Authorization Policy Conditions
This page describes the supported keys and value formats you can use as conditions in the when field of authorization policy resources.
Unsupported keys and values are silently ignored.
For more information, refer to the authorization concept page.
Supported Conditions
| Name | Description | Supported Protocols | Example |
|---|---|---|---|
| request.headers | HTTP request headers. The actual header name is surrounded by brackets | HTTP only | key: request.headers[User-Agent] values: ["Mozilla/*"] |
| source.ip | Source workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: source.ip values: ["10.1.2.3"] |
| source.namespace | Source workload instance namespace | HTTP and TCP | key: source.namespace values: ["default"] |
| source.principal | The identity of the source workload | HTTP and TCP | key: source.principal values: ["cluster.local/ns/default/sa/productpage"] |
| request.auth.principal | The authenticated principal of the request | HTTP only | key: request.auth.principal values: ["accounts.my-svc.com/104958560606"] |
| request.auth.audiences | The intended audience(s) for this authentication information | HTTP only | key: request.auth.audiences values: ["my-svc.com"] |
| request.auth.presenter | The authorized presenter of the credential | HTTP only | key: request.auth.presenter values: ["123456789012.my-svc.com"] |
| request.auth.claims | Claims from the origin JWT. The actual claim name is surrounded by brackets | HTTP only | key: request.auth.claims[iss] values: ["*@foo.com"] |
| destination.ip | Destination workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: destination.ip values: ["10.1.2.3", "10.2.0.0/16"] |
| destination.port | The recipient port on the server IP address, must be in the range [0, 65535] | HTTP and TCP | key: destination.port values: ["80", "443"] |
| connection.sni | The server name indication | HTTP and TCP | key: connection.sni values: ["www.example.com"] |
| experimental.envoy.filters.* | Experimental metadata matching for filters, values wrapped in [] are matched as a list | HTTP and TCP | key: experimental.envoy.filters.network.mysql_proxy[db.table] values: ["[update]"] |
No backward compatibility is guaranteed for the experimental.* keys. They may be removed at any time, and customers are advised to use them at their own risk.
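As an added example that is not part of the original page, the two AuthorizationPolicy resources below combine several keys from the table in a when block: one for an HTTP workload, and one for a TCP workload where only the keys marked HTTP and TCP apply. All names, namespaces, service accounts, the JWT issuer and audience, IPs and ports are constructed placeholders.

```yaml
# Added example, not part of the page: all names, IPs, ports and the JWT
# issuer/audience below are constructed placeholders.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-allow-partners
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/frontend/sa/gateway"]
    # Every condition under 'when' must hold (AND); the values inside one
    # condition are alternatives (OR). A trailing '*' makes a prefix match.
    when:
    - key: request.auth.claims[iss]
      values: ["https://accounts.example.com"]
    - key: request.auth.audiences
      values: ["httpbin.foo.svc.cluster.local"]
    - key: source.ip
      values: ["10.20.0.0/16", "10.30.5.7"]   # CIDR or single IP
    - key: destination.port
      values: ["8080"]
    - key: request.headers[User-Agent]
      values: ["partner-client/*"]
---
# TCP workload: only keys listed as "HTTP and TCP" in the table apply;
# HTTP-only keys such as request.headers are not evaluated here.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: mysql-allow-backend
  namespace: db
spec:
  selector:
    matchLabels:
      app: mysql
  action: ALLOW
  rules:
  - when:
    - key: connection.sni
      values: ["mysql.db.example.internal"]
    - key: destination.port
      values: ["3306"]
    - key: source.namespace
      values: ["backend"]
```

Because unsupported keys are silently ignored, review a TCP policy against the Supported Protocols column before relying on it: an HTTP-only condition in an ALLOW rule for a TCP workload can never be satisfied.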