Authorization Policy Conditions
This page describes the supported keys and value formats you can use as conditions in the when
field of an authorization policy rule.
For more information, refer to the authorization concept page.
Supported Conditions
| Name | Description | Supported Protocols | Example |
|---|---|---|---|
| request.headers | HTTP request headers. The actual header name is surrounded by brackets | HTTP only | key: request.headers[User-Agent] values: ["Mozilla/*"] |
| source.ip | Source workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: source.ip values: ["10.1.2.3"] |
| source.namespace | Source workload instance namespace, requires mutual TLS enabled | HTTP and TCP | key: source.namespace values: ["default"] |
| source.principal | The identity of the source workload, requires mutual TLS enabled | HTTP and TCP | key: source.principal values: ["cluster.local/ns/default/sa/productpage"] |
| request.auth.principal | The authenticated principal of the request, taken from the validated JWT | HTTP only | key: request.auth.principal values: ["accounts.my-svc.com/104958560606"] |
| request.auth.audiences | The intended audience(s) for this authentication information | HTTP only | key: request.auth.audiences values: ["my-svc.com"] |
| request.auth.presenter | The authorized presenter of the credential | HTTP only | key: request.auth.presenter values: ["123456789012.my-svc.com"] |
| request.auth.claims | Claims from the origin JWT. The actual claim name is surrounded by brackets | HTTP only | key: request.auth.claims[iss] values: ["*@foo.com"] |
| destination.ip | Destination workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: destination.ip values: ["10.1.2.3", "10.2.0.0/16"] |
| destination.port | The recipient port on the server IP address, must be in the range [0, 65535] | HTTP and TCP | key: destination.port values: ["80", "443"] |
| connection.sni | The server name indication, requires mutual TLS enabled | HTTP and TCP | key: connection.sni values: ["www.example.com"] |
| experimental.envoy.filters.* | Experimental metadata matching for filters, values wrapped in [] are matched as a list | HTTP and TCP | key: experimental.envoy.filters.network.mysql_proxy[db.table] values: ["[update]"] |
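The following policy is an added example (it is not taken from the Istio documentation or from the Istio project) showing how the keys in the table above are placed in the when field of an AuthorizationPolicy rule. The workload labels, namespace, service account and JWT issuer (bookinfo, reviews, productpage, https://accounts.example.com) are assumed for illustration. Two points the table does not make explicit: every entry in a single rule's when list must match for that rule to apply (conditions are ANDed with each other and with the rule's from and to sections), while separate rules are ORed; and the request.auth.* keys are only populated after the JWT has been validated by a request authentication policy, so without one those conditions never match.

```yaml
# Added example, not part of the original page or the Istio project.
# Assumed names: namespace bookinfo, workload label app=reviews,
# caller service account productpage, JWT issuer https://accounts.example.com.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-conditions
  namespace: bookinfo
spec:
  # Applies to the reviews workload only; with no selector the policy
  # would cover every workload in the namespace.
  selector:
    matchLabels:
      app: reviews
  # No action field: the default action is ALLOW, so a request must
  # match at least one rule below or it is rejected.
  rules:
  # Rule 1 (HTTP only, because request.* keys are HTTP-only):
  # mTLS identity of the caller AND a validated JWT from the assumed
  # issuer with an "admin" groups claim AND a browser-style User-Agent.
  # All from/to/when entries must match for this rule to apply.
  - from:
    - source:
        principals: ["cluster.local/ns/bookinfo/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
        ports: ["9080"]
    when:
    - key: request.auth.claims[iss]
      values: ["https://accounts.example.com"]
    - key: request.auth.claims[groups]
      values: ["admin"]
    - key: request.headers[User-Agent]
      values: ["Mozilla/*"]   # "*" is a wildcard: any value starting with Mozilla/
  # Rule 2 (works for TCP as well as HTTP, since only L3/L4 keys are used):
  # any caller in 10.2.0.0/16 reaching port 9080. Rules are ORed, so a
  # request matching either rule 1 or rule 2 is allowed.
  - when:
    - key: source.ip
      values: ["10.2.0.0/16"]
    - key: destination.port
      values: ["9080"]
```

When combining HTTP-only keys with plain TCP traffic, keep them in separate rules as above: a rule containing an HTTP-only condition can never match a non-HTTP connection, so putting request.headers next to source.ip in one rule silently turns that rule into an HTTP-only rule.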
No backward compatibility is guaranteed for the experimental.* keys. They may be removed at any time, and customers are advised to use them at their own risk.