You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: website/docs/policies/match-conditions.md
+14-1
Original file line number
Diff line number
Diff line change
@@ -4,6 +4,10 @@ You can define match conditions if you need fine-grained request filtering.
4
4
5
5
Match conditions are **CEL expressions**. All match conditions must evaluate to `true` for the request to be evaluated.
6
6
7
+
!!!info
8
+
9
+
Match conditions have access to the same CEL variables as validation expressions.
10
+
7
11
## Example
8
12
9
13
```yaml
@@ -24,4 +28,13 @@ spec:
24
28
In the policy above, the `matchConditions` will be used to deny all requests having the `x-force-deny` header.
25
29
26
30
- If an incoming request doesn't have the `x-force-deny` header, then the condition will return `false` and the policy won't apply
27
-
- If an incoming request has the `x-force-deny` header, then the condition will return `true` and the `deny` rule will deny the request with status code `403`
31
+
- If an incoming request has the `x-force-deny` header, then the condition will return `true` and the `deny` rule will deny the request with status code `403`
32
+
33
+
## Error handling
34
+
35
+
In the event of an error evaluating a match condition the policy is not evaluated. Whether to reject the request is determined as follows:
36
+
37
+
1. If any match condition evaluated to `false` (regardless of other errors), then the policy is skipped.
38
+
1. Otherwise:
39
+
- for `failurePolicy: Fail`, reject the request (without evaluating the policy).
40
+
- for `failurePolicy: Ignore`, proceed with the request but skip the policy.
0 commit comments