Authorization Policy Conditions
This page describes the supported keys and value formats you can use as conditions in the when
field of an authorization policy rule.
For more information, refer to the authorization concept page.
Supported Conditions
Name | Description | Supported Protocols | Example |
---|---|---|---|
request.headers | HTTP request headers. The header name is surrounded by [] without any quotes | HTTP only | key: request.headers[User-Agent] values: [“Mozilla/“] |
source.ip | Source workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: source.ip values: [“10.1.2.3”, “10.2.0.0/16”] |
remote.ip | Original client IP address as determined by X-Forwarded-For header or Proxy Protocol, supports single IP or CIDR | HTTP and TCP | key: remote.ip values: [“10.1.2.3”, “10.2.0.0/16”] |
source.namespace | Source workload instance namespace, requires mutual TLS enabled | HTTP and TCP | key: source.namespace values: [“default”] |
source.principal | The identity of the source workload, requires mutual TLS enabled | HTTP and TCP | key: source.principal values: [“cluster.local/ns/default/sa/productpage”] |
request.auth.principal | The principal of the authenticated JWT token, constructed from the JWT claims in the format of <iss>/<sub> , requires request authentication policy applied | HTTP only | key: request.auth.principal values: [“issuer.example.com/subject-admin”] |
request.auth.audiences | The intended audiences of the authenticated JWT token, constructed from the JWT claim <aud> , requires request authentication policy applied | HTTP only | key: request.auth.audiences values: [“example.com”] |
request.auth.presenter | The authorized presenter of the authenticated JWT token, constructed from the JWT claim <azp> , requires request authentication policy applied | HTTP only | key: request.auth.presenter values: [“123456789012.example.com”] |
request.auth.claims | Raw claims of the authenticated JWT token. The claim name is surrounded by [] without any quotes, nested claim can also be used, requires request authentication policy applied. Note only support claim of type string or list of string | HTTP only | key: request.auth.claims[iss] values: [“@foo.com”] — key: request.auth.claims[nested1][nested2] values: [“some-value”] |
destination.ip | Destination workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: destination.ip values: [“10.1.2.3”, “10.2.0.0/16”] |
destination.port | Destination workload instance port, must be in the range [0, 65535]. Note this is not the service port | HTTP and TCP | key: destination.port values: [“80”, “443”] |
connection.sni | The server name indication, requires mutual TLS enabled | HTTP and TCP | key: connection.sni values: [“www.example.com”] |
experimental.envoy.filters.* | Experimental metadata matching for filters, values wrapped in [] are matched as a list | HTTP and TCP | key: experimental.envoy.filters.network.mysql_proxy[db.table] values: [“[update]”] |
No backward compatibility is guaranteed for the experimental.*
keys. They may be removed at any time, and customers are advised to use them at their own risk.