| Field | Type | Required | Description |
|---|---|---|---|
| `patterns` | | No | Implicit default named patterns: lists of selector, operator and value tuples, to be reused by name in `when` conditions and in pattern-matching authorization rules. |
| `when` | | No | Implicit default list of additional dynamic conditions (expressions) that must hold for the policy to be activated. Use it to filter on attributes that cannot be expressed in the targeted route's `spec.hostnames` and `spec.rules.matches` fields, or when targeting a Gateway. |
| `overrides` | | No | Atomic overrides definitions. Mutually exclusive with any of the implicit or explicit default definitions: `spec.rules`, `spec.patterns`, `spec.when`, `spec.defaults`. |
| Field | Type | Required | Description |
|---|---|---|---|
| `when` | | No | List of additional dynamic conditions (expressions) that must hold for the policy to be activated. Use it to filter on attributes that cannot be expressed in the targeted route's `spec.hostnames` and `spec.rules.matches` fields, or when targeting a Gateway. |
| `authentication` | `Map<String: AuthenticationRule>` | No | Authentication rules. At least one rule MUST evaluate to a valid identity object for the auth request to be successful. If omitted or empty, anonymous access is assumed. |
| `metadata` | `Map<String: MetadataRule>` | No | Rules for fetching auth metadata from external sources. |
| `authorization` | `Map<String: AuthorizationRule>` | No | Authorization rules. All authorization rules MUST allow access for the auth request to be successful. |
| `response` | | No | Customizations to the response to the authorization request. Use it to set custom values for unauthenticated, unauthorized and/or successful access requests. |
| `callbacks` | `Map<String: CallbackRule>` | No | Rules for post-authorization callback requests to external services. Triggered regardless of the result of the authorization request. |
| Field | Type | Required | Description |
|---|---|---|---|
| `when` | | No | List of additional dynamic conditions (expressions) that must hold for this auth rule to be evaluated. Use it to filter on attributes that cannot be expressed in the targeted route's `spec.hostnames` and `spec.rules.matches` fields, or when targeting a Gateway. |
| `cache` | | No | Caching options for the resolved object returned when applying this auth rule. (Default: disabled) |
| `priority` | Integer | No | Priority group of the auth rule. All rules in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. (Default: 0) |
| `metrics` | Boolean | No | Whether the auth rule emits individual observability metrics. (Default: false) |
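The rule-level fields above in use, as an added example that is not part of the original reference or of the Kuadrant project's own samples. A rule-level `when` restricts the API-key rule to requests that actually carry an `APIKEY` credential, `cache` keys a metadata lookup on the resolved identity, and `priority` puts a cheap path check in group 0 ahead of an OPA rule in group 1. The route name `toystore`, the Secret label `app: toystore`, the directory URL, the shape of its JSON response (`groups` array) and the `cache.key.selector` / `opa.rego` field names are assumptions for illustration.

```yaml
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: toystore-auth            # assumed policy name
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore               # assumed route, same namespace as the policy
  rules:
    authentication:
      "api-key-clients":
        apiKey:
          selector:
            matchLabels:
              app: toystore      # assumed label on the API-key Secrets
        credentials:
          authorizationHeader:
            prefix: APIKEY
        # Rule-level condition: skip this rule unless an APIKEY credential was sent
        when:
          - selector: request.headers.authorization
            operator: matches
            value: "^APIKEY "
        priority: 0
        metrics: true            # per-rule metrics for this authentication rule
    metadata:
      "usergroups":
        http:
          url: "https://directory.example.internal/groups?user={auth.identity.metadata.name}"  # assumed endpoint
          method: GET
        # Cache the directory answer per identity (Secret name of the API key) for 5 minutes
        cache:
          key:
            selector: auth.identity.metadata.name   # assumed cache-key syntax
          ttl: 300
    authorization:
      "admin-paths-need-admin-group":
        priority: 0              # cheap check, evaluated in the first group
        when:
          - selector: request.path
            operator: matches
            value: "^/admin(/|$)"
        patternMatching:
          patterns:
            - selector: auth.metadata.usergroups.groups   # assumed shape of the directory response
              operator: incl
              value: admins
      "business-rules":
        priority: 1              # evaluated only after every rule in group 0 has completed
        metrics: true
        opa:
          rego: |                # assumed field name; Rego body is illustrative
            allow { input.context.request.http.method == "GET" }
            allow { input.auth.metadata.usergroups.groups[_] == "writers" }
```

Priority groups are the only ordering mechanism on the page: a rule that depends on the result of another (here, an OPA rule that reads metadata already cached by group 0) must sit in a later group, otherwise the two run concurrently and the dependency is not guaranteed to be resolved.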
| Field | Type | Required | Description |
|---|---|---|---|
| `apiKey` | | No | Authentication based on API keys stored in Kubernetes Secrets. Use one of: `apiKey`, `jwt`, `oauth2Introspection`, `kubernetesTokenReview`, `x509`, `plain`, `anonymous`. |
| `x509` | | No | Authentication based on client X.509 certificates. The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes Secrets. Use one of: `apiKey`, `jwt`, `oauth2Introspection`, `kubernetesTokenReview`, `x509`, `plain`, `anonymous`. |
| `plain` | | No | Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object is passed to Authorino as JSON in the auth request. Use one of: `apiKey`, `jwt`, `oauth2Introspection`, `kubernetesTokenReview`, `x509`, `plain`, `anonymous`. |
| `credentials` | | No | Customizations to where credentials are required to be passed in the request for authentication based on this auth rule. Defaults to the HTTP `Authorization` header with prefix `Bearer`. |
| Field | Type | Required | Description |
|---|---|---|---|
| `json` | | No | Specification of a JSON object. Use one of: `plain`, `json`, `wristband`. |
| `key` | String | No | The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). Defaults to the name of the response item if omitted. |
| Field | Type | Required | Description |
|---|---|---|---|
| `selector` | String | Yes | A valid Well-known attribute whose resolved value in the data plane will be compared to `value`, using the `operator`. |
| `operator` | String | Yes | The binary operator to be applied to the resolved value specified by the selector. One of: `eq` (equal to), `neq` (not equal to), `incl` (includes; for arrays), `excl` (excludes; for arrays), `matches` (regex). |
| `value` | String | Yes | The static value to be compared to the one resolved from the selector. |
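Selector, operator and value tuples used three ways, as an added example that is not part of the original reference or of the Kuadrant project's samples: as named `patterns`, as a policy-level `when`, and as the body of a `patternMatching` authorization rule, with every operator of the table above exercised at least once. The `patternRef` form for reusing a named pattern inside a rule-level `when`, the route name, the OIDC issuer URL and the `realm_access.roles` claim layout of the token are assumptions.

```yaml
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: toystore-patterns        # assumed policy name
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore               # assumed route
  # Named patterns: every tuple in the list must match for the pattern to hold
  patterns:
    "admin-path":
      - selector: request.path
        operator: matches
        value: "^/admin(/|$)"
    "json-write":
      - selector: request.method
        operator: neq
        value: GET
      - selector: request.headers.content-type
        operator: eq
        value: application/json
  # Policy-level condition: the whole policy is skipped for the health-check path
  when:
    - selector: request.path
      operator: neq
      value: /healthz
  rules:
    authentication:
      "jwt":
        jwt:
          issuerUrl: https://sso.example.com/realms/toystore   # assumed OIDC issuer
    authorization:
      "admins-only-on-admin-paths":
        when:
          - patternRef: admin-path                 # assumed syntax for referencing a named pattern
        patternMatching:
          patterns:
            - selector: auth.identity.realm_access.roles   # assumed claim shape (array of role names)
              operator: incl
              value: admin
      "no-writes-from-suspended-users":
        when:
          - patternRef: json-write
        patternMatching:
          patterns:
            - selector: auth.identity.realm_access.roles
              operator: excl
              value: suspended
```

Two things to keep in mind when writing such rules: `incl` and `excl` only make sense when the selector resolves to an array (a string-typed claim compared with `incl` never matches), and every authorization rule whose `when` holds must allow the request, so the two rules above are ANDed, not ORed.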
```yaml
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: my-auth-policy
spec:
  # Reference to an existing networking resource to attach the policy to. REQUIRED.
  # It can be a Gateway API HTTPRoute, GRPCRoute, or Gateway resource.
  # It can only refer to objects in the same namespace as the AuthPolicy.
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute # or GRPCRoute, Gateway
    name: myroute

  # Additional dynamic conditions to trigger the AuthPolicy.
  # Use it for filtering attributes not supported by the targeted route's rules or with AuthPolicies that target a Gateway.
  # Check out https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md to learn more
  # about the Well-known Attributes that can be used in this field.
  # Equivalent to declaring it within `defaults`.
  when: […]

  # Sets of common patterns of selector-operator-value triples, to be referred by name in `when` conditions
  # and pattern-matching rules. Often employed to avoid repetition in the policy.
  # Equivalent to declaring it within `defaults`.
  patterns: {…}

  # The auth rules to apply to the network traffic routed through the targeted resource.
  # Equivalent to declaring them within `defaults`.
  rules:
    # Authentication rules to enforce.
    # At least one config must evaluate to a valid identity object for the auth request to be successful.
    # If omitted or empty, anonymous access is assumed.
    authentication:
      "my-authn-rule":
        # The authentication method of this rule.
        # One-of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
        apiKey: {…}
        # Where credentials are required to be passed in the request for authentication based on this rule.
        # One-of: authorizationHeader, customHeader, queryString, cookie.
        credentials:
          authorizationHeader:
            prefix: APIKEY
        # Rule-level additional conditions.
        when: […]
        # Configs for caching the resolved object returned out of evaluating this auth rule.
        cache: {…}

    # Rules for fetching auth metadata from external sources.
    metadata:
      "my-external-source":
        # The method for fetching metadata from the external source.
        # One-of: http, userInfo, uma.
        http: {…}

    # Authorization rules to enforce.
    # All policies must allow access for the auth request to be successful.
    authorization:
      "my-authz-rule":
        # The authorization method of this rule.
        # One-of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
        opa: {…}

    # Customizations to the authorization response.
    response:
      # Custom denial status and other HTTP attributes for unauthenticated requests.
      unauthenticated: {…}
      # Custom denial status and other HTTP attributes for unauthorized requests.
      unauthorized: {…}
      # Custom response items when access is granted.
      success:
        # Custom response items wrapped as HTTP headers to be injected in the request.
        headers:
          "my-custom-header":
            # One-of: plain, json, wristband.
            plain: {…}
        # Custom response items wrapped as Envoy dynamic metadata.
        dynamicMetadata:
          "my-custom-dyn-metadata":
            # One-of: plain, json, wristband.
            json: {…}

    # Rules for post-authorization callback requests to external services.
    # Triggered regardless of the result of the authorization request.
    callbacks:
      "my-webhook":
        http: {…}

  # Explicit defaults. Used in policies that target a Gateway object to express default rules to be enforced on
  # routes that lack a more specific policy attached to them.
  # Mutually exclusive with `overrides` and with declaring `rules`, `when` and `patterns` at the top level of
  # the spec.
  defaults:
    rules:
      authentication: {…}
      metadata: {…}
      authorization: {…}
      response: {…}
      callbacks: {…}
    when: […]
    patterns: {…}

  # Overrides. Used in policies that target a Gateway object to be enforced on all routes linked to the gateway,
  # thus also overriding any more specific policy occasionally attached to any of those routes.
  # Mutually exclusive with `defaults` and with declaring `rules`, `when` and `patterns` at the top level of
  # the spec.
  overrides:
    rules:
      authentication: {…}
      metadata: {…}
      authorization: {…}
      response: {…}
      callbacks: {…}
    when: […]
    patterns: {…}
```
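The difference between `defaults` and `overrides` on a Gateway-targeted policy, shown as an added example that is not part of the original reference or of the Kuadrant project's samples. The first Gateway policy uses `defaults`, so the route-level policy that follows replaces it for the `docs` route and opens that route to anonymous clients; the last policy uses `overrides` with the same rules, so the API-key requirement is enforced on every route attached to the gateway and the route-level anonymous rule no longer has any effect. The namespace `gateways`, the Gateway name `external`, the route name `docs` and the Secret label are assumptions; the namespace is shared because, as the skeleton above states, a policy can only target objects in its own namespace.

```yaml
# Gateway-level DEFAULTS: applied only to routes without a more specific AuthPolicy.
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gw-default-auth
  namespace: gateways            # assumed; must equal the Gateway's namespace
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: external               # assumed Gateway name
  defaults:
    rules:
      authentication:
        "api-key":
          apiKey:
            selector:
              matchLabels:
                app: toystore    # assumed label on the API-key Secrets
---
# Route-level policy. Under the gateway DEFAULTS above it wins for this route,
# so /docs is served to anonymous clients.
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: public-docs-auth
  namespace: gateways
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: docs                   # assumed route attached to the "external" Gateway
  rules:
    authentication:
      "anyone":
        anonymous: {}
---
# Gateway-level OVERRIDES: the same rules, but now enforced on every route of the gateway,
# including "docs"; the route-level anonymous rule above is overridden.
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gw-override-auth
  namespace: gateways
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: external
  overrides:
    rules:
      authentication:
        "api-key":
          apiKey:
            selector:
              matchLabels:
                app: toystore
```

Only one of the two Gateway policies would be applied at a time; they are shown together to contrast the two keywords. Putting `rules` (or `when` / `patterns`) at the top level of the spec next to `defaults` or `overrides` is invalid, since the page lists them as mutually exclusive. From a security standpoint, `defaults` is a convenience that any route owner can relax with their own policy, while `overrides` is the only form that lets the gateway owner guarantee a baseline.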