AuthorizationPolicy with wildcards

Hi,

Does AuthorizationPolicy not support any wildcard pattern on paths?

I have the following endpoints:

/my-service/docs/active (GET)
/my-service/docs//activate/ (PUT)

The first one will get all active docs, and the second will activate/deactivate the specific doc.
I've tried to set it in the AuthorizationPolicy and it seems to ignore this policy due to the wildcard.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service
  rules:
  - from:
    - source:
        notNamespaces: ["default"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/my-service/docs/active"]
    - operation:
        methods: ["PUT"]
        paths: ["/my-service/docs//activate/"]

Any different solution here except updating all my endpoints?
10x

I just tested this, works for me:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app: test-whale
  name: test-whale-jwt
  namespace: whale
spec:
  rules:
  - to:
    - operation:
        hosts:
        - test-whale.xxxxxxx.xxxxxx.zone
        methods:
        - GET
        paths:
        - /api/health*
  - to:
    - operation:
        methods:
        - '*'
        paths:
        - '*'
    when:
    - key: request.auth.claims[aud]
      values:
      - https://whale.xxxxx.xxxxxzone/

I can hit /api/health, /api/healthcheck/, etc. and it all works without a JWT. If I hit /log, it requires it, hence the bottom block. The only thing I see different is you using an action value; I'm not. I'm on Istio 1.7.6.

Thanks for the example. The action field will be ALLOW by default if you don't set it explicitly.

Sorry, my URLs weren't printed properly. There is a * on the second path.

So the policy:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service
  rules:
  - from:
    - source:
        notNamespaces: ["default"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/my-service/docs/active"]
    - operation:
        methods: ["PUT"]
        paths: ["/my-service/docs/*/activate/*"]

When we have a double * it doesn't work.
/my-service/docs/*/bla will work though.

Chen

After reading the Istio source in a bunch of places, I've seen that double wildcards just don't work.
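To make the thread's finding concrete, here is an added example (not from the thread and not Istio's own code) that mimics the four path-match forms Istio documents for `paths` in an AuthorizationPolicy: exact, prefix (`abc*`), suffix (`*abc`) and presence (`*`). It assumes, based on my reading of the Istio matcher, that a pattern is classified by its first and last character only, so any interior `*` is a literal asterisk; that is why `/my-service/docs/*/activate/*` becomes a prefix match on the literal string `/my-service/docs/*/activate/` and never covers a real document id. The sample request paths are constructed for the example. Running the audit against a DENY policy shows which paths would silently stay reachable from other namespaces, which is the check worth doing before applying a deny-style policy that relies on wildcards.

```python
from typing import Dict, Iterable, List

def istio_path_match(pattern: str, path: str) -> bool:
    """Match one request path against one AuthorizationPolicy `paths` entry.

    Assumed classification order (my reading of the Istio matcher, not quoted
    from its source): presence "*" first, then a leading "*" means suffix
    match, then a trailing "*" means prefix match, anything else is exact.
    An asterisk anywhere else in the pattern is compared literally.
    """
    if pattern == "*":                      # presence match: any non-empty path
        return path != ""
    if pattern.startswith("*"):             # suffix match, e.g. "*/activate/"
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):               # prefix match, e.g. "/my-service/docs/*"
        return path.startswith(pattern[:-1])
    return path == pattern                  # exact match

def matched_paths(patterns: Iterable[str], paths: Iterable[str]) -> Dict[str, List[str]]:
    """For each request path, list the patterns that match it (empty list = not covered)."""
    patterns = list(patterns)
    return {p: [pat for pat in patterns if istio_path_match(pat, p)] for p in paths}

def uncovered(patterns: Iterable[str], paths: Iterable[str]) -> List[str]:
    """Paths no pattern matches. Under action: DENY these stay reachable."""
    return [p for p, hits in matched_paths(patterns, paths).items() if not hits]

# Constructed sample requests modelled on the endpoints discussed in the thread.
SAMPLE_PATHS = [
    "/my-service/docs/active",
    "/my-service/docs/123/activate/",
    "/my-service/docs/123/activate/true",
    "/my-service/docs/*/activate/x",   # a literal asterisk in the URL path
    "/my-service/docs",
]

# The pattern set from the thread's DENY policy, with the double wildcard.
DOUBLE_STAR = ["/my-service/docs/active", "/my-service/docs/*/activate/*"]
# A single trailing wildcard (prefix match), which Istio does honour.
PREFIX_ONLY = ["/my-service/docs/active", "/my-service/docs/*"]

if __name__ == "__main__":
    for name, pats in (("double-star", DOUBLE_STAR), ("prefix", PREFIX_ONLY)):
        print(f"{name} policy leaves uncovered: {uncovered(pats, SAMPLE_PATHS)}")
```

The double-star rule covers only a request whose path literally contains `/*/activate/`, so both real activate calls remain uncovered and, under `action: DENY`, are still allowed from outside the `default` namespace. Replacing it with the prefix pattern closes that gap at the cost of also covering everything under `/my-service/docs/`, so the remaining uncovered entry (`/my-service/docs` without the trailing slash) is the one to decide on deliberately.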