Match authentication header

Hi,

I want to quickly protect an endpoint and thought I could use a header matcher in the VirtualService to do this. I’ve more or less duplicated this example from the docs and done it like this:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istio-ingress
  namespace: some-namespace
spec:
  hosts:
  - "foo.bar.mydomain.com"
  gateways:
  - default-gateway.istio-system.svc.cluster.local
  - gateway-ha.istio-system.svc.cluster.local
  http:
  - match:
    - headers:
        authorization:
          exact: some-unique-string-here
      name: some-name
    route:
    - destination:
        host: my-service

The intention is that clients must set the Authorization header to the same value to be able to call the endpoint, but it doesn’t seem to work. The request goes through even without the header.

Maybe I misunderstand the way header matching works?

If there are other simple ways to achieve something similar (token, basic auth) I’d also like to hear about that.

I’m not sure why the VirtualService is not working, but I suggest using AuthorizationPolicy to do the access control, as it’s more secure to do the access control on the service side. AFAIK, the VirtualService only affects the client-side routing, which means any client without Envoy, or that could bypass Envoy, is still able to talk to the server without the header.

See https://istio.io/blog/2019/v1beta1-authorization-policy/#example for more information. You can use the
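For reference, a sketch of the server-side check suggested in the reply above, written as an added example and not taken from the thread or the linked blog post. It reuses the namespace and header value from the question; the policy name and the `app: my-service` workload label are assumptions.

```yaml
# Added example, not from the thread.
# Assumption: the pods behind my-service carry the label app: my-service;
# change the selector to match the real workload labels.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-authorization-header   # hypothetical name
  namespace: some-namespace
spec:
  selector:
    matchLabels:
      app: my-service
  # Once an ALLOW policy selects a workload, its sidecar rejects every
  # request that matches no ALLOW rule (HTTP 403), including requests
  # that arrive without the header at all.
  action: ALLOW
  rules:
  - when:
    # Condition on the request's Authorization header, evaluated by the
    # sidecar next to the service rather than by the caller's proxy.
    - key: request.headers[authorization]
      values:
      - some-unique-string-here
```

Because the check runs in the workload's own sidecar, it applies to every caller that reaches the pod through that sidecar, whether the request came via the gateways or from another workload in the mesh.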