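# Envoy HTTP RBAC filter configuration for a single authorization policy.
#
# The page this was taken from had the viewer's gutter line numbers fused into
# every key and all indentation stripped, which makes the document unparsable;
# this is the same document restored to valid YAML (one list item per matcher,
# field order as in the original). Judging by the policy name and the
# `istio_authn` metadata paths this appears to be an Istio-generated fixture
# that enumerates every supported matcher shape rather than a deployable policy
# -- see the notes on the permission and principal groups below.
#
# No `action` is set on the RBAC message, so the proto default (ALLOW) applies:
# a request is admitted only if some policy's permissions AND principals match.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    policies:
      # Istio's policy-name convention encodes the namespace, the
      # AuthorizationPolicy name and the rule index.
      ns[foo]-policy[httpbin-1]-rule[0]:
        # A single andRules group: every orRules / notRule entry below must hold
        # for the permission side to match.
        #
        # NOTE(review): several notRule groups contain a `.+` safeRegex (for
        # example on urlPath), which matches any non-empty value, so the
        # enclosing notRule can never be true and this andRules group is
        # unsatisfiable for a real request. That is expected for a matcher
        # inventory fixture; do not copy it as a policy template.
        permissions:
        - andRules:
            rules:
            # :authority matchers use ignoreCase; :method matchers below do not.
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: exact.com
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      ignoreCase: true
                      suffix: .suffix.com
                - header:
                    name: :authority
                    stringMatch:
                      ignoreCase: true
                      prefix: prefix.
                - header:
                    name: :authority
                    presentMatch: true
            - notRule:
                orRules:
                  rules:
                  - header:
                      name: :authority
                      stringMatch:
                        exact: not-exact.com
                        ignoreCase: true
                  - header:
                      name: :authority
                      stringMatch:
                        ignoreCase: true
                        suffix: .not-suffix.com
                  - header:
                      name: :authority
                      stringMatch:
                        ignoreCase: true
                        prefix: not-prefix.
                  - header:
                      name: :authority
                      presentMatch: true
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: method
                - header:
                    name: :method
                    stringMatch:
                      prefix: method-prefix-
                - header:
                    name: :method
                    stringMatch:
                      suffix: -suffix-method
                - header:
                    name: :method
                    presentMatch: true
            - notRule:
                orRules:
                  rules:
                  - header:
                      name: :method
                      stringMatch:
                        exact: not-method
                  - header:
                      name: :method
                      stringMatch:
                        prefix: not-method-prefix-
                  - header:
                      name: :method
                      stringMatch:
                        suffix: -not-suffix-method
                  - header:
                      name: :method
                      presentMatch: true
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: /exact
                - urlPath:
                    path:
                      prefix: /prefix/
                - urlPath:
                    path:
                      suffix: /suffix
                - urlPath:
                    path:
                      safeRegex:
                        regex: .+
            - notRule:
                orRules:
                  rules:
                  - urlPath:
                      path:
                        exact: /not-exact
                  - urlPath:
                      path:
                        prefix: /not-prefix/
                  - urlPath:
                      path:
                        suffix: /not-suffix
                  - urlPath:
                      path:
                        safeRegex:
                          regex: .+
            - orRules:
                rules:
                - destinationPort: 80
                - destinationPort: 90
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 8000
                  - destinationPort: 9000
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - destinationIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notRule:
                orRules:
                  rules:
                  - destinationIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - destinationIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            - orRules:
                rules:
                - destinationPort: 91
                - destinationPort: 92
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 9001
                  - destinationPort: 9002
            # requestedServerName is the TLS SNI of the downstream connection;
            # it is absent on plaintext connections.
            - orRules:
                rules:
                - requestedServerName:
                    exact: exact.com
                - requestedServerName:
                    suffix: .suffix.com
                - requestedServerName:
                    prefix: prefix.
                - requestedServerName:
                    safeRegex:
                      regex: .+
            - notRule:
                orRules:
                  rules:
                  - requestedServerName:
                      exact: not-exact.com
                  - requestedServerName:
                      suffix: .not-suffix.com
                  - requestedServerName:
                      prefix: not-prefix.
                  - requestedServerName:
                      safeRegex:
                        regex: .+
            # Dynamic-metadata matchers: filter `envoy.filters.a.b`, key `c`.
            # These only hold if some earlier filter actually sets that metadata.
            - orRules:
                rules:
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        exact: exact
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        prefix: prefix-
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        suffix: -suffix
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        safeRegex:
                          regex: .+
            - notRule:
                orRules:
                  rules:
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          exact: not-exact
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          prefix: not-prefix-
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          suffix: -not-suffix
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          safeRegex:
                            regex: .+
        # A single andIds group: every orIds / notId entry must hold for the
        # principal side to match. As with permissions, the notId groups carry
        # a `.+` match-any regex (peer principal, request principal), so the
        # group as a whole is contradictory for any authenticated caller.
        principals:
        - andIds:
            ids:
            # Peer identity from the mTLS client certificate (SPIFFE URI SAN).
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix-
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*-suffix-principal
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .+
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix-
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*-not-suffix-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .+
            # Request identity: dynamic metadata written by the istio_authn
            # filter (JWT-derived), matched on request.auth.principal.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: requestPrincipals
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        prefix: requestPrincipals-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        suffix: -suffix-requestPrincipals
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        safeRegex:
                          regex: .+
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          exact: not-requestPrincipals
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          prefix: not-requestPrincipals-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          suffix: -not-suffix-requestPrincipals
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          safeRegex:
                            regex: .+
            # Namespace matching is expressed as a regex over the `/ns/<name>/`
            # segment of the peer's SPIFFE principal.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-prefix-.*/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*-ns-suffix/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns-prefix-.*/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*-not-ns-suffix/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*/.*
            # remoteIp is the trusted client address as Envoy determines it
            # (may come from X-Forwarded-For / proxy protocol depending on the
            # listener configuration); directRemoteIp is always the address of
            # the immediate downstream connection. The two are not
            # interchangeable when a policy is meant to pin a network source.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 5.6.0.0
                    prefixLen: 16
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
                  - remoteIp:
                      addressPrefix: 9.2.0.0
                      prefixLen: 16
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 5.6.0.0
                    prefixLen: 16
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
                  - directRemoteIp:
                      addressPrefix: 9.2.0.0
                      prefixLen: 16
            # Custom request-header principal. Headers are caller-controlled
            # unless stripped or set by a trusted hop upstream of this proxy.
            - orIds:
                ids:
                - header:
                    name: X-header
                    stringMatch:
                      exact: header
                - header:
                    name: X-header
                    stringMatch:
                      prefix: header-prefix-
                - header:
                    name: X-header
                    stringMatch:
                      suffix: -suffix-header
                - header:
                    name: X-header
                    presentMatch: true
            - notId:
                orIds:
                  ids:
                  - header:
                      name: X-header
                      stringMatch:
                        exact: not-header
                  - header:
                      name: X-header
                      stringMatch:
                        prefix: not-header-prefix-
                  - header:
                      name: X-header
                      stringMatch:
                        suffix: -not-suffix-header
                  - header:
                      name: X-header
                      presentMatch: true
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - directRemoteIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - remoteIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-prefix-.*/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*-ns-suffix/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns-prefix-.*/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*-not-ns-suffix/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*/.*
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix-
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*-suffix-principal
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .+
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix-
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*-not-suffix-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .+
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: requestPrincipals
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        prefix: requestPrincipals-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        suffix: -suffix-requestPrincipals
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        safeRegex:
                          regex: .+
                # Issuer-only match (`<issuer>/` prefix of the request principal).
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        prefix: https://example.com/
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          exact: not-requestPrincipals
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          prefix: not-requestPrincipals-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          suffix: -not-suffix-requestPrincipals
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          safeRegex:
                            regex: .+
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        exact: audiences
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        prefix: audiences-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        suffix: -suffix-audiences
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        safeRegex:
                          regex: .+
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.audiences
                      value:
                        stringMatch:
                          exact: not-audiences
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.audiences
                      value:
                        stringMatch:
                          prefix: not-audiences-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.audiences
                      value:
                        stringMatch:
                          suffix: -not-suffix-audiences
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.audiences
                      value:
                        stringMatch:
                          safeRegex:
                            regex: .+
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.presenter
                    value:
                      stringMatch:
                        exact: presenter
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.presenter
                    value:
                      stringMatch:
                        prefix: presenter-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.presenter
                    value:
                      stringMatch:
                        suffix: -suffix-presenter
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.presenter
                    value:
                      stringMatch:
                        safeRegex:
                          regex: .+
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.presenter
                      value:
                        stringMatch:
                          exact: not-presenter
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.presenter
                      value:
                        stringMatch:
                          prefix: not-presenter-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.presenter
                      value:
                        stringMatch:
                          suffix: -not-suffix-presenter
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.presenter
                      value:
                        stringMatch:
                          safeRegex:
                            regex: .+
            # JWT claim matchers walk request.auth.claims.<claim>; claims are
            # stored as lists, hence listMatch.oneOf rather than a bare
            # stringMatch.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: iss
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            exact: iss
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: iss
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            prefix: iss-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: iss
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            suffix: -suffix-iss
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: iss
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            safeRegex:
                              regex: .+
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: iss
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              exact: not-iss
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: iss
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              prefix: not-iss-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: iss
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              suffix: -not-suffix-iss
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: iss
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              safeRegex:
                                regex: .+
            # Nested claim: each path segment is one level of the claim object.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: nested1
                    - key: nested2
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            exact: nested
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: nested1
                    - key: nested2
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            prefix: nested-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: nested1
                    - key: nested2
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            suffix: -suffix-nested
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: nested1
                    - key: nested2
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            safeRegex:
                              regex: .+
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: nested1
                      - key: nested2
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              exact: not-nested
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: nested1
                      - key: nested2
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              prefix: not-nested-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: nested1
                      - key: nested2
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              suffix: -not-suffix-nested
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: nested1
                      - key: nested2
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              safeRegex:
                                regex: .+
  # Stat prefix for shadow (dry-run) rule evaluation. No `shadowRules` block is
  # present in this document, so the policy above is in `rules` and is
  # enforced; the prefix presumably only affects stats if shadow rules are
  # added -- verify against the generator before relying on it as a dry-run
  # indicator.
  shadowRulesStatPrefix: istio_dry_run_allow_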