# Envoy HTTP RBAC filter configuration (name: envoy.filters.http.rbac, typed as
# envoy.extensions.filters.http.rbac.v3.RBAC) holding two policies,
# ns[foo]-policy[httpbin]-rule[0] and ns[foo]-policy[httpbin]-rule[1].
#
# Each policy is structured as:
#   permissions: andRules whose members are orRules over :authority (exact,
#     ignoreCase: true), :method (exact), urlPath (exact), destinationPort and
#     destinationIp (addressPrefix/prefixLen).
#   principals: andIds whose members are orIds over authenticated principalName
#     (exact spiffe:// values, or safeRegex of the form .*/ns/<ns>/.*), JWT
#     claims read from envoy.filters.http.jwt_authn metadata (payload.iss exact
#     plus payload.sub exact ""), remoteIp, directRemoteIp, and X-header
#     matchers (exact / prefix / suffix / presentMatch).
#
# The placeholder values (rule[N]-to[M]-host[K], spiffe://rule[N]-from[M]-principal[K],
# ...) indicate this is generated test output rather than a deployable policy.
# NOTE(review): the trailing shadowRulesStatPrefix: istio_dry_run_allow_ suggests
# a dry-run (shadow) mode was involved in generating this; the policies shown
# here sit under `rules:` — confirm against the generator whether that is the
# intended placement.
# NOTE(review): the pairing of payload.iss exact + payload.sub exact "" presumably
# comes from a request-principal split on "/" where the test value has no
# subject part — verify against the translation code before relying on it.
# NOTE(extraction): the listing below was captured with gutter line numbers fused
# into the text and line breaks lost (e.g. "900142- destinationPort"), so it is
# not loadable YAML as shown; reconstruct indentation from the structure above.
1name: envoy.filters.http.rbac2typedConfig:3'@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC4rules:5policies:6ns[foo]-policy[httpbin]-rule[0]:7permissions:8- andRules:9rules:10- orRules:11rules:12- header:13name: :authority14stringMatch:15exact: rule[0]-to[0]-host[1]16ignoreCase: true17- header:18name: :authority19stringMatch:20exact: rule[0]-to[0]-host[2]21ignoreCase: true22- orRules:23rules:24- header:25name: :method26stringMatch:27exact: rule[0]-to[0]-method[1]28- header:29name: :method30stringMatch:31exact: rule[0]-to[0]-method[2]32- orRules:33rules:34- urlPath:35path:36exact: rule[0]-to[0]-path[1]37- urlPath:38path:39exact: rule[0]-to[0]-path[2]40- orRules:41rules:42- destinationPort: 900143- destinationPort: 900244- orRules:45rules:46- destinationIp:47addressPrefix: 10.10.10.1048prefixLen: 3249- destinationIp:50addressPrefix: 192.168.10.051prefixLen: 2452- andRules:53rules:54- orRules:55rules:56- header:57name: :authority58stringMatch:59exact: rule[0]-to[1]-host[1]60ignoreCase: true61- header:62name: :authority63stringMatch:64exact: rule[0]-to[1]-host[2]65ignoreCase: true66- orRules:67rules:68- header:69name: :method70stringMatch:71exact: rule[0]-to[1]-method[1]72- header:73name: :method74stringMatch:75exact: rule[0]-to[1]-method[2]76- orRules:77rules:78- urlPath:79path:80exact: rule[0]-to[1]-path[1]81- urlPath:82path:83exact: rule[0]-to[1]-path[2]84- orRules:85rules:86- destinationPort: 901187- destinationPort: 901288- orRules:89rules:90- destinationIp:91addressPrefix: 10.10.10.1092prefixLen: 3293- destinationIp:94addressPrefix: 192.168.10.095prefixLen: 2496principals:97- andIds:98ids:99- orIds:100ids:101- authenticated:102principalName:103exact: spiffe://rule[0]-from[0]-principal[1]104- authenticated:105principalName:106exact: spiffe://rule[0]-from[0]-principal[2]107- orIds:108ids:109- andIds:110ids:111- metadata:112filter: envoy.filters.http.jwt_authn113path:114- key: payload115- key: iss116value:117stringMatch:118exact: 
