Details
-
Bug
-
Resolution: Done
-
Major
-
maistra-2.0.0
-
None
-
None
Description
Support of the field request.regex.headers (not present upstream, it was introduced by Maistra) is broken in 1.1: the validatingwebhook will reject any AuthorizationPolicy with the field, and even if you disable that, Pilot will still try to validate it using the same code, so it does not work.
When trying to create the following AuthorizationPolicy
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: httpbin-usernamepolicy spec: action: ALLOW rules: - when: - key: 'request.regex.headers[username]' values: - "allowed.*" selector: matchLabels: app: httpbin
the webhook will return:
Error from server: error when creating "authpolicy.yaml": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: invalid condition: unknown attribute (request.regex.headers[username])
Even when circumventing the webhook, pilot does not accept the resource:
2020-08-07T10:48:50.412255Z warn Discarding incoming MCP resource: validation failed (test/new-policy): invalid condition: unknown attribute (request.regex.headers[username])
Attachments
Issue Links
- clones
-
-
- Closed
-
- is documented by
-
OSSM-2826 AuthorizationPolicy does not support request.regex.headers field
-
- Closed
-
- links to
- mentioned on
