chen
January 13, 2021, 5:17pm
1
Hi,
AuthorizationPolicy does not support any wildcard pattern on paths?
I have the following endpoints:
/my-service/docs/active (GET)
/my-service/docs//activate/ (PUT)
The first one will get all active docs, and the second will activate/deactivate the specific doc.
I've tried to set it on the AuthorizationPolicy and it seems to ignore this policy due to the wildcard.
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service
  rules:
  - from:
    - source:
        notNamespaces: ["default"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/my-service/docs/active"]
    - operation:
        methods: ["PUT"]
        paths: ["/my-service/docs//activate/"]
```
Any different solution here except updating all my endpoints?
Thanks
I just tested this, works for me:
```yaml
kind: AuthorizationPolicy
metadata:
  labels:
    app: test-whale
  name: test-whale-jwt
  namespace: whale
spec:
  rules:
  - to:
    - operation:
        hosts:
        - test-whale.xxxxxxx.xxxxxx.zone
        methods:
        - GET
        paths:
        - /api/health*
  - to:
    - operation:
        methods:
        - '*'
        paths:
        - '*'
    when:
    - key: request.auth.claims[aud]
      values:
      - https://whale.xxxxx.xxxxxzone/
```
I can hit /api/health, /api/healthcheck/, etc. and it all works without a JWT. If I hit /log, it requires it, hence the bottom block. The only thing I see different is you using an `action` value; I'm not. I'm on Istio 1.7.6.
Thanks for the example. The `action` field will be `ALLOW` by default if you don't set it explicitly.
chen
January 17, 2021, 11:28am
4
Sorry, my URLs weren't printed properly. There is a * on the second path.
So the policy:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service
  rules:
  - from:
    - source:
        notNamespaces: ["default"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/my-service/docs/active"]
    - operation:
        methods: ["PUT"]
        paths: ["/my-service/docs/*/activate/*"]
```
When we have a double * it doesn't work.
/my-service/docs/*/bla will work though.
Chen
After reading the Istio source in a bunch of places, I’ve seen double wildcards just don’t work.
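As an added illustration (not code from this thread or from Istio itself), here is a small Python model of the path matching that the AuthorizationPolicy reference documents: `*` alone is a presence match, `abc*` a prefix match, `*abc` a suffix match, and anything else an exact match, so a `*` in the middle of a pattern is an ordinary character. The policy shapes, the `other-ns` source namespace and the `/my-service/docs/42/activate/` request are constructed for the example; `deny_rule_applies` models the thread's DENY rule and shows why the double-wildcard path never denies the PUT while a single trailing `*` does.

```python
"""Model of Istio AuthorizationPolicy path matching (illustration, not Istio's
code): exact, prefix `abc*`, suffix `*abc`, presence `*`; any other `*` is literal."""
from __future__ import annotations

from dataclasses import dataclass, field


def path_matches(pattern: str, path: str) -> bool:
    """Return True if `path` matches `pattern` under the four documented match kinds."""
    if pattern == "*":                      # presence match: any non-empty path
        return path != ""
    if pattern.startswith("*"):             # suffix match: *abc
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):               # prefix match: abc* (inner '*' stays literal)
        return path.startswith(pattern[:-1])
    return path == pattern                  # exact match


@dataclass
class Operation:
    methods: list[str] = field(default_factory=lambda: ["*"])
    paths: list[str] = field(default_factory=lambda: ["*"])

    def matches(self, method: str, path: str) -> bool:
        return (any(path_matches(m, method) for m in self.methods)
                and any(path_matches(p, path) for p in self.paths))


def deny_rule_applies(ops: list[Operation], not_namespaces: list[str],
                      src_namespace: str, method: str, path: str) -> bool:
    """The thread's DENY rule: source outside `not_namespaces` AND some operation matches."""
    if src_namespace in not_namespaces:
        return False
    return any(op.matches(method, path) for op in ops)


# Constructed: the operations from the second policy in the thread.
THREAD_OPS = [
    Operation(methods=["GET"], paths=["/my-service/docs/active"]),
    Operation(methods=["PUT"], paths=["/my-service/docs/*/activate/*"]),
]
# Constructed: same intent expressed with the one supported wildcard form (prefix).
FIXED_OPS = [
    Operation(methods=["GET"], paths=["/my-service/docs/active"]),
    Operation(methods=["PUT"], paths=["/my-service/docs/*"]),
]

if __name__ == "__main__":
    for label, ops in (("thread", THREAD_OPS), ("fixed", FIXED_OPS)):
        denied = deny_rule_applies(ops, ["default"], "other-ns", "PUT", "/my-service/docs/42/activate/")
        print(f"{label}: PUT /my-service/docs/42/activate/ from other-ns denied = {denied}")
```

The prefix form is broader than the original intent (it covers every PUT under /my-service/docs/ from outside `default`), so check that nothing legitimate from other namespaces needs those paths before relying on it.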