istio

Issue setting Istio Authorization Policy for HTTP req header


The following is my Istio AuthorizationPolicy:

kind: AuthorizationPolicy
apiVersion: security.istio.io/v1
metadata:
  name: my-policy
  namespace: my-ns
spec:
  action: ALLOW
  rules:
    - to:
        - operation:
            paths:
              - /*
      when:
        - key: 'request.headers[x-forwarded-client-cert]'
          values:
              - "*Source Sender*"
  selector:
    matchLabels:
      app: my-api

My x-forwarded-client-cert header looks like this (it is not a simple key-value like name=foo):

Headers: {host=test.com, accept=text/plain, application/json, application/*+json, */*, content-type=application/json, x-forwarded-client-cert=Hash=xyz;Subject="CN=Source Sender,L=Source Sender,OU=123,OU=Dev,OU=Test,O=Test,C=IN";URI=,x-num=1}

How can I fix my AuthorizationPolicy? I just want to match on the CN value which is part of the x-forwarded-client-cert.


Solution

  • Finally, I found a solution to this.

    As of today, it is not possible to match on a "substring" in Istio's AuthorizationPolicy. You can either match with a prefix (e.g. "abc*") or a suffix (e.g. "*abc"), but not something in the middle (e.g. "*abc*").

    To solve this, I used an EnvoyFilter to generate a custom header which only contains the exact header value to match against, and then used that header in the AuthorizationPolicy.
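Here is what that two-step approach can look like, as an added example that is not the answerer's own configuration. The EnvoyFilter inserts a Lua filter on the inbound sidecar listener of the my-api workload, ahead of Istio's RBAC filter, that pulls the CN out of the last Subject= field of x-forwarded-client-cert and writes it to a new header, x-client-cn; the AuthorizationPolicy then matches that header exactly. The header name x-client-cn, the filter name extract-client-cn and the placement before envoy.filters.http.rbac are assumptions; the CN value "Source Sender" is the one from the question.

```yaml
# Added example, not the original poster's config.
# Step 1: derive an exact-match header from the XFCC Subject CN.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: extract-client-cn        # assumed name
  namespace: my-ns
spec:
  workloadSelector:
    labels:
      app: my-api
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
              subFilter:
                # The Lua filter must run before Istio's RBAC filter,
                # otherwise the AuthorizationPolicy never sees x-client-cn.
                name: envoy.filters.http.rbac
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua.extract-client-cn   # assumed filter name
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
            inlineCode: |
              function envoy_on_request(request_handle)
                local headers = request_handle:headers()
                -- Never trust a caller-supplied x-client-cn: drop it before
                -- deriving our own value, or the policy can be bypassed.
                headers:remove("x-client-cn")
                local xfcc = headers:get("x-forwarded-client-cert")
                if xfcc == nil then
                  return
                end
                -- XFCC may carry one entry per hop; keep the CN from the
                -- last Subject="..." field, i.e. the one this sidecar added.
                local cn = nil
                for subject in string.gmatch(xfcc, 'Subject="([^"]*)"') do
                  local m = string.match(subject, "CN=([^,]*)")
                  if m then
                    cn = m
                  end
                end
                if cn ~= nil then
                  headers:add("x-client-cn", cn)
                end
              end
---
# Step 2: match the derived header exactly.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: my-policy
  namespace: my-ns
spec:
  selector:
    matchLabels:
      app: my-api
  action: ALLOW
  rules:
    - to:
        - operation:
            paths:
              - /*
      when:
        - key: request.headers[x-client-cn]
          values:
            - "Source Sender"
```

Two points matter for the security of this: the Lua code removes any x-client-cn the caller sent before setting its own, because an ALLOW rule keyed on a header is only as strong as the guarantee that the caller cannot write that header; and it takes the last Subject entry because, with Istio's default sidecar settings, the sidecar appends its own verified certificate details to whatever XFCC value already arrived rather than replacing it, so earlier entries may have come from the client. For callers inside the mesh, matching on source.principal avoids parsing the header at all; the XFCC route is mainly useful when the client certificate is terminated at a gateway.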