Istio Auth policy based on fields in request body

Hi All,

I am using Istio’s AuthorizationPolicy API to implement access control for services running inside a kubernetes cluster. This works fine.

I have run into use cases where I need to restrict/allow access to services based on “fields in the request body” of the HTTP request. The API doesn’t support defining such a policy. See below:-

Can someone help me with how I can define an authorization policy based on fields in the request body? Any help is much appreciated.

Thanks,
Senthil.

Hi

I guess you can do it with an EnvoyFilter.

Something like the following might work, using a Lua EnvoyFilter on the SIDECAR_INBOUND of your workloads.

function envoy_on_request(request_handle)
  -- body() returns a buffer object, not a table: pull the raw bytes out and decode
  -- them (e.g. as JSON) into a Lua table before iterating. Envoy's Lua sandbox ships
  -- no JSON library, so decode_body here is a placeholder for your own parser.
  local body = request_handle:body()
  local fields = decode_body(body:getBytes(0, body:length()))
  for key, value in pairs(fields) do
    if key == "denied_key" then
      request_handle:respond({[":status"] = "401"}, "keydenied forbidden")
      return
    end
  end
end
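For readers who want to see the whole thing wired up, here is a complete EnvoyFilter manifest (an added example, not the code from the post above or from the Istio project) that injects a Lua filter on the inbound sidecar listener of the workloads labelled `app: httpbin` (a constructed selector; substitute your own labels and namespace). The Lua body only inspects JSON requests, tolerates an empty body, and denies the request when a `"denied_key"` field appears. Note the caveat: Envoy's Lua has no JSON parser, so the check is a plain pattern match on the raw bytes, which is fine for a demo but is not a reliable parse of nested or escaped JSON; for a production policy you would decode the body properly, and you should also remember that `body()` buffers the full request, so keep an eye on request size limits.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: deny-on-body-field        # constructed name
  namespace: default              # constructed namespace
spec:
  workloadSelector:
    labels:
      app: httpbin                # constructed selector: the workloads to protect
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND    # only inbound traffic to the selected pods
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE    # run our Lua before the router filter
      value:
        name: envoy.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Only look at JSON payloads; let everything else through unchanged.
              local ct = request_handle:headers():get("content-type") or ""
              if string.find(ct, "application/json", 1, true) == nil then
                return
              end

              -- body() buffers the whole request body and is nil when there is none.
              local body = request_handle:body()
              if body == nil then
                return
              end
              local raw = body:getBytes(0, body:length())

              -- Crude field check: a key named "denied_key" followed by a colon.
              -- This is a string pattern, not a JSON parse (see the note above).
              if string.find(raw, '"denied_key"%s*:') ~= nil then
                request_handle:logWarn("denied request: body contains denied_key")
                request_handle:respond(
                  {[":status"] = "403", ["content-type"] = "text/plain"},
                  "request body contains a denied field")
                return
              end
            end
```

Apply it with `kubectl apply -f`, then confirm the filter landed with `istioctl proxy-config listener <pod> -o json` and look for `envoy.lua` in the inbound listener's HTTP filter chain. The `logWarn` line writes to the sidecar's log, which gives you a detection signal for denied requests alongside the 403 the client sees.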

The current authorization policy doesn’t support checking the request body; one workaround is to use a Lua filter as @chen mentioned above.

Feel free to open a feature request on https://github.com/istio/istio/issues. Thanks!

Thanks @chen, @YangminZhu. I’ve opened a feature request:-