- Expected: Authorize HTTP requests with header `required1=expected1` AND `required2=expected2`
- Actual: Any header is allowed.

AuthorizationPolicy:

```yaml
spec:
  selector:
    matchLabels:
      app: fortioserver
  rules:
  - when:
    - key: request.headers[required1]
      values: ["expected1"]
    - key: request.headers[required2]
      values: ["expected2"]
```

Envoy config dump from workload:

```json
{
  "name": "envoy.filters.http.rbac",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
    "rules": {
      "policies": {
        "ns[airmesh-test-authz-allen]-policy[httpheader-multi-and]-rule[0]": {
          "permissions": [
            {
              "and_rules": {
                "rules": [
                  {
                    "any": true
                  }
                ]
              }
            }
          ],
          "principals": [
            {
              "and_ids": {
                "ids": [
                  {
                    "header": {
                      "name": "required1",
                      "exact_match": "expected1"
                    }
                  },
                  {
                    "header": {
                      "name": "required2",
                      "exact_match": "expected2"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }
}
```

- Expected: Authorize gRPC calls to `fgrpc.PingServer.Ping` with principal `cluster.local/ns/test-authz-allen/sa/grpc-alpha`
- Actual: All gRPC calls are denied

AuthorizationPolicy:

```yaml
selector:
  matchLabels:
    app: fortioserver
rules:
- from:
  - source:
      principals: ["cluster.local/ns/test-authz-allen/sa/grpc-alpha"]
  to:
  - operation:
      methods: ["fgrpc.PingServer.Ping"]
```

Envoy config dump from workload:

```json
{
  "name": "envoy.filters.http.rbac",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
    "rules": {
      "policies": {
        "ns[test-authz-allen]-policy[grpc-source-method-single]-rule[0]": {
          "permissions": [
            {
              "and_rules": {
                "rules": [
                  {
                    "or_rules": {
                      "rules": [
                        {
                          "header": {
                            "name": ":method",
                            "exact_match": "fgrpc.PingServer.Ping"
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ],
          "principals": [
            {
              "and_ids": {
                "ids": [
                  {
                    "or_ids": {
                      "ids": [
                        {
                          "metadata": {
                            "filter": "istio_authn",
                            "path": [
                              {
                                "key": "source.principal"
                              }
                            ],
                            "value": {
                              "string_match": {
                                "exact": "cluster.local/ns/test-authz-allen/sa/grpc-alpha"
                              }
                            }
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }
},
```
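
An added example, not part of the original report or of Istio's code: a minimal evaluator for the Envoy RBAC permission shapes that appear in the dumps above, applied to a constructed gRPC request. It assumes standard gRPC-over-HTTP/2 framing, where `:method` is always `POST` and the RPC name is carried in `:path`; the function names and the sample request are hypothetical.

```python
import json

# Permissions block copied from the second config dump above.
PERMISSIONS = json.loads("""
[{"and_rules": {"rules": [{"or_rules": {"rules": [
  {"header": {"name": ":method", "exact_match": "fgrpc.PingServer.Ping"}}
]}}]}}]
""")

# Constructed sample: headers a gRPC client sends when calling
# fgrpc.PingServer.Ping. The verb is POST; the RPC name is in :path.
GRPC_PING = {":method": "POST", ":path": "/fgrpc.PingServer/Ping",
             "content-type": "application/grpc"}


def permission_matches(rule, headers):
    """Evaluate the subset of Envoy RBAC permission rules seen on this page."""
    if rule.get("any"):
        return True
    if "header" in rule:
        h = rule["header"]
        return headers.get(h["name"]) == h["exact_match"]
    if "and_rules" in rule:
        return all(permission_matches(r, headers) for r in rule["and_rules"]["rules"])
    if "or_rules" in rule:
        return any(permission_matches(r, headers) for r in rule["or_rules"]["rules"])
    raise ValueError(f"unsupported rule: {sorted(rule)}")


def unreachable_method_rules(rule):
    """Return :method exact matches that no gRPC request can satisfy."""
    found = []
    h = rule.get("header", {})
    if h.get("name") == ":method" and h.get("exact_match") != "POST":
        found.append(h.get("exact_match"))
    for key in ("and_rules", "or_rules"):
        for child in rule.get(key, {}).get("rules", []):
            found.extend(unreachable_method_rules(child))
    return found


def allowed(permissions, headers):
    # The entries of a policy's permissions list are OR-ed together.
    return any(permission_matches(p, headers) for p in permissions)


if __name__ == "__main__":
    print("gRPC Ping matches permissions:", allowed(PERMISSIONS, GRPC_PING))
    print([m for p in PERMISSIONS for m in unreachable_method_rules(p)])
```

Running the same `unreachable_method_rules` check over every policy in a workload's config dump flags gRPC policies whose `methods` value ended up as a `:method` header match.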