
regex matcher on filter chain matching

Open Shikugawa opened this issue 3 years ago • 2 comments

This is related to https://github.com/istio-ecosystem/authservice/issues/140

The current filter chain matches by prefix or equality, but matching by regular expression will make the rules more expressive. For example, a use case could require authentication if the service is hoge1.test.com and hoge2.test.com.

Shikugawa avatar Oct 14 '21 03:10 Shikugawa

Configuration with regex can be complicated. Istio has had a long discussion around support for regex in authz policy, but has not introduced it due to the complexity. Also, we'll have to dig deep when regex can be subject to CVE issues. See https://istio.io/latest/news/security/istio-security-2019-003/ for an example.

incfly avatar Oct 19 '21 05:10 incfly

#140 itself can be supported with a new knob to deny by default if there is no match. Right?

incfly avatar Oct 19 '21 05:10 incfly
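
An added example, not code from authservice or from the participants in this thread: a Go sketch of host matching by equality, prefix and regex with the guards the regex concern above calls for (pattern compiled and validated at config load, full anchoring, length caps, and an explicit no-match outcome). The `Matcher` type, the `Compile` and `Decide` names, the two limits and the `onNoMatch` parameter are assumptions made for illustration; Go is used because its `regexp` package guarantees matching time linear in the input size.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matcher is a hypothetical rule shape, not authservice's schema; both limits are assumed values.
type Matcher func(host string) bool
const maxPatternLen, maxHostLen = 128, 253

// Compile builds a matcher at config load, so a bad pattern never reaches request time.
func Compile(kind, value string) (Matcher, error) {
	switch kind {
	case "equality":
		return func(h string) bool { return h == value }, nil
	case "prefix":
		return func(h string) bool { return strings.HasPrefix(h, value) }, nil
	case "regex":
		if len(value) > maxPatternLen {
			return nil, fmt.Errorf("pattern longer than %d bytes", maxPatternLen)
		}
		// Anchor the whole pattern; unanchored, it would match any substring of the host.
		re, err := regexp.Compile(`\A(?:` + value + `)\z`)
		if err != nil {
			return nil, err
		}
		return re.MatchString, nil
	}
	return nil, fmt.Errorf("unknown match kind %q", kind)
}

// Decide returns "authenticate" on the first match, else onNoMatch ("deny" or "pass": the assumed knob).
func Decide(ms []Matcher, host, onNoMatch string) string {
	if len(host) > maxHostLen {
		return "deny" // oversized input is rejected before any matcher runs
	}
	for _, m := range ms {
		if m(host) {
			return "authenticate"
		}
	}
	return onNoMatch
}

func main() {
	m, err := Compile("regex", `hoge[12]\.test\.com`)
	fmt.Println(err, Decide([]Matcher{m}, "hoge1.test.com.other.example", "deny"))
}
```

Anchoring does not protect against an unescaped `.` in the pattern: `hoge[12].test.com` still matches `hoge1xtestxcom`, so patterns need review at config time.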