
Does AuthorizationPolicy not support any wildcard pattern on paths?

I have the following endpoints:

/my-service/docs/active (GET)
/my-service/docs/<id>/activate/<bool> (PUT)

The first one will get all active docs, and the second will activate/deactivate the specific doc. I've tried to set it on the AuthorizationPolicy and it seems to ignore this policy due to the wildcard.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service
  rules:
    - from:
        - source:
            notNamespaces: [ "default" ]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/my-service/docs/active"]
        - operation:
            methods: ["PUT"]
            paths: ["/my-service/docs/*/activate/*"]  # wildcard in the middle of the path

Is there any different solution here except updating all my endpoints?

10x

officer
user14242404
  • What is your Istio version? According to the Istio [documentation](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule), AuthorizationPolicy does support wildcards, but I think the issue is with the `*/activate/*` path, because paths can use wildcards only at the start, at the end, or as the whole string. There is an issue on [GitHub](https://github.com/istio/istio/issues/25021) about that; it's still open, so there is no answer for that for now. – Jakub Jan 14 '21 at 15:53
  • I'd change the endpoint to something like `/my-service/docs/activate//` . This way you should be able to use policies without issues. – VAS Jan 26 '21 at 16:55

1 Answer


As I mentioned in the comments, according to the Istio documentation:

Rule

Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

  • Exact match: “abc” will match on value “abc”.
  • Prefix match: “abc*” will match on value “abc” and “abcd”.
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
  • Presence match: “*” will match when value is not empty.

So AuthorizationPolicy does support wildcards, but I think the issue is with the `*/activate/*` path, because paths can use wildcards only at the start, at the end, or as the whole string; a double wildcard just doesn't work.

There are related open GitHub issues about that:

Jakub
  • Yes, that's exactly what I saw, the open issues. For now I've updated my paths to include only a single wildcard, as this was the only working scenario, as you mentioned. 10x – user14242404 Jan 27 '21 at 18:05
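To make the four documented match forms concrete, the following is an added Go example, written for this page and not Istio's own code or part of the original answer. It reimplements exact, prefix, suffix and presence matching as the documentation describes them, wires that into a minimal model of a DENY rule with `notNamespaces` and `to.operation` entries, and evaluates the question's policy against its two endpoints. The one assumption beyond the quoted docs is how a `*` in the middle of a pattern is treated: the example treats it as an ordinary character, so `/my-service/docs/*/activate/*` degrades to a prefix match on the literal string `/my-service/docs/*/activate/`, which is consistent with the "policy is ignored" behaviour reported in the question but is not verified against Istio's source. The request samples and the `other` namespace are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// matchString models the string matching the AuthorizationPolicy docs describe
// for any rule field: exact, prefix ("abc*"), suffix ("*abc") and presence ("*").
// Assumption of this example (not verified against Istio's source): a "*"
// anywhere else is an ordinary character, so "/docs/*/activate/*" is a prefix
// match on the literal "/docs/*/activate/" and never matches a real document id.
func matchString(pattern, value string) bool {
	switch {
	case pattern == "*":
		return value != ""
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(value, strings.TrimPrefix(pattern, "*"))
	default:
		return pattern == value
	}
}

// anyMatch: an empty list places no constraint; otherwise any one pattern may match.
func anyMatch(patterns []string, value string) bool {
	if len(patterns) == 0 {
		return true
	}
	for _, p := range patterns {
		if matchString(p, value) {
			return true
		}
	}
	return false
}

// Operation mirrors one "to.operation" entry: methods AND paths must both match.
type Operation struct {
	Methods []string
	Paths   []string
}

// Rule mirrors one rules[] entry with a single "from.source.notNamespaces"
// and a list of "to.operation" entries, any one of which may match.
type Rule struct {
	NotNamespaces []string
	Operations    []Operation
}

func (r Rule) matches(srcNS, method, path string) bool {
	for _, ns := range r.NotNamespaces {
		if ns == srcNS {
			return false // request comes from an excluded namespace
		}
	}
	for _, op := range r.Operations {
		if anyMatch(op.Methods, method) && anyMatch(op.Paths, path) {
			return true
		}
	}
	return false
}

// Denied reports whether a DENY policy with these rules rejects the request.
func Denied(rules []Rule, srcNS, method, path string) bool {
	for _, r := range rules {
		if r.matches(srcNS, method, path) {
			return true
		}
	}
	return false
}

// QuestionRules transcribes the policy from the question: wildcard mid-path.
var QuestionRules = []Rule{{
	NotNamespaces: []string{"default"},
	Operations: []Operation{
		{Methods: []string{"GET"}, Paths: []string{"/my-service/docs/active"}},
		{Methods: []string{"PUT"}, Paths: []string{"/my-service/docs/*/activate/*"}},
	},
}}

// PrefixRules is the same policy with the PUT path reduced to a supported prefix match.
var PrefixRules = []Rule{{
	NotNamespaces: []string{"default"},
	Operations: []Operation{
		{Methods: []string{"GET"}, Paths: []string{"/my-service/docs/active"}},
		{Methods: []string{"PUT"}, Paths: []string{"/my-service/docs/*"}},
	},
}}

func main() {
	// Constructed sample requests, all from a namespace other than "default".
	reqs := [][2]string{
		{"GET", "/my-service/docs/active"},
		{"PUT", "/my-service/docs/42/activate/true"},
		{"PUT", "/my-service/docs/*/activate/true"}, // a literal "*" in the URL
	}
	for _, req := range reqs {
		fmt.Printf("%-4s %-36s question-policy denied=%-5v prefix-policy denied=%v\n",
			req[0], req[1],
			Denied(QuestionRules, "other", req[0], req[1]),
			Denied(PrefixRules, "other", req[0], req[1]))
	}
}
```

Under this model the question's PUT rule only ever denies a request whose path literally starts with `/my-service/docs/*/activate/`, so `PUT /my-service/docs/42/activate/true` from another namespace passes through the DENY policy untouched, which is the "ignored" behaviour the question describes. The rewritten `/my-service/docs/*` prefix is broader than the original intent (it covers every PUT under that tree), but since it sits in a DENY rule scoped to sources outside `default`, the broadening only removes access; check that no legitimate cross-namespace PUT under the same prefix exists before applying it.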