diff --git a/k8s/core/base/applications/istio/istio-1.9.2.yaml b/k8s/core/base/applications/istio/istio-1.9.2.yaml
index 7d969bbf76..b582f6b210 100644
--- a/k8s/core/base/applications/istio/istio-1.9.2.yaml
+++ b/k8s/core/base/applications/istio/istio-1.9.2.yaml
@@ -47,6 +47,21 @@ spec:
       enabled: true
   hub: docker.io/querycapistio
   meshConfig:
+    extensionProviders:
+      - name: oauth2-proxy
+        envoyExtAuthzHttp:
+          service: oauth2-proxy.network.svc.cluster.local
+          port: 80
+          includeHeadersInCheck: ['authorization', 'cookie']
+          headersToUpstreamOnAllow:
+            [
+              'authorization',
+              'path',
+              'x-auth-request-user',
+              'x-auth-request-email',
+              'x-auth-request-access-token',
+            ]
+          headersToDownstreamOnDeny: ['content-type', 'set-cookie']
     accessLogFile: /dev/stdout
     defaultConfig:
       proxyMetadata: {}