extended-multiple-policies-out.yaml 
# Envoy HTTP RBAC filter configuration with nine policies (httpbin-1 ..
# httpbin-9). The policy keys appear to encode namespace, policy name and
# rule index (presumably generator output; confirm against the producer).
#
# How to read it:
# - No `action` is set under `rules`, so the RBAC proto default applies
#   (ALLOW in Envoy's RBAC API; confirm for the Envoy version in use).
# - Under ALLOW, a request passes when ANY one policy matches, so the nine
#   policies below form a union, not an intersection.
# - Within a policy, at least one `permissions` entry AND at least one
#   `principals` entry must match.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    policies:
      # httpbin-1: request method is GET or POST; principal is `any`, i.e. no
      # caller identity is checked. NOTE(review): because policies are OR-ed,
      # this one alone admits every GET/POST regardless of path, host or port.
      ns[foo]-policy[httpbin-1]-rule[0]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: GET
                - header:
                    name: :method
                    stringMatch:
                      exact: POST
        principals:
        - andIds:
            ids:
            - any: true
      # httpbin-2: URL path is exactly /v1 or /v2 (exact match, so sub-paths
      # such as /v1/x are not covered); any principal.
      ns[foo]-policy[httpbin-2]-rule[0]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: /v1
                - urlPath:
                    path:
                      exact: /v2
        principals:
        - andIds:
            ids:
            - any: true
      # httpbin-3: :authority equals google.com or httpbin.org, compared
      # case-insensitively (ignoreCase); any principal.
      # NOTE(review): :authority is supplied by the client, so this restricts
      # the requested host, not who is calling. An exact match also does not
      # cover a host written with an explicit port.
      ns[foo]-policy[httpbin-3]-rule[0]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: google.com
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: httpbin.org
                      ignoreCase: true
        principals:
        - andIds:
            ids:
            - any: true
      # httpbin-4: destination port is 80 or 90; any principal.
      ns[foo]-policy[httpbin-4]-rule[0]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - destinationPort: 80
                - destinationPort: 90
        principals:
        - andIds:
            ids:
            - any: true
      # httpbin-5: any request (permissions `any`), but the peer must be
      # authenticated with principal name exactly spiffe://principals1 or
      # spiffe://principals2.
      ns[foo]-policy[httpbin-5]-rule[0]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principals1
                - authenticated:
                    principalName:
                      exact: spiffe://principals2
      # httpbin-6: any request; the principal is matched on dynamic metadata
      # written by the envoy.filters.http.jwt_authn filter. Each alternative
      # requires BOTH payload.iss and payload.sub to match (inner andIds).
      ns[foo]-policy[httpbin-6]-rule[0]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            exact: requestPrincipals1
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            # NOTE(review): requires `sub` to equal the empty
                            # string; presumably the source value carried no
                            # subject part. Confirm this is intended.
                            exact: ""
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            exact: requestPrincipals2
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            # NOTE(review): same empty-string `sub` match as
                            # in the first alternative; confirm.
                            exact: ""
      # httpbin-7: any request; authenticated principal name must match one
      # of two regexes keyed on a /ns/<namespace>/ path segment.
      # NOTE(review): the leading `.*` leaves everything before /ns/
      # unconstrained, so the pattern does not pin a trust domain.
      ns[foo]-policy[httpbin-7]-rule[0]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/namespaces1/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/namespaces2/.*
      # httpbin-8: any request; the directly connected peer address must be
      # 1.2.3.4/32 or inside 5.6.7.0/24. directRemoteIp is the physical peer
      # address, not one derived from a forwarding header.
      ns[foo]-policy[httpbin-8]-rule[0]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 5.6.7.0
                    prefixLen: 24
      # httpbin-9: any request; the "principal" is a request header, X-abc
      # equal to abc1 or abc2.
      # NOTE(review): a header value is set by the sender, so this is only an
      # identity signal if something trusted in front strips and re-adds the
      # header; verify before relying on it for access control.
      ns[foo]-policy[httpbin-9]-rule[0]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - header:
                    name: X-abc
                    stringMatch:
                      exact: abc1
                - header:
                    name: X-abc
                    stringMatch:
                      exact: abc2
  # Stat prefix for shadow (non-enforcing) rules. No `shadowRules` block is
  # present in this config, so only the prefix is set here.
  shadowRulesStatPrefix: istio_dry_run_allow_