istio

1
name: envoy.filters.http.ext_authz
2
typedConfig:
3
  '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
4
  allowedHeaders:
5
    patterns:
6
    - exact: x-custom-id
7
      ignoreCase: true
8
    - ignoreCase: true
9
      prefix: x-prefix-
10
    - ignoreCase: true
11
      suffix: -suffix
12
  failureModeAllow: true
13
  filterEnabledMetadata:
14
    filter: envoy.filters.http.rbac
15
    path:
16
    - key: istio_ext_authz_shadow_effective_policy_id
17
    value:
18
      stringMatch:
19
        prefix: istio-ext-authz
20
  httpService:
21
    authorizationRequest:
22
      headersToAdd:
23
      - key: x-header-1
24
        value: value-1
25
      - key: x-header-2
26
        value: value-2
27
    authorizationResponse:
28
      allowedClientHeaders:
29
        patterns:
30
        - exact: Set-cookie
31
          ignoreCase: true
32
        - ignoreCase: true
33
          prefix: x-prefix-
34
        - ignoreCase: true
35
          suffix: -suffix
36
      allowedClientHeadersOnSuccess:
37
        patterns:
38
        - exact: Set-cookie
39
          ignoreCase: true
40
        - ignoreCase: true
41
          prefix: x-prefix-
42
        - ignoreCase: true
43
          suffix: -suffix
44
      allowedUpstreamHeaders:
45
        patterns:
46
        - exact: Authorization
47
          ignoreCase: true
48
        - ignoreCase: true
49
          prefix: x-prefix-
50
        - ignoreCase: true
51
          suffix: -suffix
52
    pathPrefix: /check
53
    serverUri:
54
      cluster: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
55
      timeout: 10s
56
      uri: http://my-custom-ext-authz.foo.svc.cluster.local
57
  statusOnError:
58
    code: Forbidden
59
  transportApiVersion: V3
60
  withRequestBody:
61
    allowPartialMessage: true
62
    maxRequestBytes: 2048
63
    packAsBytes: true
64