Authorization Policy Conditions
This page describes the supported keys and value formats you can use as conditions
in the when field of an authorization policy rule.
For more information, refer to the authorization concept page.
Supported Conditions
| Name | Description | Supported Protocols | Example |
|---|---|---|---|
| request.headers | HTTP request headers. The actual header name is surrounded by brackets | HTTP only | `key: request.headers[User-Agent]`, `values: ["Mozilla/*"]` |
| source.ip | Source workload instance IP address, supports single IP or CIDR | HTTP and TCP | `key: source.ip`, `values: ["10.1.2.3"]` |
| source.namespace | Source workload instance namespace, requires mutual TLS enabled | HTTP and TCP | `key: source.namespace`, `values: ["default"]` |
| source.principal | The identity of the source workload, requires mutual TLS enabled | HTTP and TCP | `key: source.principal`, `values: ["cluster.local/ns/default/sa/productpage"]` |
| request.auth.principal | The authenticated principal of the request, formed from the validated JWT as `<iss>/<sub>` | HTTP only | `key: request.auth.principal`, `values: ["accounts.my-svc.com/104958560606"]` |
| request.auth.audiences | The intended audience(s) for this authentication information | HTTP only | `key: request.auth.audiences`, `values: ["my-svc.com"]` |
| request.auth.presenter | The authorized presenter of the credential | HTTP only | `key: request.auth.presenter`, `values: ["123456789012.my-svc.com"]` |
| request.auth.claims | Claims from the origin JWT. The actual claim name is surrounded by brackets | HTTP only | `key: request.auth.claims[iss]`, `values: ["*@foo.com"]` |
| destination.ip | Destination workload instance IP address, supports single IP or CIDR | HTTP and TCP | `key: destination.ip`, `values: ["10.1.2.3", "10.2.0.0/16"]` |
| destination.port | The recipient port on the server IP address, must be in the range [0, 65535] | HTTP and TCP | `key: destination.port`, `values: ["80", "443"]` |
| connection.sni | The server name indication, requires TLS enabled (the SNI is read from the TLS ClientHello, so it is present for one-way TLS as well as mutual TLS) | HTTP and TCP | `key: connection.sni`, `values: ["www.example.com"]` |
| experimental.envoy.filters.* | Experimental metadata matching for filters, values wrapped in [] are matched as a list | HTTP and TCP | `key: experimental.envoy.filters.network.mysql_proxy[db.table]`, `values: ["[update]"]` |
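The following is an added example, not part of this reference page or of the Istio project's own manifests, showing several of the condition keys above combined in the `when` field of one AuthorizationPolicy, together with the PeerAuthentication and RequestAuthentication resources that the `source.*` and `request.auth.*` keys depend on. The namespace, selector labels, service account, issuer URL, JWKS URI, claim name and CIDR are assumed placeholders.

```yaml
# Added example (not from the Istio page). Names, labels, issuer and CIDR are assumed.

# source.principal / source.namespace are derived from the peer certificate, so
# enforce mTLS. In PERMISSIVE mode a plaintext client has no peer identity, and a
# DENY rule keyed on source.* would silently fail to match it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default      # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# request.auth.* keys are only populated after a RequestAuthentication has
# validated a JWT on the request; with no JWT they are empty and never match.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: reviews-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews        # assumed workload label
  jwtRules:
  - issuer: "https://issuer.example.com"                        # assumed
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # assumed
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-conditions
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  # Rule 1: GET requests from the productpage service account carrying a JWT
  # from the assumed issuer whose "groups" claim contains "readers", and not
  # sent by a curl User-Agent. Every entry under `when` must match (AND);
  # the strings inside one `values` list are alternatives (OR).
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
    when:
    - key: request.auth.claims[iss]
      values: ["https://issuer.example.com"]
    - key: request.auth.claims[groups]      # assumed claim name
      values: ["readers"]
    - key: request.headers[User-Agent]
      notValues: ["curl/*"]
  # Rule 2: anything reaching port 9080 from an assumed admin CIDR. Rules are
  # ORed, so a request needs to satisfy only one of them to be allowed.
  - to:
    - operation:
        ports: ["9080"]
    when:
    - key: source.ip
      values: ["10.10.0.0/16"]              # assumed admin range
```

Two checks worth running after applying something like this: send a request without a JWT to confirm rule 1 rejects it (the `request.auth.*` keys are empty, so the ALLOW rule does not match and the request falls through to the default deny), and send a plaintext request from a non-mesh pod to confirm STRICT mTLS rejects it before any `source.*` condition is consulted.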