kyverno · eddycharly · Jan 3, 2025 · Jan 3, 2025 · Jan 3, 2025 · Jan 3, 2025
@@ -55,5 +55,6 @@ CEL is an expression language that’s fast, portable, and safe to execute in pe
 A Kyverno `AuthorizationPolicy` is made of:
 
 - A [failure policy](./failure-policy.md)
+- [Match conditions](./match-conditions.md) if needed
 - Eventually some [variables](./variables.md)
 - The [authorization rules](./authorization-rules.md)
@@ -0,0 +1,27 @@
+# Match conditions
+
+You can define match conditions if you need fine-grained request filtering.
+
+Match conditions are **CEL expressions**. All match conditions must evaluate to `true` for the request to be evaluated.
+
+## Example
+
+```yaml
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: demo
+spec:
+  failurePolicy: Fail
+  matchConditions:
+  - name: has-header
+    expression: has(object.attributes.request.http.headers["x-force-deny"])
+  deny:
+  - response: >
+      envoy.Denied(403).Response()
+```
+
+In the policy above, the `matchConditions` will be used to deny all requests having the `x-force-deny` header.
+
+- If an incoming request doesn't have the `x-force-deny` header the condition will return `false` and the policy won't apply
+- If an incoming request has the `x-force-deny` header the condition will return `true` and the `deny` rule will deny the request with status code `403`
@@ -10,6 +10,7 @@ nav:
 - Policies:
   - policies/index.md
   - policies/failure-policy.md
+  - policies/match-conditions.md
   - policies/variables.md
   - policies/authorization-rules.md
 - Reference: