
Add trustDomains and notTrustDomains to AuthzPolicy source#3665

Open
ymesika wants to merge 2 commits into istio:master from ymesika:ap-trust-domain-source

Conversation

@ymesika
Member

@ymesika ymesika commented Mar 9, 2026

This PR introduces trustDomains and notTrustDomains fields to the AuthorizationPolicy Source rule.
This allows users to accurately and safely match against the identity's trust domain without resorting to potentially error-prone glob-style matching on the full principal URI.

This proposal is fully backward compatible. The addition of optional fields will not impact existing AuthorizationPolicy resources that do not use the new trustDomains fields.

Example:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-some-trust-domains
  namespace: default
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        trustDomains: ["cluster1.local", "cluster2.local"]
```

Or:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-all-but-specific
  namespace: default
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        notTrustDomains: ["not.trust.domain"]
```
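
The matching semantics the two policies above rely on, as an added illustration that is not code from this PR or from the Istio repository: a small Go model of a source rule that evaluates `trustDomains` as an exact allow-list and `notTrustDomains` as an exact deny-list on the trust-domain segment of an Istio principal (`<trust-domain>/ns/<namespace>/sa/<service-account>`), next to a deliberately naive prefix glob on the full principal to show the over-match the PR description warns about. The `Source` struct, `Matches`, `trustDomainOf`, `matchGlob` and the sample identities are assumptions constructed for this example; the AND-across-fields, OR-within-a-list evaluation is the assumed rule semantics, not a claim about the implementation in this PR.

```go
package main

import (
	"fmt"
	"strings"
)

// Source models the fields of an AuthorizationPolicy source rule that this
// example evaluates. TrustDomains / NotTrustDomains mirror the fields the PR
// proposes; Principals is the existing field. Hypothetical struct for the
// example, not the generated Istio API type.
type Source struct {
	Principals      []string
	TrustDomains    []string
	NotTrustDomains []string
}

// trustDomainOf extracts the trust domain from an Istio principal of the form
// "<trust-domain>/ns/<namespace>/sa/<service-account>". Any other shape is
// rejected so that an unexpected identity never matches by accident.
func trustDomainOf(principal string) (string, error) {
	parts := strings.Split(principal, "/")
	if len(parts) != 5 || parts[0] == "" || parts[1] != "ns" || parts[3] != "sa" {
		return "", fmt.Errorf("malformed principal %q", principal)
	}
	return parts[0], nil
}

// matchGlob is a simplified trailing-'*' prefix glob, constructed here only to
// show why selecting a trust domain through a pattern on the whole principal
// is fragile: "cluster1.local*" also matches "cluster1.localhost/...".
func matchGlob(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Matches reports whether a peer principal satisfies the source rule.
// Assumed semantics: every populated field must be satisfied (AND), entries
// within one list are alternatives (OR); trustDomains is an exact allow-list,
// notTrustDomains an exact deny-list, principals keeps glob behaviour.
func (s Source) Matches(principal string) (bool, error) {
	td, err := trustDomainOf(principal)
	if err != nil {
		return false, err
	}
	if len(s.TrustDomains) > 0 && !contains(s.TrustDomains, td) {
		return false, nil
	}
	if contains(s.NotTrustDomains, td) {
		return false, nil
	}
	if len(s.Principals) > 0 {
		ok := false
		for _, p := range s.Principals {
			if matchGlob(p, principal) {
				ok = true
				break
			}
		}
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample identities; the second differs only in its trust domain.
	peers := []string{
		"cluster1.local/ns/default/sa/sleep",
		"cluster1.localhost/ns/default/sa/sleep",
		"not.trust.domain/ns/default/sa/sleep",
	}
	globRule := Source{Principals: []string{"cluster1.local*"}}
	allowRule := Source{TrustDomains: []string{"cluster1.local", "cluster2.local"}}
	denyRule := Source{NotTrustDomains: []string{"not.trust.domain"}}
	for _, p := range peers {
		g, _ := globRule.Matches(p)
		a, _ := allowRule.Matches(p)
		d, _ := denyRule.Matches(p)
		fmt.Printf("%-40s glob=%-5v trustDomains=%-5v notTrustDomains=%v\n", p, g, a, d)
	}
}
```

Running it shows the glob rule admitting `cluster1.localhost/...` while the exact `trustDomains` rule does not, and a malformed principal producing an error rather than a silent allow.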

@ymesika ymesika requested a review from a team as a code owner March 9, 2026 12:31
@istio-policy-bot

😊 Welcome @ymesika! This is either your first contribution to the Istio api repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 9, 2026

3 participants