Match authentication header


I want to quickly protect an endpoint and thought I could use a header matcher in the VirtualService to do this. I’ve more or less duplicated this example from the docs and done it like this:

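apiVersion: networking.istio.io/v1alpha3   # assumed; not shown in the original post
kind: VirtualService
metadata:
  name: istio-ingress
  namespace: some-namespace
spec:
  hosts:
  - ""
  gateways:
  - default-gateway.istio-system.svc.cluster.local
  - gateway-ha.istio-system.svc.cluster.local
  http:
  - match:
    - headers:
        authorization:   # header name taken from the description below
          exact: some-unique-string-here
      name: some-name
    route:
    - destination:
        host: my-service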

The intention is that clients must set the Authorization header to the same value to be able to call the endpoint, but it doesn’t seem to work. The request goes through even without the header.

Maybe I misunderstand the way header matching works?

If there are other simple ways to achieve something similar (token, basic auth) I’d also like to hear about that.

I’m not sure why the VirtualService is not working, but I suggest using AuthorizationPolicy to do the access control, as it’s more secure to do the access control on the service side. AFAIK, the VirtualService only affects the client-side routing, which means any client without Envoy, or one that could bypass Envoy, is still able to talk to the server without the header.

See for more information. You can use the
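
The server-side check suggested in the answer could look like the following. This is an added example, not part of the original thread or the Istio docs; the policy name and the `app: my-service` workload label are assumptions, while the namespace and header value are reused from the question.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-authorization-header   # hypothetical name
  namespace: some-namespace
spec:
  # Enforced by the sidecar of the destination workload, so it applies
  # regardless of how the request was routed to the pod.
  selector:
    matchLabels:
      app: my-service                  # assumed label on the my-service pods
  action: ALLOW
  rules:
  # Once an ALLOW policy selects a workload, any request that matches no
  # ALLOW rule is rejected with 403, including requests that omit the header.
  - when:
    - key: request.headers[authorization]
      values: ["some-unique-string-here"]
```

The expected value is stored in plain text in the resource, so anyone who can read AuthorizationPolicy objects in the namespace can read the secret. Because the policy selects the whole workload, every request to it needs the header, not only one endpoint.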