rule[0]-from[0]-requestPrincipal[1]119- metadata:120filter: envoy.filters.http.jwt_authn121path:122- key: payload123- key: sub124value:125stringMatch:126exact: ""127- andIds:128ids:129- metadata:130filter: envoy.filters.http.jwt_authn131path:132- key: payload133- key: iss134value:135stringMatch:136exact: rule[0]-from[0]-requestPrincipal[2]137- metadata:138filter: envoy.filters.http.jwt_authn139path:140- key: payload141- key: sub142value:143stringMatch:144exact: ""145- orIds:146ids:147- authenticated:148principalName:149safeRegex:150regex: .*/ns/rule[0]-from[0]-ns[1]/.*151- authenticated:152principalName:153safeRegex:154regex: .*/ns/rule[0]-from[0]-ns[2]/.*155- orIds:156ids:157- remoteIp:158addressPrefix: 172.16.10.10159prefixLen: 32160- orIds:161ids:162- directRemoteIp:163addressPrefix: 10.0.0.1164prefixLen: 32165- directRemoteIp:166addressPrefix: 10.0.0.2167prefixLen: 32168- orIds:169ids:170- header:171name: X-header172stringMatch:173exact: header174- header:175name: X-header176stringMatch:177prefix: header-prefix-178- header:179name: X-header180stringMatch:181suffix: -suffix-header182- header:183name: X-header184presentMatch: true185- orIds:186ids:187- remoteIp:188addressPrefix: 10.99.10.8189prefixLen: 32190- remoteIp:191addressPrefix: 10.80.64.0192prefixLen: 18193- andIds:194ids:195- orIds:196ids:197- authenticated:198principalName:199exact: spiffe://rule[0]-from[1]-principal[1]200- authenticated:201principalName:202exact: spiffe://rule[0]-from[1]-principal[2]203- orIds:204ids:205- andIds:206ids:207- metadata:208filter: envoy.filters.http.jwt_authn209path:210- key: payload211- key: iss212value:213stringMatch:214exact: rule[0]-from[1]-requestPrincipal[1]215- metadata:216filter: envoy.filters.http.jwt_authn217path:218- key: payload219- key: sub220value:221stringMatch:222exact: ""223- andIds:224ids:225- metadata:226filter: envoy.filters.http.jwt_authn227path:228- key: payload229- key: iss230value:231stringMatch:232exact: rule[0]-from[1]-requestPrincipal[2]233- 
metadata:234filter: envoy.filters.http.jwt_authn235path:236- key: payload237- key: sub238value:239stringMatch:240exact: ""241- orIds:242ids:243- authenticated:244principalName:245safeRegex:246regex: .*/ns/rule[0]-from[1]-ns[1]/.*247- authenticated:248principalName:249safeRegex:250regex: .*/ns/rule[0]-from[1]-ns[2]/.*251- orIds:252ids:253- remoteIp:254addressPrefix: 172.17.8.0255prefixLen: 24256- remoteIp:257addressPrefix: 172.17.9.4258prefixLen: 32259- orIds:260ids:261- directRemoteIp:262addressPrefix: 10.0.1.1263prefixLen: 32264- directRemoteIp:265addressPrefix: 192.0.1.2266prefixLen: 32267- orIds:268ids:269- header:270name: X-header271stringMatch:272exact: header273- header:274name: X-header275stringMatch:276prefix: header-prefix-277- header:278name: X-header279stringMatch:280suffix: -suffix-header281- header:282name: X-header283presentMatch: true284- orIds:285ids:286- remoteIp:287addressPrefix: 10.99.10.8288prefixLen: 32289- remoteIp:290addressPrefix: 10.80.64.0291prefixLen: 