Skip to content

The AuthPolicy Custom Resource Definition (CRD)

AuthPolicy

Field Type Required Description
spec AuthPolicySpec Yes The specification for AuthPolicy custom resource
status AuthPolicyStatus No The status for the custom resource

AuthPolicySpec

Field Type Required Description
targetRef LocalPolicyTargetReference Yes Reference to a Kubernetes resource that the policy attaches to
rules AuthScheme No Implicit default authentication/authorization rules
routeSelectors []RouteSelector No List of implicit default selectors of HTTPRouteRules whose matching rules activate the policy. At least one HTTPRouteRule must be selected to activate the policy. If omitted, all HTTPRouteRules of the targeted HTTPRoute activate the policy. Do not use it in policies targeting a Gateway.
patterns MapNamedPattern> No Implicit default named patterns of lists of selector, operator and value tuples, to be reused in when conditions and pattern-matching authorization rules.
when []PatternExpressionOrRef No List of implicit default additional dynamic conditions (expressions) to activate the policy. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway.
defaults AuthPolicyCommonSpec No Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: spec.rules, spec.routeSelectors, spec.patterns, spec.when
overrides AuthPolicyCommonSpec No Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: spec.rules, spec.routeSelectors, spec.patterns, spec.when, spec.default

AuthPolicyCommonSpec

Field Type Required Description
rules AuthScheme No Authentication/authorization rules
routeSelectors []RouteSelector No List of selectors of HTTPRouteRules whose matching rules activate the policy. At least one HTTPRouteRule must be selected to activate the policy. If omitted, all HTTPRouteRules of the targeted HTTPRoute activate the policy. Do not use it in policies targeting a Gateway.
patterns MapNamedPattern> No Named patterns of lists of selector, operator and value tuples, to be reused in when conditions and pattern-matching authorization rules.
when []PatternExpressionOrRef No List of additional dynamic conditions (expressions) to activate the policy. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway.

AuthScheme

Field Type Required Description
authentication MapAuthenticationRule> No Authentication rules. At least one config MUST evaluate to a valid identity object for the auth request to be successful. If omitted or empty, anonymous access is assumed.
metadata MapMetadataRule> No Rules for fetching auth metadata from external sources.
authorization MapAuthorizationRule> No Authorization rules. All policies MUST allow access for the auth request be successful.
response ResponseSpec No Customizations to the response to the authorization request. Use it to set custom values for unauthenticated, unauthorized, and/or success access request.
callbacks MapCallbackRule> No Rules for post-authorization callback requests to external services. Triggered regardless of the result of the authorization request.

AuthRuleCommon

Field Type Required Description
routeSelectors []RouteSelector No List of selectors of HTTPRouteRules whose matching rules activate the auth rule. At least one HTTPRouteRule must be selected to activate the auth rule. If omitted, the auth rule is activated at all requests where the policy is enforced. Do not use it in policies targeting a Gateway.
when []PatternExpressionOrRef No List of additional dynamic conditions (expressions) to activate the auth rule. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway.
cache Caching spec No Caching options for the resolved object returned when applying this auth rule. (Default: disabled)
priority Integer No Priority group of the auth rule. All rules in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. (Default: 0)
metrics Boolean No Whether the auth rule emits individual observability metrics. (Default: false)

AuthenticationRule

Field Type Required Description
apiKey API Key authentication spec No Authentication based on API keys stored in Kubernetes secrets. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
kubernetesTokenReview KubernetesTokenReview spec No Authentication by Kubernetes token review. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
jwt JWT verification spec No Authentication based on JSON Web Tokens (JWT). Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
oauth2Introspection OAuth2 Token Introscpection spec No Authentication by OAuth2 token introspection. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
x509 X.509 authentication spec No Authentication based on client X.509 certificates. The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
plain Plain identity object spec No Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
anonymous Anonymous access No Anonymous access. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
credentials Auth credentials spec No Customizations to where credentials are required to be passed in the request for authentication based on this auth rule. Defaults to HTTP Authorization header with prefix "Bearer".
overrides Identity extension spec No JSON overrides to set to the resolved identity object. Do not use it with identity objects of other JSON types (array, string, etc).
defaults Identity extension spec No JSON defaults to set to the resolved identity object. Do not use it with identity objects of other JSON types (array, string, etc).
(inline) AuthRuleCommon No

