I want do quickly protect an endpoint and thought I could use a header matcher in the VirtualService to do this. I’ve more or less duplicated this example from the docs and done like this:
apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: istio-ingress namespace: some-namespace spec: hosts: - "foo.bar.mydomain.com" gateways: - default-gateway.istio-system.svc.cluster.local - gateway-ha.istio-system.svc.cluster.local http: - match: - headers: authorization: exact: some-unique-string-here name: some-name route: - destination: host: my-service
The intention is that clients must set the
Authorization header to the same value to be able to call the endpoint, but it doesn’t seem to work. The request goes through even without the header.
Maybe I misunderstand the way header matching works?
If there are other simple ways to achieve something similar (token, basic auth) I’d also like to hear about that.