["accounts.my-svc.com/104958560606"]

request.auth.audiences
  Description: The intended audience(s) for this authentication information.
  Supported protocols: HTTP only
  Example:
    key: request.auth.audiences
    values: ["my-svc.com"]

request.auth.presenter
  Description: The authorized presenter of the credential.
  Supported protocols: HTTP only
  Example:
    key: request.auth.presenter
    values: ["123456789012.my-svc.com"]

request.auth.claims
  Description: Claims from the origin JWT. The claim name is given in brackets. These values are only available after the JWT has been validated by a request authentication policy.
  Supported protocols: HTTP only
  Example:
    key: request.auth.claims[iss]
    values: ["*@foo.com"]

destination.ip
  Description: Destination workload instance IP address; supports a single IP or a CIDR range.
  Supported protocols: HTTP and TCP
  Example:
    key: destination.ip
    values: ["10.1.2.3", "10.2.0.0/16"]

destination.port
  Description: The recipient port on the server IP address; must be in the range [0, 65535].
  Supported protocols: HTTP and TCP
  Example:
    key: destination.port
    values: ["80", "443"]

connection.sni
  Description: The server name indication from the TLS handshake.
  Supported protocols: HTTP and TCP
  Example:
    key: connection.sni
    values: ["www.example.com"]

experimental.envoy.filters.*
  Description: Experimental metadata matching for Envoy filters. Values wrapped in [] are matched as a list.
  Supported protocols: HTTP and TCP
  Example:
    key: experimental.envoy.filters.network.mysql_proxy[db.table]
    values: ["[update]"]
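The following policy is an added example of how the keys above combine in a single resource; it is not taken from the original page or from the Istio project. The workload label app: productpage, the service account reviews, the issuer https://accounts.example.com, the groups claim, the 10.0.0.0/8 range and the ports 9080 and 3306 are all assumed values chosen for illustration.

```yaml
# Added example (not from the original page). Assumed: the productpage workload
# runs in the default namespace, callers present the reviews service account
# identity over mutual TLS, and a RequestAuthentication policy already validates
# JWTs from https://accounts.example.com so that request.auth.* is populated.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-conditions
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage          # assumed workload label
  action: ALLOW
  rules:
  # Rule 1 (HTTP): read access to the products API, only when every condition holds.
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/products*"]
    when:
    # Workload identity from the peer certificate (requires mutual TLS).
    - key: source.principal
      values: ["cluster.local/ns/default/sa/reviews"]
    # End-user identity from the validated JWT: issuer and group membership.
    - key: request.auth.claims[iss]
      values: ["https://accounts.example.com"]   # assumed issuer
    - key: request.auth.claims[groups]
      values: ["catalog-readers"]                # assumed claim value
    # Network position: only callers inside the assumed internal range.
    - key: source.ip
      values: ["10.0.0.0/8"]
    # Only the application port, not the sidecar's other listeners.
    - key: destination.port
      values: ["9080"]
  # Rule 2 (TCP): a database-style port where no HTTP attributes exist, so only
  # keys marked "HTTP and TCP" are used. The SNI check requires TLS on the wire.
  - to:
    - operation:
        ports: ["3306"]
    when:
    - key: source.namespace
      values: ["default"]
    - key: connection.sni
      values: ["db.example.com"]                 # assumed server name
```

All conditions in one when list must match for the rule to apply, and the workload is allowed only if at least one rule matches. Keep HTTP-only keys (request.headers, request.auth.*) out of rules meant for plain TCP traffic: those attributes do not exist on a TCP connection, so the condition cannot be evaluated as written. Likewise, source.principal and request.auth.* are empty unless mutual TLS and a request authentication policy are in place, so a rule that relies on them without that setup matches nothing rather than failing loudly.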

No backward compatibility is guaranteed for the experimental.* keys. They may be removed at any time, and customers are advised to use them at their own risk.