diff --git a/tests/e2e/authz-server/match-conditions/chainsaw-test.yaml b/tests/e2e/authz-server/match-conditions/chainsaw-test.yaml
new file mode 100644
index 0000000..bc0026a
--- /dev/null
+++ b/tests/e2e/authz-server/match-conditions/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: deny
+spec:
+  namespace: app
+  steps: 
+  - try:
+    - create:
+        file: ./istio-policy.yaml
+    - create:
+        file: ./policy.yaml
+    - create:
+        file: ./shell.yaml
+    - wait:
+        apiVersion: v1
+        kind: Pod
+        timeout: 1m
+        for:
+          condition:
+            name: Ready
+            value: 'true'
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+        check:
+          ($stdout): |-
+            Unauthorized Request
+            http_code=403
+    finally:
+    - sleep:
+        duration: 10s
\ No newline at end of file
diff --git a/tests/e2e/authz-server/match-conditions/istio-policy.yaml b/tests/e2e/authz-server/match-conditions/istio-policy.yaml
new file mode 100644
index 0000000..e8dadd0
--- /dev/null
+++ b/tests/e2e/authz-server/match-conditions/istio-policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      ext-authz: enabled
+  action: CUSTOM
+  provider:
+    name: kyverno-authz-server
+  rules:
+  - {}
diff --git a/tests/e2e/authz-server/match-conditions/policy.yaml b/tests/e2e/authz-server/match-conditions/policy.yaml
new file mode 100644
index 0000000..fb8e030
--- /dev/null
+++ b/tests/e2e/authz-server/match-conditions/policy.yaml
@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  variables:
+  - name: foo
+    expression: >
+      true
+  deny:
+  - match: >
+      variables.foo
+    response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request")
+        .Response()
diff --git a/tests/e2e/authz-server/match-conditions/shell.yaml b/tests/e2e/authz-server/match-conditions/shell.yaml
new file mode 100644
index 0000000..febda25
--- /dev/null
+++ b/tests/e2e/authz-server/match-conditions/shell.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: curl
+  labels:
+    app: curl
+    service: curl
+spec:
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: curl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: curl
+  template:
+    metadata:
+      labels:
+        app: curl
+    spec:
+      terminationGracePeriodSeconds: 0
+      serviceAccountName: curl
+      containers:
+      - name: curl
+        image: curlimages/curl
+        command: ["/bin/sleep", "infinity"]
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - mountPath: /etc/curl/tls
+          name: secret-volume
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: curl-secret
+          optional: true