You can define match conditions if you need fine-grained request filtering.
Match conditions are CEL expressions. All match conditions must evaluate to `true`
for the policy to be evaluated against the request; if any of them is `false`, the policy is skipped for that request.
!!! info
    The policy [variables](./variables.md) will NOT be available in match conditions because match conditions are evaluated before the rest of the policy.
```yaml
apiVersion: envoy.kyverno.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: demo
spec:
  failurePolicy: Fail
  matchConditions:
  - name: has-header
    expression: object.attributes.request.http.headers[?"x-force-deny"].hasValue()
  deny:
  - response: >
      envoy.Denied(403).Response()
```
In the policy above, the `matchConditions` restrict the policy to requests carrying an `x-force-deny` header, and the `deny` rule rejects those requests:

- If an incoming request doesn't have the `x-force-deny` header, the condition returns `false` and the policy does not apply.
- If an incoming request has the `x-force-deny` header, the condition returns `true` and the `deny` rule denies the request with status code `403`.

The optional index `[?"x-force-deny"]` matters here: indexing the headers map directly (`headers["x-force-deny"]`) raises a CEL evaluation error when the key is absent instead of returning `false`, and an error is handled under the failure policy (below) rather than as a non-match.
In the event of an error evaluating a match condition, the policy is not evaluated. Whether to reject the request is determined as follows:

- If any match condition evaluated to `false` (regardless of other errors), then the policy is skipped.
- Otherwise:
    - for `failurePolicy: Fail`, reject the request (without evaluating the policy).
    - for `failurePolicy: Ignore`, proceed with the request but skip the policy.
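To make the decision rules above concrete, here is an added Go model of them. It is not the Kyverno Envoy plugin's code and does not run a CEL engine: each `Condition` is a Go function standing in for one compiled match condition, returning either a boolean or an error exactly as a CEL expression does. `HasHeaderOptional` mirrors the `headers[?"x-force-deny"].hasValue()` form from the policy above, `HasHeaderIndex` mirrors the direct `headers["x-force-deny"]` index that errors on a missing key, and `Decide` applies the failure-policy table from the text. The header map and `Decision` names are assumptions made for this example; an unrecognised `failurePolicy` value is treated as `Fail` here (fail closed), which is this example's choice, not something the page documents.

```go
package main

import (
	"errors"
	"fmt"
)

// Headers models object.attributes.request.http.headers (names lower-cased,
// as Envoy presents them to ext_authz). Constructed for this example.
type Headers map[string]string

// Condition stands in for one compiled CEL match condition: a CEL expression
// either yields a boolean or fails with an evaluation error.
type Condition struct {
	Name string
	Eval func(h Headers) (bool, error)
}

// HasHeaderOptional models `headers[?"name"].hasValue()`: the optional index
// never errors, it is simply false when the key is absent.
func HasHeaderOptional(name string) Condition {
	return Condition{Name: "has-header", Eval: func(h Headers) (bool, error) {
		_, ok := h[name]
		return ok, nil
	}}
}

// HasHeaderIndex models the shortcut `headers["name"] != ""`: a plain map index
// on a missing key is a CEL evaluation error ("no such key"), not false.
func HasHeaderIndex(name string) Condition {
	return Condition{Name: "has-header", Eval: func(h Headers) (bool, error) {
		v, ok := h[name]
		if !ok {
			return false, errors.New("no such key: " + name)
		}
		return v != "", nil
	}}
}

// Decision is what the authorizer does with the policy for this request.
type Decision string

const (
	PolicyApplies   Decision = "evaluate policy"
	PolicySkipped   Decision = "skip policy"
	RequestRejected Decision = "reject request"
)

// Decide applies the documented rule: every condition is evaluated; if any is
// false the policy is skipped regardless of errors; otherwise an error means
// reject under failurePolicy Fail and skip under Ignore; all true means the
// policy applies. Any value other than "Ignore" is treated as Fail (assumption).
func Decide(failurePolicy string, conds []Condition, h Headers) (Decision, error) {
	anyFalse := false
	var firstErr error
	for _, c := range conds {
		ok, err := c.Eval(h)
		if err != nil {
			if firstErr == nil {
				firstErr = fmt.Errorf("match condition %q: %w", c.Name, err)
			}
			continue
		}
		if !ok {
			anyFalse = true
		}
	}
	switch {
	case anyFalse:
		return PolicySkipped, nil
	case firstErr != nil && failurePolicy == "Ignore":
		return PolicySkipped, firstErr
	case firstErr != nil:
		return RequestRejected, firstErr
	default:
		return PolicyApplies, nil
	}
}

func main() {
	// Constructed sample requests: one without and one with the header.
	noHeader := Headers{"host": "example.com"}
	withHeader := Headers{"host": "example.com", "x-force-deny": "1"}

	for _, fp := range []string{"Fail", "Ignore"} {
		d, err := Decide(fp, []Condition{HasHeaderIndex("x-force-deny")}, noHeader)
		fmt.Printf("failurePolicy=%s, direct index, header absent: %s (%v)\n", fp, d, err)
	}
	d, _ := Decide("Fail", []Condition{HasHeaderOptional("x-force-deny")}, noHeader)
	fmt.Println("optional index, header absent:", d)
	d, _ = Decide("Fail", []Condition{HasHeaderOptional("x-force-deny")}, withHeader)
	fmt.Println("optional index, header present:", d)
}
```

The run shows the practical difference: with the direct index and `failurePolicy: Fail`, every request that lacks the header is rejected outright, because the condition errors instead of returning `false`; with `Ignore` the same error silently skips the policy. The optional form keeps the absent-header case a plain non-match under either failure policy.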