From af41e321c07ae17fa0d098dec1d1ba4af320d81b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 3 Jan 2025 12:06:23 +0100 Subject: [PATCH 1/2] docs: add more infos to match conditions docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- website/docs/policies/match-conditions.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/website/docs/policies/match-conditions.md b/website/docs/policies/match-conditions.md index aad9ad3..3c80fe8 100644 --- a/website/docs/policies/match-conditions.md +++ b/website/docs/policies/match-conditions.md @@ -4,6 +4,10 @@ You can define match conditions if you need fine-grained request filtering. Match conditions are **CEL expressions**. All match conditions must evaluate to `true` for the request to be evaluated. +!!!info + + Match conditions have access to the same CEL variables as validation expressions. + ## Example ```yaml 
@@ -24,4 +28,13 @@ spec: In the policy above, the `matchConditions` will be used to deny all requests having the `x-force-deny` header. - If an incoming request doesn't have the `x-force-deny` header, then the condition will return `false` and the policy won't apply -- If an incoming request has the `x-force-deny` header, then the condition will return `true` and the `deny` rule will deny the request with status code `403` \ No newline at end of file +- If an incoming request has the `x-force-deny` header, then the condition will return `true` and the `deny` rule will deny the request with status code `403` + +## Error handling + +In the event of an error evaluating a match condition the policy is not evaluated. Whether to reject the request is determined as follows: + +1. If any match condition evaluated to `false` (regardless of other errors), the policy is skipped. +1. Otherwise: + - for `failurePolicy: Fail`, reject the request (without evaluating the policy). + - for `failurePolicy: Ignore`, proceed with the request but skip the policy. From a6f8f1de884cd6808e35085ea6fbb25e7b530886 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 3 Jan 2025 12:21:35 +0100 Subject: [PATCH 2/2] Update website/docs/policies/match-conditions.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Vishal Choudhary Signed-off-by: Charles-Edouard Brétéché --- website/docs/policies/match-conditions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/policies/match-conditions.md b/website/docs/policies/match-conditions.md index 3c80fe8..0ba6616 100644 --- a/website/docs/policies/match-conditions.md +++ b/website/docs/policies/match-conditions.md 
@@ -34,7 +34,7 @@ In the policy above, the `matchConditions` will be used to deny all requests hav In the event of an error evaluating a match condition the policy is not evaluated. Whether to reject the request is determined as follows: -1. If any match condition evaluated to `false` (regardless of other errors), the policy is skipped. +1. If any match condition evaluated to `false` (regardless of other errors), then the policy is skipped. 1. Otherwise: - for `failurePolicy: Fail`, reject the request (without evaluating the policy). - for `failurePolicy: Ignore`, proceed with the request but skip the policy.
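Review bot: The `!!!info` note added in the first hunk of patch 1/2 (`@@ -4,6 +4,10 @@`) says match conditions have access to "the same CEL variables as validation expressions" but neither names those variables nor links to where they are documented. A reader landing on this page cannot tell what is in scope for a condition. Suggest linking to the validation expressions page from that sentence, or listing the variables here.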
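Review bot: The new "Error handling" section in patch 1/2 (`@@ -24,4 +28,13 @@`) relies on `failurePolicy` without saying where the field is set or what its default is, and that is what decides whether an erroring match condition fails closed or open. As written, with `failurePolicy: Ignore` an error in the `x-force-deny` condition from the example means the request proceeds and the `deny` rule never runs. Suggest stating the default, pointing to where `failurePolicy` is configured, and spelling out that consequence for deny policies in the `Ignore` bullet.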
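Review bot: Item 1 as reworded in patch 2/2 (`@@ -34,7 +34,7 @@`) still says only that "the policy is skipped", while the lead-in promises to explain "Whether to reject the request" and both sub-bullets under "Otherwise" state the outcome for the request. Suggest making item 1 parallel, for example by saying the request proceeds and the policy is skipped, so that all three branches answer the question the section asks. The lead sentence would also read better with a comma after "match condition".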