danila-trushin changed the title from "Validation webhook doesn't allow to create AuthorizationPolicy with request.regex.headers condition" to "Admission webhook doesn't allow to create AuthorizationPolicy with request.regex.headers condition" on Jul 30, 2020
We're tracking issues on Jira, which is why this has gone unnoticed for a few days. I created MAISTRA-1739 to track this bug and moved it into the bucket for the next bugfix release. I'm closing this issue in favor of the Jira issue.
Bug description
admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: invalid condition: unknown attribute (request.regex.headers[x-forwarded-client-cert])
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
Expected behavior
According to the MAISTRA-224 feature, it should be possible to specify a when condition in an AuthorizationPolicy like:
It's necessary to authorize external consumers on istio-proxy sidecars.
Steps to reproduce the bug
Create AuthorizationPolicy:
Get error:
Error from server: error when creating "STDIN": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: invalid condition: unknown attribute (request.regex.headers[x-forwarded-client-cert])
Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)
OSE 4.3 ServiceMesh 1.1.3
How was Istio installed?
Environment where bug was observed (cloud vendor, OS, etc)
It seems it was forgotten to add the request.regex.headers case to istio/pkg/config/security/security.go, although it exists in istio/pilot/pkg/security/authz/model.
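The mismatch described in the report, an admission-time allow-list that lags behind the attributes the policy generator understands, can be caught with a consistency check. The Go program below is an added example, not Istio or Maistra code; the tables and the names `generatorAttrs`, `validatorAttrs`, `validateKey` and `missingFromValidator` are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed tables, not copied from Istio or Maistra source. A trailing "["
// marks a keyed attribute such as request.headers[x-name].
var generatorAttrs = []string{"source.ip", "source.namespace", "request.headers[", "request.regex.headers["}
var validatorAttrs = []string{"source.ip", "source.namespace", "request.headers["}

// validateKey mimics an admission-time check of a condition key against an allow-list.
func validateKey(allowed []string, key string) error {
	for _, a := range allowed {
		if !strings.HasSuffix(a, "[") {
			if key == a {
				return nil
			}
			continue
		}
		// Keyed form: prefix, non-empty name, closing bracket.
		if strings.HasPrefix(key, a) && strings.HasSuffix(key, "]") && len(key) > len(a)+1 {
			return nil
		}
	}
	return fmt.Errorf("unknown attribute (%s)", key)
}

// missingFromValidator lists attributes the generator supports but the validator rejects.
func missingFromValidator(generator, validator []string) []string {
	var missing []string
	for _, a := range generator {
		probe := a
		if strings.HasSuffix(a, "[") {
			probe = a + "x-probe]"
		}
		if validateKey(validator, probe) != nil {
			missing = append(missing, a)
		}
	}
	return missing
}

func main() {
	fmt.Println(validateKey(validatorAttrs, "request.regex.headers[x-forwarded-client-cert]"))
	fmt.Println(missingFromValidator(generatorAttrs, validatorAttrs))
}
```

Running `missingFromValidator` as a unit test over the two real lists would fail the build whenever a generator attribute is added without its validation case.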