According to Istio / Authorization Policy, we can configure ‘/info*’ to represent paths with prefix ‘/info’, and ‘*info’ to represent paths with suffix ‘info’. However, what can be configured to match the condition “paths containing info”?
I notice that Istio uses the function to construct the StringMatcher. Is there a way to use a regex path? Or is using envoyfilters the only way?
Besides func StringMatcherWithPrefix() mentioned in the question, Istio authz also uses StringMatcherRegex to support regex: https://github.com/istio/istio/blob/985df6bbf72cdb6f3e082ebb60a6cacb11cb13b4/pilot/pkg/security/authz/matcher/string.go#L29. Can you try a regex path in Istio authz and update the thread here with your finding?
That StringMatcherRegex is only used in principal match or for a path with prefix of *, which cannot be used for a normal regex path.
Finally, we had to change the Istio code. We use a meaningful prefix in the path to tell Istio to use StringMatcherRegex or another StringMatcher. For example, path “regex: /resources/.*/call” should be used as a StringMatcherRegex, and “prefix: /resources” should be used as a StringMatcherPrefix, and “contain: resource” should be used as a StringMatcherContains.
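The tagged-path scheme described in the last post, as an added stand-alone sketch (not Istio's code and not the poster's patch). `PathMatcher` and `ParsePathRule` are hypothetical names, and untagged rules fall back to the `*` prefix/suffix behaviour from the Authorization Policy docs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PathMatcher is a hypothetical stand-in for Envoy's StringMatcher; it is not an Istio type.
type PathMatcher struct {
	Kind  string // "regex", "prefix", "suffix", "contains", "exact", "presence"
	Match func(path string) bool
}

// ParsePathRule maps a tagged rule ("regex: ", "prefix: ", "contain: ") to a matcher.
func ParsePathRule(rule string) (PathMatcher, error) {
	if tag, val, ok := strings.Cut(rule, ": "); ok {
		switch tag {
		case "regex":
			// Anchor both ends: an unanchored pattern in an ALLOW rule would
			// accept any path that merely contains a match.
			re, err := regexp.Compile(`^(?:` + val + `)$`)
			if err != nil {
				return PathMatcher{}, fmt.Errorf("bad regex %q: %w", val, err)
			}
			return PathMatcher{"regex", re.MatchString}, nil
		case "prefix":
			return PathMatcher{"prefix", func(p string) bool { return strings.HasPrefix(p, val) }}, nil
		case "contain":
			return PathMatcher{"contains", func(p string) bool { return strings.Contains(p, val) }}, nil
		}
	}
	switch { // untagged: keep the documented wildcard semantics
	case rule == "*":
		return PathMatcher{"presence", func(p string) bool { return p != "" }}, nil
	case strings.HasSuffix(rule, "*"):
		pre := strings.TrimSuffix(rule, "*")
		return PathMatcher{"prefix", func(p string) bool { return strings.HasPrefix(p, pre) }}, nil
	case strings.HasPrefix(rule, "*"):
		suf := strings.TrimPrefix(rule, "*")
		return PathMatcher{"suffix", func(p string) bool { return strings.HasSuffix(p, suf) }}, nil
	}
	return PathMatcher{"exact", func(p string) bool { return p == rule }}, nil
}

func main() {
	m, _ := ParsePathRule("regex: /resources/.*/call")
	fmt.Println(m.Kind, m.Match("/resources/42/call"))
}
```

A rule whose regex does not compile is rejected at parse time, so a bad pattern fails when the policy is loaded instead of silently matching nothing.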