MetadataRule

Field Type Required Description
http HTTP GET/GET-by-POST external metadata spec No External source of auth metadata via HTTP request. Use one of: http, userInfo, uma.
userInfo OIDC UserInfo spec No OpendID Connect UserInfo linked to an OIDC authentication rule declared in this same AuthPolicy. Use one of: http, userInfo, uma.
uma UMA metadata spec No User-Managed Access (UMA) source of resource data. Use one of: http, userInfo, uma.
(inline) AuthRuleCommon No

AuthorizationRule

Field Type Required Description
patternMatching Pattern-matching authorization spec No Pattern-matching authorization rules. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
opa OPA authorization spec No Open Policy Agent (OPA) Rego policy. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
kubernetesSubjectAccessReview Kubernetes SubjectAccessReview spec No Authorization by Kubernetes SubjectAccessReview. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
spicedb SpiceDB authorization spec No Authorization decision delegated to external Authzed/SpiceDB server. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
(inline) AuthRuleCommon No

ResponseSpec

Field Type Required Description
unauthenticated Custom denial status spec No Customizations on the denial status and other HTTP attributes when the request is unauthenticated. (Default: 401 Unauthorized)
unauthorized Custom denial status spec No Customizations on the denial status and other HTTP attributes when the request is unauthorized. (Default: 403 Forbidden)
success SuccessResponseSpec No Response items to be included in the auth response when the request is authenticated and authorized.
SuccessResponseSpec
Field Type Required Description
headers MapSuccessResponseItem> No Custom success response items wrapped as HTTP headers to be injected in the request.
dynamicMetadata MapSuccessResponseItem> No Custom success response items wrapped as Envoy Dynamic Metadata. Use it to pass data along to other proxy filters, such as the rate-limit filter.
SuccessResponseItem
Field Type Required Description
plain Plain text response item No Plain text content. Use one of: plain, json, wristband.
json JSON injection response item No Specification of a JSON object. Use one of: plain, json, wristband.
wristband Festival Wristband token response item No Specification of a JSON object. Use one of: plain, json, wristband.
key String No The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). Defaults to the name of the response item if omitted.

CallbackRule

Field Type Required Description
http HTTP endpoints callback spec No HTTP endpoint settings to build the callback request (webhook).
(inline) AuthRuleCommon No

NamedPattern

Field Type Required Description
selector String Yes A valid Well-known attribute whose resolved value in the data plane will be compared to value, using the operator.
operator String Yes The binary operator to be applied to the resolved value specified by the selector. One of: eq (equal to), neq (not equal to), incl (includes; for arrays), excl (excludes; for arrays), matches (regex).
value String Yes The static value to be compared to the one resolved from the selector.

AuthPolicyStatus

Field Type Description
observedGeneration String Number of the last observed generation of the resource. Use it to check if the status info is up to date with latest resource spec.
conditions []ConditionSpec List of conditions that define that status of the resource.

ConditionSpec

  • The lastTransitionTime field provides a timestamp for when the entity last transitioned from one status to another.
  • The message field is a human-readable message indicating details about the transition.
  • The reason field is a unique, one-word, CamelCase reason for the condition’s last transition.
  • The status field is a string, with possible values True, False, and Unknown.
  • The type field is a string with the following possible values:
  • Available: the resource has successfully configured;
Field Type Description
type String Condition Type
status String Status: True, False, Unknown
reason String Condition state reason
message String Condition state description
lastTransitionTime Timestamp Last transition timestamp