我的书签
添加书签
移除书签Authorization Policy Conditions
This page describes the supported keys and value formats you can use as conditionsin the when field of authorization policy resources.
Unsupported keys and values are silently ignored.
For more information, refer to the authorization concept page.
Supported Conditions
| Name | Description | Supported Protocols | Example |
|---|---|---|---|
request.headers | HTTP request headers. The actual header name is surrounded by brackets | HTTP only | key: request.headers[User-Agent]values: ["Mozilla/"] |
source.ip | Source workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: source.ipvalues: ["10.1.2.3"] |
source.namespace | Source workload instance namespace | HTTP and TCP | key: source.namespacevalues: ["default"] |
source.principal | The identity of the source workload | HTTP and TCP | key: source.principalvalues: ["cluster.local/ns/default/sa/productpage"] |
request.auth.principal | The authenticated principal of the request. | HTTP only | key: request.auth.principalvalues: ["accounts.my-svc.com/104958560606"] |
request.auth.audiences | The intended audience(s) for this authentication information | HTTP only | key: request.auth.audiencesvalues: ["my-svc.com"] |
request.auth.presenter | The authorized presenter of the credential | HTTP only | key: request.auth.presentervalues: ["123456789012.my-svc.com"] |
request.auth.claims | Claims from the origin JWT. The actual claim name is surrounded by brackets | HTTP only | key: request.auth.claims[iss]values: ["@foo.com"] |
destination.ip | Destination workload instance IP address, supports single IP or CIDR | HTTP and TCP | key: destination.ipvalues: ["10.1.2.3", "10.2.0.0/16"] |
destination.port | The recipient port on the server IP address, must be in the range [0, 65535] | HTTP and TCP | key: destination.portvalues: ["80", "443"] |
connection.sni | The server name indication | HTTP and TCP | key: connection.snivalues: ["www.example.com"] |
experimental.envoy.filters.* | Experimental metadata matching for filters, values wrapped in [] are matched as a list | HTTP and TCP | key: experimental.envoy.filters.network.mysql_proxy[db.table]values: ["[update]"] |
No backward compatibility is guaranteed for the experimental.* keys. They may be removedat any time, and customers are advised to use them at their own risk.
