---
# Envoy HTTP RBAC filter configuration. The policy keys follow Istio's
# ns[<namespace>]-policy[<policy name>]-rule[<rule index>] naming.
# NOTE(review): indentation was lost in this listing and is reconstructed
# here from the Envoy RBAC v3 schema - confirm against the original file.
# NOTE(review): values such as spiffe://principals1 and requestPrincipals1
# look like test-fixture placeholders - confirm before reusing any of this.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  # No `action` is set, so the proto default (ALLOW) applies: a request is
  # admitted when at least one policy below matches and rejected when none
  # does. A policy matches when one of its permissions AND one of its
  # principals match.
  # Policies are OR-ed. httpbin-1 to httpbin-4 accept any principal, so the
  # identity checks in httpbin-5 to httpbin-9 do not narrow what those four
  # already admit (for example, every GET or POST passes via httpbin-1).
  rules:
    policies:
      # Any caller, HTTP method GET or POST.
      'ns[foo]-policy[httpbin-1]-rule[0]':
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - header:
                          name: ':method'
                          stringMatch:
                            exact: GET
                      - header:
                          name: ':method'
                          stringMatch:
                            exact: POST
        principals:
          - andIds:
              ids:
                - any: true
      # Any caller, path exactly /v1 or /v2. Exact path rules depend on the
      # proxy normalizing the path (duplicate slashes, percent-encoding,
      # trailing slash) the same way the backend does; verify that
      # normalization is enabled where this filter runs.
      'ns[foo]-policy[httpbin-2]-rule[0]':
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - urlPath:
                          path:
                            exact: /v1
                      - urlPath:
                          path:
                            exact: /v2
        principals:
          - andIds:
              ids:
                - any: true
      # Any caller, :authority equal to google.com or httpbin.org
      # (case-insensitive). The value is supplied by the client.
      'ns[foo]-policy[httpbin-3]-rule[0]':
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - header:
                          name: ':authority'
                          stringMatch:
                            exact: google.com
                            ignoreCase: true
                      - header:
                          name: ':authority'
                          stringMatch:
                            exact: httpbin.org
                            ignoreCase: true
        principals:
          - andIds:
              ids:
                - any: true
      # Any caller, destination port 80 or 90.
      'ns[foo]-policy[httpbin-4]-rule[0]':
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - destinationPort: 80
                      - destinationPort: 90
        principals:
          - andIds:
              ids:
                - any: true
      # Any request, but only from a peer whose TLS certificate identity is
      # one of the two SPIFFE names. `authenticated` reads the peer
      # certificate, so it can only match on mutually authenticated TLS
      # connections.
      'ns[foo]-policy[httpbin-5]-rule[0]':
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            exact: 'spiffe://principals1'
                      - authenticated:
                          principalName:
                            exact: 'spiffe://principals2'
      # Any request whose JWT claims, read from the dynamic metadata of
      # envoy.filters.http.jwt_authn, have iss equal to one of the two
      # issuers AND sub equal to the empty string. This relies on the JWT
      # filter running earlier in the chain and having verified the token.
      # NOTE(review): `sub` exact "" matches only an empty subject claim;
      # presumably the source request principal was given without a
      # "/<sub>" part - confirm this is the intended match.
      'ns[foo]-policy[httpbin-6]-rule[0]':
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - andIds:
                          ids:
                            - metadata:
                                filter: envoy.filters.http.jwt_authn
                                path:
                                  - key: payload
                                  - key: iss
                                value:
                                  stringMatch:
                                    exact: requestPrincipals1
                            - metadata:
                                filter: envoy.filters.http.jwt_authn
                                path:
                                  - key: payload
                                  - key: sub
                                value:
                                  stringMatch:
                                    exact: ""
                      - andIds:
                          ids:
                            - metadata:
                                filter: envoy.filters.http.jwt_authn
                                path:
                                  - key: payload
                                  - key: iss
                                value:
                                  stringMatch:
                                    exact: requestPrincipals2
                            - metadata:
                                filter: envoy.filters.http.jwt_authn
                                path:
                                  - key: payload
                                  - key: sub
                                value:
                                  stringMatch:
                                    exact: ""
      # Any request from a peer whose certificate identity contains
      # /ns/namespaces1/ or /ns/namespaces2/. The leading `.*` accepts any
      # prefix before that segment, so the trust domain is not constrained
      # by this rule.
      'ns[foo]-policy[httpbin-7]-rule[0]':
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: '.*/ns/namespaces1/.*'
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: '.*/ns/namespaces2/.*'
      # Any request from 1.2.3.4/32 or 5.6.7.0/24. `directRemoteIp` is the
      # address of the directly connected peer; behind a load balancer or
      # another proxy that is the intermediary, not the original client.
      'ns[foo]-policy[httpbin-8]-rule[0]':
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - directRemoteIp:
                          addressPrefix: '1.2.3.4'
                          prefixLen: 32
                      - directRemoteIp:
                          addressPrefix: '5.6.7.0'
                          prefixLen: 24
      # Any request carrying header X-abc with value abc1 or abc2. The
      # header is used as a principal here but is sent by the client, so it
      # identifies a caller only if a trusted hop strips and sets it.
      'ns[foo]-policy[httpbin-9]-rule[0]':
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - header:
                          name: X-abc
                          stringMatch:
                            exact: abc1
                      - header:
                          name: X-abc
                          stringMatch:
                            exact: abc2
  # Stat prefix for shadow (dry-run) rules. No `shadowRules` block is
  # present in this config, so only `rules` above is evaluated.
  shadowRulesStatPrefix: istio_dry_run_allow_