Admission webhook doesn't allow to create AuthorizationPolicy with request.regex.headers condition #155

Closed
danila-trushin opened this issue Jul 30, 2020 · 1 comment


danila-trushin commented Jul 30, 2020

Bug description
admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: invalid condition: unknown attribute (request.regex.headers[x-forwarded-client-cert])

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

Expected behavior
According to the MAISTRA-224 feature, it should be possible to specify a when condition in an AuthorizationPolicy like:

spec:
  rules:
    - when:
        - key: 'request.regex.headers[x-forwarded-client-cert]'
          values: 
            - "foo-[0-9].*"

It's necessary to authorize external consumers on istio-proxy sidecars.

Steps to reproduce the bug
Create AuthorizationPolicy:

oc apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: new-policy
spec:
  rules:
    - when:
        - key: 'request.regex.headers[x-forwarded-client-cert]'
          values:
            - "foo-[0-9].*"
  selector:
    matchLabels:
      app: simple-server
EOF

Get error:
Error from server: error when creating "STDIN": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: invalid condition: unknown attribute (request.regex.headers[x-forwarded-client-cert])

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)
OSE 4.3 ServiceMesh 1.1.3

How was Istio installed?

Environment where bug was observed (cloud vendor, OS, etc)

It seems that adding the request.regex.headers case to istio/pkg/config/security/security.go was forgotten, although it exists in istio/pilot/pkg/security/authz/model.

@danila-trushin danila-trushin changed the title Validation webhook doesn't allow to create AuthorizationPolicy with request.regex.headers condition Admission webhook doesn't allow to create AuthorizationPolicy with request.regex.headers condition Jul 30, 2020
Contributor

dgn commented Aug 7, 2020

Thank you very much for the report @danila-trushin!

We're tracking issues on Jira, which is why this has gone unnoticed for a few days. I created MAISTRA-1739 to track this bug and moved it into the bucket for the next bugfix release. I'm closing this issue in favor of the Jira issue.

@dgn dgn closed this as completed Aug 7, 2020
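
The report's diagnosis is that the admission validator and the policy model disagree about which condition attributes exist. The following is an added example, not Istio or Maistra code: the two attribute lists and all function names are constructed for illustration, and it models that drift together with a check that detects it.

```go
package main

import (
	"fmt"
)

// Constructed model (not Istio source): indexed attributes the policy generator translates.
var modelIndexed = []string{"request.headers", "request.regex.headers"}

// Constructed validator allow-list; the missing entry reproduces the reported drift.
var validatorIndexed = map[string]bool{"request.headers": true}

// splitKey splits a condition key of the form "attr[index]" into its parts.
func splitKey(key string) (attr, index string, err error) {
	open := -1
	for i := 0; i < len(key) && open < 0; i++ {
		if key[i] == '[' {
			open = i
		}
	}
	if open <= 0 || key[len(key)-1] != ']' || open+1 >= len(key)-1 {
		return "", "", fmt.Errorf("malformed key (%s)", key)
	}
	return key[:open], key[open+1 : len(key)-1], nil
}

// validate mimics an admission check: well-formed key, attribute on the allow-list.
func validate(key string, known map[string]bool) error {
	attr, _, err := splitKey(key)
	if err != nil {
		return err
	}
	if !known[attr] {
		return fmt.Errorf("unknown attribute (%s)", key)
	}
	return nil
}

// drift lists attributes the generator supports but the validator would reject.
func drift(model []string, validator map[string]bool) (missing []string) {
	for _, attr := range model {
		if validate(attr+"[x]", validator) != nil {
			missing = append(missing, attr)
		}
	}
	return missing
}

func main() {
	fmt.Println(drift(modelIndexed, validatorIndexed))
}
```

Run as a unit test over the real attribute tables, a check like `drift` fails the build whenever an attribute is added to one component but not the other.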