Skip to content

Variables

A Kyverno AuthorizationPolicy can define variables that will be made available to all authorization rules.

Variables can be used in composition of other expressions. Each variable is defined as a named CEL expression. The will be available under variables in other expressions of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.

Info

The incoming CheckRequest from Envoy is made available to the policy under the object identifier.

Variables

apiVersion: envoy.kyverno.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: demo
spec:
  failurePolicy: Fail
  variables:
    # `force_authorized` references the 'x-force-authorized' header
    # from the envoy check request (or '' if not present)
  - name: force_authorized
    expression: object.attributes.request.http.headers[?"x-force-authorized"].orValue("")
    # `allowed` will be `true` if `variables.force_authorized` has the
    # value 'enabled' or 'true'
  - name: allowed
    expression: variables.force_authorized in ["enabled", "true"]
  deny:
    # make an authorisation decision based on the value of `variables.allowed`
  - match: >
      !variables.allowed
    response: >
      envoy.Denied(403).Response()