Skip to content

Add trustDomains and notTrustDomains to AuthzPolicy source#3665

Merged
istio-testing merged 2 commits intoistio:masterfrom
ymesika:ap-trust-domain-source
Mar 17, 2026
Merged

Add trustDomains and notTrustDomains to AuthzPolicy source#3665
istio-testing merged 2 commits intoistio:masterfrom
ymesika:ap-trust-domain-source

Conversation

@ymesika
Copy link
Member

@ymesika ymesika commented Mar 9, 2026

This PR introduces trustDomains and notTrustDomains fields to the AuthorizationPolicy Source rule.
This allows users to accurately and safely match against the identity's trust domain without resorting to potentially error-prone glob-style matching on the full principal URI.

This proposal is fully backward compatible. The addition of optional fields will not impact existing AuthorizationPolicy resources that do not use the new trustDomains fields.

Example:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-some-trust-domains
  namespace: default
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        trustDomains: ["cluster1.local", "cluster2.local"]

Or:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-all-but-specific
  namespace: default
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        notTrustDomains: ["not.trust.domain"]

@ymesika ymesika requested a review from a team as a code owner March 9, 2026 12:31
@istio-policy-bot
Copy link

istio-policy-bot commented Mar 9, 2026

😊 Welcome @ymesika! This is either your first contribution to the Istio api repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 9, 2026
@ymesika ymesika mentioned this pull request Mar 9, 2026
Open
keithmattix
keithmattix reviewed Mar 17, 2026
View reviewed changes
security/v1beta1/authorization_policy.proto
// +cue-gen:AuthorizationPolicy:releaseChannel:extended
repeated string trust_domains = 13;

// Optional. A list of negative match of trust domains.
Copy link
Contributor

@keithmattix keithmattix Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are the semantics of notTrustDomains is set but the connection doesn't have mTLS enabled?

Copy link
Member Author

@ymesika ymesika Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's the same trap as notPrinicipals/notNamespaces.
For those, in positive values we have a comment that it requires mTLS and I also added it (https://github.com/ymesika/api/blob/a23a5bc7d3b28a0ca57056462867817b380479c7/security/v1beta1/authorization_policy.proto#L512) but we lack this comment on the negative ones.
I tried to be consistent with them.

Copy link
Member Author

@ymesika ymesika Mar 17, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, for all those negative forms when mTLS is absent, not_* will trivially pass (empty string doesn't match any specified value), potentially allowing unauthenticated traffic through.

security/v1beta1/authorization_policy.proto
repeated string not_remote_ip_blocks = 10;

// Optional. A list of trust domains derived from the peer certificate.
// Can be exact, prefix, suffix and presence.
Copy link
Contributor

@keithmattix keithmattix Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the example, it seems like it's more global based with * vs an envoy string matcher type of API. Does it only match whole components of a SPIFFE URI? Can you do, eg "fo*-bar"?

Copy link
Member Author

@ymesika ymesika Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The matching semantics are clearly documented above. The trustdomains field supports the same pattern matching as all other string fields in the rule (suffix, prefix, exact or presence).
So no, you cannot do fo*-bar. But that's something to keep in mind to validate in the impl.

Copy link
Contributor

@keithmattix keithmattix Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack, thanks for the pointer

@istio-testing istio-testing merged commit c9c12d8 into istio:master Mar 17, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@keithmattix keithmattix keithmattix approved these changes

@dgn dgn dgn approved these changes

Assignees

No one assigned

Labels

size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ymesika @istio-policy-bot @keithmattix @dgn @istio-testing