AuthorizationPolicy (deprecated)¶
Deprecation: AuthorizationPolicy is deprecated and will be removed in the next release.
A Kyverno AuthorizationPolicy is a Kubernetes custom resource, so it can be managed through the Kubernetes API, GitOps workflows, and other existing tooling.
Resource Scope¶
A Kyverno AuthorizationPolicy is a cluster-wide resource.
API Group and Kind¶
An AuthorizationPolicy belongs to the envoy.kyverno.io/v1alpha1 API group and can only be of kind AuthorizationPolicy.
```yaml
apiVersion: envoy.kyverno.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: demo
spec:
  # if evaluation fails, the request is denied
  failurePolicy: Fail
  variables:
  # `force_authorized` references the 'x-force-authorized' header
  # from the Envoy check request (or '' if not present)
  - name: force_authorized
    expression: object.attributes.request.http.headers[?"x-force-authorized"].orValue("")
  # `allowed` will be `true` if `variables.force_authorized` has the
  # value 'enabled' or 'true'
  - name: allowed
    expression: variables.force_authorized in ["enabled", "true"]
  deny:
  # make an authorization decision based on the value of `variables.allowed`
  - match: >
      !variables.allowed
    response: >
      envoy.Denied(403).Response()
  allow:
  - response: >
      envoy.Allowed().Response()
```
Envoy External Authorization¶
The Kyverno Authz Server implements the Envoy External Authorization API.
A Kyverno AuthorizationPolicy analyses an Envoy CheckRequest and makes a decision by returning a CheckResponse.
CEL language¶
An AuthorizationPolicy uses the CEL language to process the CheckRequest sent by Envoy. CEL is an expression language that is fast, portable, and safe to execute in performance-critical applications.
Policy structure¶
A Kyverno AuthorizationPolicy is made of:
- A failure policy
- Match conditions, if needed
- Optionally, some variables
- The authorization rules (deny and allow)
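The following policy is an added example showing all four parts together; it is not part of the original page or of the Kyverno project's own samples. Note that the demo policy above admits any request carrying `x-force-authorized: true`, a header the client itself can set, so it is only suitable for demonstrating the mechanics. The example below instead scopes the policy to a path prefix with match conditions and keys its decision on the `authorization` header and the HTTP method. Assumptions: the match conditions field is named `matchConditions` and takes `name`/`expression` entries (mirroring the structure list above); `path`, `method` and `headers` are the fields of the CheckRequest's `attributes.request.http` message; Envoy presents header names in lowercase; and the `/admin` prefix and the read-only rule are hypothetical. The bearer check only verifies that a credential is present in the expected shape, not that it is valid.

```yaml
apiVersion: envoy.kyverno.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: admin-read-only
spec:
  # an evaluation error (e.g. a CEL runtime error) denies the request
  failurePolicy: Fail
  # match conditions (assumed field name): the policy is only applied to
  # requests whose path starts with /admin (hypothetical prefix)
  matchConditions:
  - name: admin-path
    expression: object.attributes.request.http.path.startsWith("/admin")
  variables:
  # Envoy lowercases header names, so index the map with a lowercase key;
  # absent header evaluates to '' instead of raising an error
  - name: authorization
    expression: object.attributes.request.http.headers[?"authorization"].orValue("")
  - name: has_bearer
    expression: variables.authorization.startsWith("Bearer ")
  - name: method
    expression: object.attributes.request.http.method
  deny:
  # no bearer credential at all: 401
  - match: >
      !variables.has_bearer
    response: >
      envoy.Denied(401).Response()
  # credential present but a write verb on the (hypothetical) read-only area: 403
  - match: >
      variables.method in ["POST", "PUT", "PATCH", "DELETE"]
    response: >
      envoy.Denied(403).Response()
  allow:
  - response: >
      envoy.Allowed().Response()
```

Deny rules are listed before the allow rule so that the most specific refusal wins; a request that matches none of the deny conditions falls through to the allow response.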