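# Envoy HTTP RBAC filter configuration with two policies under `rules.policies`.
# Each policy pairs one permission (an exact match on the `:method`
# pseudo-header) with a set of authenticated principals.
#
# NOTE(review): the listing had viewer line numbers fused to every key and all
# indentation stripped. Nesting below is restored from key order and the Envoy
# RBAC v3 schema; confirm against the original file before relying on it.
#
# NOTE(review): no `action` is set under `rules`. In the Envoy RBAC proto the
# zero value of `action` is ALLOW, so these policies presumably grant access
# and any request matching no policy is denied. Verify.
#
# NOTE(review): names such as `rule[0]-to[0]-method[0]` look like fixture
# placeholders rather than production values.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    policies:
      ns[foo]-policy[httpbin]-rule[0]:
        # Permission: the request method must equal this one value.
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[0]-method[0]
        # Principals: any one top-level entry may match (two `andIds` here).
        # `authenticated.principalName` is evaluated against the peer identity
        # taken from the TLS client certificate, so these matchers only carry
        # weight where mutual TLS is actually enforced on the listener.
        principals:
        # Source 0: a single service account, listed once per trust domain.
        # NOTE(review): every identity appears under both `td1` and
        # `cluster.local`, presumably trust-domain aliasing. Each extra trust
        # domain widens the set of accepted callers; confirm both are meant.
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/rule[0]/sa/from[0]-principal[0]
                - authenticated:
                    principalName:
                      exact: spiffe://cluster.local/ns/rule[0]/sa/from[0]-principal[0]
        # Source 1: (one of two service accounts) AND (a namespace pattern).
        # NOTE(review): the second `orIds` is placed inside this `andIds` as
        # the schema suggests; the flattened listing cannot prove it.
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/rule[0]/sa/from[1]-principal[0]
                - authenticated:
                    principalName:
                      exact: spiffe://cluster.local/ns/rule[0]/sa/from[1]-principal[0]
                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/rule[0]/sa/from[1]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://cluster.local/ns/rule[0]/sa/from[1]-principal[1]
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      # The leading `.*` leaves the trust domain unconstrained,
                      # unlike the exact matchers above. Inside a regex `[0]`
                      # and `[1]` are character classes, so this pattern
                      # matches `rule0-from1-ns0`, not the bracketed literal.
                      # Harmless in a fixture; a generator fed names with
                      # regex metacharacters would need to escape them.
                      safeRegex:
                        regex: .*/ns/rule[0]-from[1]-ns[0]/.*
      ns[foo]-policy[httpbin]-rule[1]:
        # Same shape as rule[0]: one method permission, one source.
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[0]-method[0]
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/rule[1]/sa/from[0]-principal[0]
                - authenticated:
                    principalName:
                      exact: spiffe://cluster.local/ns/rule[1]/sa/from[0]-principal[0]
  # Stat prefix for shadow (dry-run) rule evaluation.
  # NOTE(review): this config defines only enforced `rules` and no
  # `shadowRules`, so the prefix appears unused here. Confirm.
  shadowRulesStatPrefix: istio_dry_run_allow_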