Constraints and Properties

This section contains the supported keys and value formats you can use as constraints and properties in the service roles and service role bindings configuration objects. Constraints and properties are extra conditions you can add as fields in configuration objects with a kind: value of ServiceRole and ServiceRoleBinding to specify detailed access control requirements.

Specifically, you can use constraints to specify extra conditions in the access rule field of a service role. You can use properties to specify extra conditions in the subject field of a service role binding. Istio supports all keys listed on this page for the HTTP protocol but supports only some for the plain TCP protocol.

For more information, refer to the authorization concept page.

Supported Constraints

The following table lists the currently supported keys for the constraints field:

NameDescriptionSupported for TCP servicesKey ExampleValues Example
destination.ipDestination workload instance IP address, supports single IP or CIDRYESdestination.ip["10.1.2.3", "10.2.0.0/16"]
destination.portThe recipient port on the server IP address, must be in the range [0, 65535]YESdestination.port["80", "443"]
destination.labelsA map of key-value pairs attached to the server instanceYESdestination.labels[version]["v1", "v2"]
destination.namespaceDestination workload instance namespaceYESdestination.namespace["default"]
destination.userThe identity of the destination workloadYESdestination.user["bookinfo-productpage"]
experimental.envoy.filters.*Experimental metadata matching for filters, values wrapped in [] are matched as a listYESexperimental.envoy.filters.network.mysql_proxy[db.table]["[update]"]
request.headersHTTP request headers, The actual header name is surrounded by bracketsNOrequest.headers[X-Custom-Token]["abc123"]

Supported Properties

The following table lists the currently supported keys for the properties field:

NameDescriptionSupported for TCP servicesKey ExampleValue Example
source.ipSource workload instance IP address, supports single IP or CIDRYESsource.ip"10.1.2.3"
source.namespaceSource workload instance namespaceYESsource.namespace"default"
source.principalThe identity of the source workloadYESsource.principal"cluster.local/ns/default/sa/productpage"
request.headersHTTP request headers. The actual header name is surrounded by bracketsNOrequest.headers[User-Agent]"Mozilla/*"
request.auth.principalThe authenticated principal of the request.NOrequest.auth.principal"accounts.my-svc.com/104958560606"
request.auth.audiencesThe intended audience(s) for this authentication informationNOrequest.auth.audiences"my-svc.com"
request.auth.presenterThe authorized presenter of the credentialNOrequest.auth.presenter"123456789012.my-svc.com"
request.auth.claimsClaims from the origin JWT. The actual claim name is surrounded by bracketsNOrequest.auth.claims[iss]"*@foo.com"