  1. Maistra
  2. MAISTRA-2010

AuthorizationPolicy does not support request.regex.headers field


Details

    • Bug
    • Resolution: Done
    • Major
    • maistra-2.0.1
    • maistra-2.0.0
    • None
    • None
    • MAISTRA 2.0.1

    Description

      Support of the field request.regex.headers (not present upstream, it was introduced by Maistra) is broken in 1.1: the validatingwebhook will reject any AuthorizationPolicy with the field, and even if you disable that, Pilot will still try to validate it using the same code, so it does not work.

      When trying to create the following AuthorizationPolicy

      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      metadata:
        name: httpbin-usernamepolicy
      spec:
        action: ALLOW
        rules:
          - when:
              - key: 'request.regex.headers[username]'
                values:
                  - "allowed.*"
        selector:
          matchLabels:
            app: httpbin
      

      the webhook will return:

      Error from server: error when creating "authpolicy.yaml": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: invalid condition: unknown attribute (request.regex.headers[username])
      

      Even when circumventing the webhook, pilot does not accept the resource:

      2020-08-07T10:48:50.412255Z	warn	Discarding incoming MCP resource: validation failed (test/new-policy): invalid condition: unknown attribute (request.regex.headers[username])
      

            People

              gbaufake Guilherme Baufaker Rêgo (Inactive)
              dgrimm@redhat.com Daniel Grimm