You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Jul 16, 2025. It is now read-only.
I have Kubernetes-managed service account tokens, and I would like to extract some values from the JWT payload using Istio's outputClaimToHeaders feature.
The problem arises when trying to extract a claim with a dotted key (.) in its name, such as kubernetes.io.namespace. The token structure looks like this:
{
"kubernetes.io": {
"namespace": "a-namespace"
}
}
When attempting to extract the namespace field using Istio's outputClaimToHeaders, the header is not set, and Istio does not correctly retrieve the value.
Steps to reproduce:
Deploy an Istio RequestAuthentication policy with the following configuration:
`apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: jwt-auth
namespace: istio-system
spec:
jwtRules: