1name: envoy.filters.http.rbac
2typedConfig:
3'@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
4rules:
5policies:
6ns[foo]-policy[httpbin-1]-rule[0]:
7permissions:
8- andRules:
9rules:
10- orRules:
11rules:
12- header:
13name: :authority
14stringMatch:
15exact: exact.com
16ignoreCase: true
17- header:
18name: :authority
19stringMatch:
20ignoreCase: true
21suffix: .suffix.com
22- header:
23name: :authority
24stringMatch:
25ignoreCase: true
26prefix: prefix.
27- header:
28name: :authority
29presentMatch: true
30- notRule:
31orRules:
32rules:
33- header:
34name: :authority
35stringMatch:
36exact: not-exact.com
37ignoreCase: true
38- header:
39name: :authority
40stringMatch:
41ignoreCase: true
42suffix: .not-suffix.com
43- header:
44name: :authority
45stringMatch:
46ignoreCase: true
47prefix: not-prefix.
48- header:
49name: :authority
50presentMatch: true
51- orRules:
52rules:
53- header:
54name: :method
55stringMatch:
56exact: method
57- header:
58name: :method
59stringMatch:
60prefix: method-prefix-
61- header:
62name: :method
63stringMatch:
64suffix: -suffix-method
65- header:
66name: :method
67presentMatch: true
68- notRule:
69orRules:
70rules:
71- header:
72name: :method
73stringMatch:
74exact: not-method
75- header:
76name: :method
77stringMatch:
78prefix: not-method-prefix-
79- header:
80name: :method
81stringMatch:
82suffix: -not-suffix-method
83- header:
84name: :method
85presentMatch: true
86- orRules:
87rules:
88- urlPath:
89path:
90exact: /exact
91- urlPath:
92path:
93prefix: /prefix/
94- urlPath:
95path:
96suffix: /suffix
97- urlPath:
98path:
99safeRegex:
100regex: .+
101- notRule:
102orRules:
103rules:
104- urlPath:
105path:
106exact: /not-exact
107- urlPath:
108path:
109prefix: /not-prefix/
110- urlPath:
111path:
112suffix: /not-suffix
113- urlPath:
114path:
115safeRegex:
116regex: .+
117- orRules:
118rules:
119- destinationPort: 80
120- destinationPort: 90
121- notRule:
122orRules:
123rules:
124- destinationPort: 8000
125- destinationPort: 9000
126- orRules:
127rules:
128- destinationIp:
129addressPrefix: 10.10.10.10
130prefixLen: 32
131- destinationIp:
132addressPrefix: 192.168.10.0
133prefixLen: 24
134- notRule:
135orRules:
136rules:
137- destinationIp:
138addressPrefix: 90.10.10.10
139prefixLen: 32
140- destinationIp:
141addressPrefix: 90.168.10.0
142prefixLen: 24
143- orRules:
144rules:
145- destinationPort: 91
146- destinationPort: 92
147- notRule:
148orRules:
149rules:
150- destinationPort: 9001
151- destinationPort: 9002
152- orRules:
153rules:
154- requestedServerName:
155exact: exact.com
156- requestedServerName:
157suffix: .suffix.com
158- requestedServerName:
159prefix: prefix.
160- requestedServerName:
161safeRegex:
162regex: .+
163- notRule:
164orRules:
165rules:
166- requestedServerName:
167exact: not-exact.com
168- requestedServerName:
169suffix: .not-suffix.com
170- requestedServerName:
171prefix: not-prefix.
172- requestedServerName:
173safeRegex:
174regex: .+
175- metadata:
176filter: envoy.filters.a.b
177path:
178- key: c
179value:
180orMatch:
181valueMatchers:
182- stringMatch:
183exact: exact
184- stringMatch:
185prefix: prefix-
186- stringMatch:
187suffix: -suffix
188- stringMatch:
189safeRegex:
190regex: .+
191- notRule:
192metadata:
193filter: envoy.filters.a.b
194path:
195- key: c
196value:
197orMatch:
198valueMatchers:
199- stringMatch:
200exact: not-exact
201- stringMatch:
202prefix: not-prefix-
203- stringMatch:
204suffix: -not-suffix
205- stringMatch:
206safeRegex:
207regex: .+
208principals:
209- andIds:
210ids:
211- orIds:
212ids:
213- authenticated:
214principalName:
215exact: spiffe://principal
216- authenticated:
217principalName:
218prefix: spiffe://principal-prefix-
219- authenticated:
220principalName:
221safeRegex:
222regex: spiffe://.*-suffix-principal
223- authenticated:
224principalName:
225safeRegex:
226regex: .+
227- notId:
228orIds:
229ids:
230- authenticated:
231principalName:
232exact: spiffe://not-principal
233- authenticated:
234principalName:
235prefix: spiffe://not-principal-prefix-
236- authenticated:
237principalName:
238safeRegex:
239regex: spiffe://.*-not-suffix-principal
240- authenticated:
241principalName:
242safeRegex:
243regex: .+
244- orIds:
245ids:
246- andIds:
247ids:
248- metadata:
249filter: envoy.filters.http.jwt_authn
250path:
251- key: payload
252- key: iss
253value:
254stringMatch:
255exact: requestPrincipals
256- metadata:
257filter: envoy.filters.http.jwt_authn
258path:
259- key: payload
260- key: sub
261value:
262stringMatch:
263exact: ""
264- andIds:
265ids:
266- metadata:
267filter: envoy.filters.http.jwt_authn
268path:
269- key: payload
270- key: iss
271value:
272stringMatch:
273prefix: requestPrincipals-prefix-
274- metadata:
275filter: envoy.filters.http.jwt_authn
276path:
277- key: payload
278- key: sub
279value:
280stringMatch:
281safeRegex:
282regex: .+
283- andIds:
284ids:
285- metadata:
286filter: envoy.filters.http.jwt_authn
287path:
288- key: payload
289- key: iss
290value:
291stringMatch:
292safeRegex:
293regex: .+
294- metadata:
295filter: envoy.filters.http.jwt_authn
296path:
297- key: payload
298- key: sub
299value:
300stringMatch:
301suffix: -suffix-requestPrincipals
302- andIds:
303ids:
304- metadata:
305filter: envoy.filters.http.jwt_authn
306path:
307- key: payload
308- key: iss
309value:
310stringMatch:
311safeRegex:
312regex: .+
313- metadata:
314filter: envoy.filters.http.jwt_authn
315path:
316- key: payload
317- key: sub
318value:
319stringMatch:
320safeRegex:
321regex: .+
322- notId:
323orIds:
324ids:
325- andIds:
326ids:
327- metadata:
328filter: envoy.filters.http.jwt_authn
329path:
330- key: payload
331- key: iss
332value:
333stringMatch:
334exact: not-requestPrincipals
335- metadata:
336filter: envoy.filters.http.jwt_authn
337path:
338- key: payload
339- key: sub
340value:
341stringMatch:
342exact: ""
343- andIds:
344ids:
345- metadata:
346filter: envoy.filters.http.jwt_authn
347path:
348- key: payload
349- key: iss
350value:
351stringMatch:
352prefix: not-requestPrincipals-prefix-
353- metadata:
354filter: envoy.filters.http.jwt_authn
355path:
356- key: payload
357- key: sub
358value:
359stringMatch:
360safeRegex:
361regex: .+
362- andIds:
363ids:
364- metadata:
365filter: envoy.filters.http.jwt_authn
366path:
367- key: payload
368- key: iss
369value:
370stringMatch:
371safeRegex:
372regex: .+
373- metadata:
374filter: envoy.filters.http.jwt_authn
375path:
376- key: payload
377- key: sub
378value:
379stringMatch:
380suffix: -not-suffix-requestPrincipals
381- andIds:
382ids:
383- metadata:
384filter: envoy.filters.http.jwt_authn
385path:
386- key: payload
387- key: iss
388value:
389stringMatch:
390safeRegex:
391regex: .+
392- metadata:
393filter: envoy.filters.http.jwt_authn
394path:
395- key: payload
396- key: sub
397value:
398stringMatch:
399safeRegex:
400regex: .+
401- orIds:
402ids:
403- authenticated:
404principalName:
405safeRegex:
406regex: .*/ns/ns/.*
407- authenticated:
408principalName:
409safeRegex:
410regex: .*/ns/ns-prefix-.*/.*
411- authenticated:
412principalName:
413safeRegex:
414regex: .*/ns/.*-ns-suffix/.*
415- authenticated:
416principalName:
417safeRegex:
418regex: .*/ns/.*/.*
419- notId:
420orIds:
421ids:
422- authenticated:
423principalName:
424safeRegex:
425regex: .*/ns/not-ns/.*
426- authenticated:
427principalName:
428safeRegex:
429regex: .*/ns/not-ns-prefix-.*/.*
430- authenticated:
431principalName:
432safeRegex:
433regex: .*/ns/.*-not-ns-suffix/.*
434- authenticated:
435principalName:
436safeRegex:
437regex: .*/ns/.*/.*
438- orIds:
439ids:
440- remoteIp:
441addressPrefix: 1.2.3.4
442prefixLen: 32
443- remoteIp:
444addressPrefix: 5.6.0.0
445prefixLen: 16
446- notId:
447orIds:
448ids:
449- remoteIp:
450addressPrefix: 9.0.0.1
451prefixLen: 32
452- remoteIp:
453addressPrefix: 9.2.0.0
454prefixLen: 16
455- orIds:
456ids:
457- directRemoteIp:
458addressPrefix: 1.2.3.4
459prefixLen: 32
460- directRemoteIp:
461addressPrefix: 5.6.0.0
462prefixLen: 16
463- notId:
464orIds:
465ids:
466- directRemoteIp:
467addressPrefix: 9.0.0.1
468prefixLen: 32
469- directRemoteIp:
470addressPrefix: 9.2.0.0
471prefixLen: 16
472- orIds:
473ids:
474- header:
475name: X-header
476stringMatch:
477exact: header
478- header:
479name: X-header
480stringMatch:
481prefix: header-prefix-
482- header:
483name: X-header
484stringMatch:
485suffix: -suffix-header
486- header:
487name: X-header
488presentMatch: true
489- notId:
490orIds:
491ids:
492- header:
493name: X-header
494stringMatch:
495exact: not-header
496- header:
497name: X-header
498stringMatch:
499prefix: not-header-prefix-
500- header:
501name: X-header
502stringMatch:
503suffix: -not-suffix-header
504- header:
505name: X-header
506presentMatch: true
507- orIds:
508ids:
509- directRemoteIp:
510addressPrefix: 10.10.10.10
511prefixLen: 32
512- directRemoteIp:
513addressPrefix: 192.168.10.0
514prefixLen: 24
515- notId:
516orIds:
517ids:
518- directRemoteIp:
519addressPrefix: 90.10.10.10
520prefixLen: 32
521- directRemoteIp:
522addressPrefix: 90.168.10.0
523prefixLen: 24
524- orIds:
525ids:
526- remoteIp:
527addressPrefix: 10.10.10.10
528prefixLen: 32
529- remoteIp:
530addressPrefix: 192.168.10.0
531prefixLen: 24
532- notId:
533orIds:
534ids:
535- remoteIp:
536addressPrefix: 90.10.10.10
537prefixLen: 32
538- remoteIp:
539addressPrefix: 90.168.10.0
540prefixLen: 24
541- orIds:
542ids:
543- authenticated:
544principalName:
545safeRegex:
546regex: .*/ns/ns/.*
547- authenticated:
548principalName:
549safeRegex:
550regex: .*/ns/ns-prefix-.*/.*
551- authenticated:
552principalName:
553safeRegex:
554regex: .*/ns/.*-ns-suffix/.*
555- authenticated:
556principalName:
557safeRegex:
558regex: .*/ns/.*/.*
559- notId:
560orIds:
561ids:
562- authenticated:
563principalName:
564safeRegex:
565regex: .*/ns/not-ns/.*
566- authenticated:
567principalName:
568safeRegex:
569regex: .*/ns/not-ns-prefix-.*/.*
570- authenticated:
571principalName:
572safeRegex:
573regex: .*/ns/.*-not-ns-suffix/.*
574- authenticated:
575principalName:
576safeRegex:
577regex: .*/ns/.*/.*
578- orIds:
579ids:
580- authenticated:
581principalName:
582exact: spiffe://principal
583- authenticated:
584principalName:
585prefix: spiffe://principal-prefix-
586- authenticated:
587principalName:
588safeRegex:
589regex: spiffe://.*-suffix-principal
590- authenticated:
591principalName:
592safeRegex:
593regex: .+
594- notId:
595orIds:
596ids:
597- authenticated:
598principalName:
599exact: spiffe://not-principal
600- authenticated:
601principalName:
602prefix: spiffe://not-principal-prefix-
603- authenticated:
604principalName:
605safeRegex:
606regex: spiffe://.*-not-suffix-principal
607- authenticated:
608principalName:
609safeRegex:
610regex: .+
611- orIds:
612ids:
613- andIds:
614ids:
615- metadata:
616filter: envoy.filters.http.jwt_authn
617path:
618- key: payload
619- key: iss
620value:
621stringMatch:
622exact: requestPrincipals
623- metadata:
624filter: envoy.filters.http.jwt_authn
625path:
626- key: payload
627- key: sub
628value:
629stringMatch:
630exact: ""
631- andIds:
632ids:
633- metadata:
634filter: envoy.filters.http.jwt_authn
635path:
636- key: payload
637- key: iss
638value:
639stringMatch:
640prefix: requestPrincipals-prefix-
641- metadata:
642filter: envoy.filters.http.jwt_authn
643path:
644- key: payload
645- key: sub
646value:
647stringMatch:
648safeRegex:
649regex: .+
650- andIds:
651ids:
652- metadata:
653filter: envoy.filters.http.jwt_authn
654path:
655- key: payload
656- key: iss
657value:
658stringMatch:
659safeRegex:
660regex: .+
661- metadata:
662filter: envoy.filters.http.jwt_authn
663path:
664- key: payload
665- key: sub
666value:
667stringMatch:
668suffix: -suffix-requestPrincipals
669- andIds:
670ids:
671- metadata:
672filter: envoy.filters.http.jwt_authn
673path:
674- key: payload
675- key: iss
676value:
677stringMatch:
678safeRegex:
679regex: .+
680- metadata:
681filter: envoy.filters.http.jwt_authn
682path:
683- key: payload
684- key: sub
685value:
686stringMatch:
687safeRegex:
688regex: .+
689- andIds:
690ids:
691- metadata:
692filter: envoy.filters.http.jwt_authn
693path:
694- key: payload
695- key: iss
696value:
697stringMatch:
698exact: https://example.com
699- metadata:
700filter: envoy.filters.http.jwt_authn
701path:
702- key: payload
703- key: sub
704value:
705stringMatch:
706safeRegex:
707regex: .+
708- notId:
709orIds:
710ids:
711- andIds:
712ids:
713- metadata:
714filter: envoy.filters.http.jwt_authn
715path:
716- key: payload
717- key: iss
718value:
719stringMatch:
720exact: not-requestPrincipals
721- metadata:
722filter: envoy.filters.http.jwt_authn
723path:
724- key: payload
725- key: sub
726value:
727stringMatch:
728exact: ""
729- andIds:
730ids:
731- metadata:
732filter: envoy.filters.http.jwt_authn
733path:
734- key: payload
735- key: iss
736value:
737stringMatch:
738prefix: not-requestPrincipals-prefix-
739- metadata:
740filter: envoy.filters.http.jwt_authn
741path:
742- key: payload
743- key: sub
744value:
745stringMatch:
746safeRegex:
747regex: .+
748- andIds:
749ids:
750- metadata:
751filter: envoy.filters.http.jwt_authn
752path:
753- key: payload
754- key: iss
755value:
756stringMatch:
757safeRegex:
758regex: .+
759- metadata:
760filter: envoy.filters.http.jwt_authn
761path:
762- key: payload
763- key: sub
764value:
765stringMatch:
766suffix: -not-suffix-requestPrincipals
767- andIds:
768ids:
769- metadata:
770filter: envoy.filters.http.jwt_authn
771path:
772- key: payload
773- key: iss
774value:
775stringMatch:
776safeRegex:
777regex: .+
778- metadata:
779filter: envoy.filters.http.jwt_authn
780path:
781- key: payload
782- key: sub
783value:
784stringMatch:
785safeRegex:
786regex: .+
787- metadata:
788filter: envoy.filters.http.jwt_authn
789path:
790- key: payload
791- key: aud
792value:
793orMatch:
794valueMatchers:
795- stringMatch:
796exact: audiences
797- stringMatch:
798prefix: audiences-prefix-
799- stringMatch:
800suffix: -suffix-audiences
801- stringMatch:
802safeRegex:
803regex: .+
804- notId:
805metadata:
806filter: envoy.filters.http.jwt_authn
807path:
808- key: payload
809- key: aud
810value:
811orMatch:
812valueMatchers:
813- stringMatch:
814exact: not-audiences
815- stringMatch:
816prefix: not-audiences-prefix-
817- stringMatch:
818suffix: -not-suffix-audiences
819- stringMatch:
820safeRegex:
821regex: .+
822- metadata:
823filter: envoy.filters.http.jwt_authn
824path:
825- key: payload
826- key: azp
827value:
828orMatch:
829valueMatchers:
830- listMatch:
831oneOf:
832orMatch:
833valueMatchers:
834- stringMatch:
835exact: presenter
836- stringMatch:
837prefix: presenter-prefix-
838- stringMatch:
839suffix: -suffix-presenter
840- stringMatch:
841safeRegex:
842regex: .+
843- orMatch:
844valueMatchers:
845- stringMatch:
846exact: presenter
847- stringMatch:
848prefix: presenter-prefix-
849- stringMatch:
850suffix: -suffix-presenter
851- stringMatch:
852safeRegex:
853regex: .+
854- notId:
855metadata:
856filter: envoy.filters.http.jwt_authn
857path:
858- key: payload
859- key: azp
860value:
861orMatch:
862valueMatchers:
863- listMatch:
864oneOf:
865orMatch:
866valueMatchers:
867- stringMatch:
868exact: not-presenter
869- stringMatch:
870prefix: not-presenter-prefix-
871- stringMatch:
872suffix: -not-suffix-presenter
873- stringMatch:
874safeRegex:
875regex: .+
876- orMatch:
877valueMatchers:
878- stringMatch:
879exact: not-presenter
880- stringMatch:
881prefix: not-presenter-prefix-
882- stringMatch:
883suffix: -not-suffix-presenter
884- stringMatch:
885safeRegex:
886regex: .+
887- metadata:
888filter: envoy.filters.http.jwt_authn
889path:
890- key: payload
891- key: iss
892value:
893orMatch:
894valueMatchers:
895- listMatch:
896oneOf:
897orMatch:
898valueMatchers:
899- stringMatch:
900exact: iss
901- stringMatch:
902prefix: iss-prefix-
903- stringMatch:
904suffix: -suffix-iss
905- stringMatch:
906safeRegex:
907regex: .+
908- orMatch:
909valueMatchers:
910- stringMatch:
911exact: iss
912- stringMatch:
913prefix: iss-prefix-
914- stringMatch:
915suffix: -suffix-iss
916- stringMatch:
917safeRegex:
918regex: .+
919- notId:
920metadata:
921filter: envoy.filters.http.jwt_authn
922path:
923- key: payload
924- key: iss
925value:
926orMatch:
927valueMatchers:
928- listMatch:
929oneOf:
930orMatch:
931valueMatchers:
932- stringMatch:
933exact: not-iss
934- stringMatch:
935prefix: not-iss-prefix-
936- stringMatch:
937suffix: -not-suffix-iss
938- stringMatch:
939safeRegex:
940regex: .+
941- orMatch:
942valueMatchers:
943- stringMatch:
944exact: not-iss
945- stringMatch:
946prefix: not-iss-prefix-
947- stringMatch:
948suffix: -not-suffix-iss
949- stringMatch:
950safeRegex:
951regex: .+
952- metadata:
953filter: envoy.filters.http.jwt_authn
954path:
955- key: payload
956- key: nested1
957- key: nested2
958value:
959orMatch:
960valueMatchers:
961- listMatch:
962oneOf:
963orMatch:
964valueMatchers:
965- stringMatch:
966exact: nested
967- stringMatch:
968prefix: nested-prefix-
969- stringMatch:
970suffix: -suffix-nested
971- stringMatch:
972safeRegex:
973regex: .+
974- orMatch:
975valueMatchers:
976- stringMatch:
977exact: nested
978- stringMatch:
979prefix: nested-prefix-
980- stringMatch:
981suffix: -suffix-nested
982- stringMatch:
983safeRegex:
984regex: .+
985- notId:
986metadata:
987filter: envoy.filters.http.jwt_authn
988path:
989- key: payload
990- key: nested1
991- key: nested2
992value:
993orMatch:
994valueMatchers:
995- listMatch:
996oneOf:
997orMatch:
998valueMatchers:
999- stringMatch:
1000exact: not-nested
1001- stringMatch:
1002prefix: not-nested-prefix-
1003- stringMatch:
1004suffix: -not-suffix-nested
1005- stringMatch:
1006safeRegex:
1007regex: .+
1008- orMatch:
1009valueMatchers:
1010- stringMatch:
1011exact: not-nested
1012- stringMatch:
1013prefix: not-nested-prefix-
1014- stringMatch:
1015suffix: -not-suffix-nested
1016- stringMatch:
1017safeRegex:
1018regex: .+
1019shadowRulesStatPrefix: istio_dry_run_allow_