---
title: Constraints and Properties
description: Describes the supported constraints and properties.
weight: 10
---

This page lists the supported keys that can be used in Constraints and Properties. Constraints specify additional custom conditions in a ServiceRole; Properties specify additional custom conditions in a ServiceRoleBinding. For more information, please refer to RBAC.

## Constraints

The following table lists the currently supported keys in Constraints:

| Name | Description | Key Example | Values Example |
|------|-------------|-------------|----------------|
| `destination.ip` | Destination workload instance IP address, supports single IP or CIDR | `destination.ip` | `["10.1.2.3", "10.2.0.0/16"]` |
| `destination.port` | The recipient port on the server IP address, must be in the range [0, 65535] | `destination.port` | `["80", "443"]` |
| `destination.labels` | A map of key-value pairs attached to the server instance | `destination.labels[version]` | `["v1", "v2"]` |
| `destination.name` | Destination workload instance name | `destination.name` | `["productpage*", "*-test"]` |
| `destination.namespace` | Destination workload instance namespace | `destination.namespace` | `["default"]` |
| `destination.user` | The identity of the destination workload | `destination.user` | `["bookinfo-productpage"]` |
| `request.headers` | HTTP request headers. The actual header name is surrounded by brackets | `request.headers[X-Custom-Token]` | `["abc123"]` |

## Properties

The following table lists the currently supported keys in Properties:

| Name | Description | Key Example | Value Example |
|------|-------------|-------------|---------------|
| `source.ip` | Source workload instance IP address, supports single IP or CIDR | `source.ip` | `"10.1.2.3"` |
| `source.namespace` | Source workload instance namespace | `source.namespace` | `"default"` |
| `source.principal` | The identity of the source workload | `source.principal` | `"cluster.local/ns/default/sa/productpage"` |
| `request.headers` | HTTP request headers. The actual header name is surrounded by brackets | `request.headers[User-Agent]` | `"Mozilla/*"` |
| `request.auth.principal` | The authenticated principal of the request | `request.auth.principal` | `"accounts.my-svc.com/104958560606"` |
| `request.auth.audiences` | The intended audience(s) for this authentication information | `request.auth.audiences` | `"my-svc.com"` |
| `request.auth.presenter` | The authorized presenter of the credential | `request.auth.presenter` | `"123456789012.my-svc.com"` |
| `request.auth.claims` | Claims from the origin JWT. The actual claim name is surrounded by brackets | `request.auth.claims[iss]` | `"*@foo.com"` |
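As an added example (not taken from the Istio docs or the Istio project), the following ServiceRole and ServiceRoleBinding show where the keys from both tables above sit in the `rbac.istio.io/v1alpha1` resources: the role's constraints limit a `GET` rule to the `v1` and `v2` versions of a hypothetical `productpage` service, and the binding's properties restrict the subject to callers from the `default` namespace presenting a JWT whose `iss` claim matches a placeholder issuer. The service name and issuer value are assumptions.

```yaml
# Added example; service and issuer names are hypothetical placeholders.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: productpage-viewer
  namespace: default
spec:
  rules:
  - services: ["productpage.default.svc.cluster.local"]
    methods: ["GET"]
    # Constraints: each entry pairs a key from the Constraints table with
    # the list of values it may match (exact match, or "*" prefix/suffix).
    constraints:
    - key: "destination.labels[version]"
      values: ["v1", "v2"]
    - key: "request.headers[X-Custom-Token]"
      values: ["abc123"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-productpage-viewer
  namespace: default
spec:
  subjects:
  # Properties: a map from keys in the Properties table to one value each;
  # all properties of a subject must match for that subject to apply.
  - properties:
      "source.namespace": "default"
      "request.auth.claims[iss]": "*@example-issuer.placeholder"
  roleRef:
    kind: ServiceRole
    name: "productpage-viewer"
```

Keys containing brackets are quoted so the YAML parser treats them as plain map keys.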