Authorization Policy Conditions

This page describes the supported keys and value formats you can use as conditions in the when field of an authorization policy rule.

For more information, refer to the authorization concept page.

Supported Conditions

Each entry below gives the condition name, its description, the protocols it supports, and an example key/values pair as it would appear in a when condition.

request.headers
  Description: HTTP request headers. The actual header name is surrounded by brackets.
  Supported protocols: HTTP only
  Example:
    key: request.headers[User-Agent]
    values: ["Mozilla/*"]

source.ip
  Description: Source workload instance IP address; supports a single IP or a CIDR block.
  Supported protocols: HTTP and TCP
  Example:
    key: source.ip
    values: ["10.1.2.3"]

source.namespace
  Description: Source workload instance namespace; requires mutual TLS enabled.
  Supported protocols: HTTP and TCP
  Example:
    key: source.namespace
    values: ["default"]

source.principal
  Description: The identity of the source workload; requires mutual TLS enabled.
  Supported protocols: HTTP and TCP
  Example:
    key: source.principal
    values: ["cluster.local/ns/default/sa/productpage"]

request.auth.principal
  Description: The authenticated principal of the request.
  Supported protocols: HTTP only
  Example:
    key: request.auth.principal
    values: ["accounts.my-svc.com/104958560606"]

request.auth.audiences
  Description: The intended audience(s) for this authentication information.
  Supported protocols: HTTP only
  Example:
    key: request.auth.audiences
    values: ["my-svc.com"]

request.auth.presenter
  Description: The authorized presenter of the credential.
  Supported protocols: HTTP only
  Example:
    key: request.auth.presenter
    values: ["123456789012.my-svc.com"]

request.auth.claims
  Description: Claims from the origin JWT. The actual claim name is surrounded by brackets.
  Supported protocols: HTTP only
  Example:
    key: request.auth.claims[iss]
    values: ["*@foo.com"]

destination.ip
  Description: Destination workload instance IP address; supports a single IP or a CIDR block.
  Supported protocols: HTTP and TCP
  Example:
    key: destination.ip
    values: ["10.1.2.3", "10.2.0.0/16"]

destination.port
  Description: The recipient port on the server IP address; must be in the range [0, 65535].
  Supported protocols: HTTP and TCP
  Example:
    key: destination.port
    values: ["80", "443"]

connection.sni
  Description: The server name indication; requires mutual TLS enabled.
  Supported protocols: HTTP and TCP
  Example:
    key: connection.sni
    values: ["www.example.com"]

experimental.envoy.filters.*
  Description: Experimental metadata matching for filters; values wrapped in [] are matched as a list.
  Supported protocols: HTTP and TCP
  Example:
    key: experimental.envoy.filters.network.mysql_proxy[db.table]
    values: ["[update]"]
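To make the matching semantics behind these keys concrete, here is a small Python evaluator (an added example, not Istio's own code) that applies a rule's when list to one request's attributes: conditions are AND-ed, the values inside a single condition are OR-ed, and each value is an exact string, a prefix ("abc*"), a suffix ("*abc"), a presence check ("*") or, for the IP keys, a single IP or CIDR block. The SAMPLE_REQUEST attributes and EXAMPLE_WHEN list are constructed for this example; it deliberately models only values (not notValues) and not the experimental list matching.

```python
import ipaddress

# Constructed attributes of one request, keyed the same way the
# condition keys on this page are written (bracketed header/claim names).
SAMPLE_REQUEST = {
    "source.ip": "10.1.2.3",
    "source.principal": "cluster.local/ns/default/sa/productpage",
    "destination.port": "443",
    "request.headers[User-Agent]": "Mozilla/5.0",
    "request.auth.claims[iss]": "alice@foo.com",
}

# Keys whose values may be a single IP or a CIDR block.
IP_KEYS = {"source.ip", "destination.ip"}

# A constructed `when` list combining a header, an IP range and a JWT claim.
EXAMPLE_WHEN = [
    {"key": "request.headers[User-Agent]", "values": ["Mozilla/*"]},
    {"key": "source.ip", "values": ["10.1.0.0/16"]},
    {"key": "request.auth.claims[iss]", "values": ["*@foo.com"]},
]


def match_value(pattern, actual, key):
    """Match one condition value against one request attribute.

    "*" is a presence check; "abc*" a prefix and "*abc" a suffix match;
    anything else (including a wildcard in the middle) is an exact match.
    IP keys are compared as addresses so CIDR blocks work.
    """
    if pattern == "*":
        return actual is not None
    if actual is None:
        return False
    if key in IP_KEYS:
        net = ipaddress.ip_network(pattern, strict=False)  # single IP -> /32
        return ipaddress.ip_address(actual) in net
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return actual.endswith(pattern[1:])
    return actual == pattern


def condition_matches(cond, request):
    """One condition holds if ANY of its values matches (values are OR-ed)."""
    actual = request.get(cond["key"])
    return any(match_value(v, actual, cond["key"]) for v in cond["values"])


def when_matches(when, request):
    """A rule's when list holds only if EVERY condition holds (AND-ed)."""
    return all(condition_matches(c, request) for c in when)
```

A request from outside 10.1.0.0/16, or with a different claim issuer, fails the whole list even though the other conditions still match.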