Matching permissions in Istio AuthorizationPolicy

Service permissions (specified in an Authorization Policy per Service) define one or more specific required permissions for an endpoint, e.g. “”

Can User/Group permissions assigned to a user within their JWT token, define one or more generalized permissions, e.g. “group1.*.*.*”. ??


I think it’s up to your JWT issuer to decide what should be included in the JWT token. If your JWT issuer allows, you can put whatever you want in the JWT token, Istio doesn’t control the JWT token issuance.

To enforce the JWT token claim like group1.*.*.*, unfortunately this is not supported today. This could be supported with the regex support in authZ policy which we’re still discussing and working on an early design, will update once we have made some more progress on it.