Package : security.policy.gloo.solo.io





ExtAuthPolicy is used to enforce external authorization/authentication of traffic matching selected routes or arriving at selected destinations. All ExtAuthPolicies in a workspace require an ExtAuthServer in order to function. If no ExtAuthServer is specified, a default configuration will be used. ExtAuthRoutePolicies can be applied at both the Route and Destination levels. Default is to apply policy to all destinations.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| applyToRoutes | []common.gloo.solo.io.RouteSelector | repeated | Select the routes where the policy will be applied. If left empty, no extauth policy will be applied to any routes in the workspace. |
| applyToDestinations | []common.gloo.solo.io.DestinationSelector | repeated | Select the destinations where the policy will be applied. Default behavior if no selectors are specified is to apply to all destinations in the workspace. If left empty and the route selector is set, no extauth policy on destinations will be applied. |
| config | security.policy.gloo.solo.io.ExtAuthPolicySpec.Config | | The details of the external auth policy to apply to the selected routes and destinations. |


Make sure to select the appropriate ExtAuthServer to use, which might be in a different cluster and namespace than the ExtAuthPolicy. For auth configurations that require a client secret from the identity provider issuer, the secret must be in the same cluster as the ExtAuthServer resource.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| disable | bool | | Set to true to disable auth on the route. |
| glooAuth | enterprise.gloo.solo.io.AuthConfigSpec | | Configure the selected route or destination with auth options provided by the Gloo Mesh Ext Auth service. The Ext Auth Service must be configured to use a Gloo Ext Auth service via an ExtAuthDestinationPolicy. |
| customAuth | security.policy.gloo.solo.io.ExtAuthPolicySpec.Config.CustomAuth | | Use this field if you are running your own custom extauth server. The destination service must be configured to use a custom ext auth service via an ExtAuthDestinationPolicy. |
| server | common.gloo.solo.io.ObjectReference | | Reference to the ExtAuthServer to use for this policy. Currently routes on a single gateway must share a single ExtAuthServer. If none is provided, the default Gloo ExtAuthServer will be used. |

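The selector and config defaults in the two tables above decide how widely a policy applies and whether auth is enforced at all. The following is an added example, not code from the Gloo Mesh project: a small Python audit over an ExtAuthPolicy manifest that has already been parsed into a dict. The sample manifests are constructed, and the inner shape of the selector and of the server reference is an assumption; the audit only inspects the field names documented on this page.

```python
# Added example: resolve the effective scope of an ExtAuthPolicy spec and
# flag settings that weaken or widen it, using the rules stated in the tables.

def effective_scope(spec):
    """Apply the documented selector defaults to one ExtAuthPolicySpec dict."""
    routes = spec.get("applyToRoutes") or []
    dests = spec.get("applyToDestinations") or []
    if dests:
        dest_scope = "selected"
    elif routes:
        dest_scope = "none"   # route selector set, destination selector empty
    else:
        dest_scope = "all"    # no selectors: all destinations in the workspace
    return {"routes": "selected" if routes else "none", "destinations": dest_scope}

def audit(policy):
    """Return (scope, findings) for one ExtAuthPolicy manifest given as a dict."""
    spec = policy.get("spec") or {}
    config = spec.get("config") or {}
    scope = effective_scope(spec)
    findings = []
    if scope["destinations"] == "all":
        findings.append("no selectors: policy applies to all destinations in the workspace")
    if config.get("disable"):
        findings.append("config.disable is true: auth is disabled on the route")
    elif "glooAuth" not in config and "customAuth" not in config:
        findings.append("neither glooAuth nor customAuth is set")
    if "server" not in config:
        findings.append("no config.server: the default Gloo ExtAuthServer will be used")
    return scope, findings

# Constructed sample manifests (selector and server bodies are assumed shapes).
SCOPED = {"kind": "ExtAuthPolicy", "spec": {
    "applyToRoutes": [{"route": {"labels": {"route": "ratings"}}}],
    "config": {
        "server": {"name": "ext-auth-server", "namespace": "example-ns"},
        "customAuth": {"contextExtensions": {"tier": "internal"}},
    }}}
BROAD = {"kind": "ExtAuthPolicy", "spec": {"config": {"disable": True}}}

if __name__ == "__main__":
    for name, manifest in (("SCOPED", SCOPED), ("BROAD", BROAD)):
        scope, findings = audit(manifest)
        print(name, scope)
        for finding in findings:
            print("  -", finding)
```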

Gloo Mesh is not expected to configure the ext auth server in this case. This is used with custom auth servers.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| contextExtensions | []security.policy.gloo.solo.io.ExtAuthPolicySpec.Config.CustomAuth.ContextExtensionsEntry | repeated | When a request matches the route or destination on which this configuration is applied, Gloo Mesh will add the given context_extensions to the request that is sent to the external authorization server. This allows the server to base the auth decision on metadata that you define on the source of the request. This attribute is analogous to Envoy's config.filter.http.ext_authz.v2.CheckSettings. See the official [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/ext_authz_filter.html?highlight=ext%20authz#config-filter-http-ext-authz-v2-checksettings) for more details. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | string | | |


Reflects the status of the ExtAuthPolicy.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| global | common.gloo.solo.io.GenericGlobalStatus | | |
| workspaces | []security.policy.gloo.solo.io.ExtAuthPolicyStatus.WorkspacesEntry | repeated | The status of the resource in each workspace that it exists in. |
| selectedDestinationPorts | []common.gloo.solo.io.DestinationReference | repeated | Destination ports selected by the policy. |
| selectedRoutes | []common.gloo.solo.io.RouteReference | repeated | Routes selected by the policy. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | common.gloo.solo.io.WorkspaceStatus | | |