18292ns[foo]-policy[httpbin]-rule[1]:293permissions:294- andRules:295rules:296- orRules:297rules:298- header:299name: :authority300stringMatch:301exact: rule[1]-to[0]-host[1]302ignoreCase: true303- header:304name: :authority305stringMatch:306exact: rule[1]-to[0]-host[2]307ignoreCase: true308- orRules:309rules:310- header:311name: :method312stringMatch:313exact: rule[1]-to[0]-method[1]314- header:315name: :method316stringMatch:317exact: rule[1]-to[0]-method[2]318- orRules:319rules:320- urlPath:321path:322exact: rule[1]-to[0]-path[1]323- urlPath:324path:325exact: rule[1]-to[0]-path[2]326- orRules:327rules:328- destinationPort: 9101329- destinationPort: 9102330- andRules:331rules:332- orRules:333rules:334- header:335name: :authority336stringMatch:337exact: rule[1]-to[1]-host[1]338ignoreCase: true339- header:340name: :authority341stringMatch:342exact: rule[1]-to[1]-host[2]343ignoreCase: true344- orRules:345rules:346- header:347name: :method348stringMatch:349exact: rule[1]-to[1]-method[1]350- 
header:351name: :method352stringMatch:353exact: rule[1]-to[1]-method[2]354- orRules:355rules:356- urlPath:357path:358exact: rule[1]-to[1]-path[1]359- urlPath:360path:361exact: rule[1]-to[1]-path[2]362- orRules:363rules:364- destinationPort: 9111365- destinationPort: 9112366principals:367- andIds:368ids:369- orIds:370ids:371- authenticated:372principalName:373exact: spiffe://rule[1]-from[0]-principal[1]374- authenticated:375principalName:376exact: spiffe://rule[1]-from[0]-principal[2]377- orIds:378ids:379- andIds:380ids:381- metadata:382filter: envoy.filters.http.jwt_authn383path:384- key: payload385- key: iss386value:387stringMatch:388exact: rule[1]-from[0]-requestPrincipal[1]389- metadata:390filter: envoy.filters.http.jwt_authn391path:392- key: payload393- key: sub394value:395stringMatch:396exact: ""397- andIds:398ids:399- metadata:400filter: envoy.filters.http.jwt_authn401path:402- key: payload403- key: iss404value:405stringMatch:406exact: rule[1]-from[0]-requestPrincipal[2]407- metadata:408filter: envoy.filters.http.jwt_authn409path:410- key: payload411- key: sub412value:413stringMatch:414exact: ""415- orIds:416ids:417- authenticated:418principalName:419safeRegex:420regex: .*/ns/rule[1]-from[0]-ns[1]/.*421- authenticated:422principalName:423safeRegex:424regex: .*/ns/rule[1]-from[0]-ns[2]/.*425- orIds:426ids:427- remoteIp:428addressPrefix: 172.22.2.0429prefixLen: 23430- remoteIp:431addressPrefix: 172.21.234.254432prefixLen: 32433- orIds:434ids:435- directRemoteIp:436addressPrefix: 10.1.0.1437prefixLen: 32438- directRemoteIp:439addressPrefix: 10.1.0.2440prefixLen: 32441- andIds:442ids:443- orIds:444ids:445- authenticated:446principalName:447exact: spiffe://rule[1]-from[1]-principal[1]448- authenticated:449principalName:450exact: spiffe://rule[1]-from[1]-principal[2]451- orIds:452ids:453- andIds:454ids:455- metadata:456filter: envoy.filters.http.jwt_authn457path:458- key: payload459- key: iss460value:461stringMatch:462exact: rule[1]-from[1]-requestPrincipal[1]463- 
metadata:464filter: envoy.filters.http.jwt_authn465path:466- key: payload467- key: sub468value:469stringMatch:470exact: ""471- andIds:472ids:473- metadata:474filter: envoy.filters.http.jwt_authn475path:476- key: payload477- key: iss478value:479stringMatch:480exact: rule[1]-from[1]-requestPrincipal[2]481- metadata:482filter: envoy.filters.http.jwt_authn483path:484- key: payload485- key: sub486value:487stringMatch:488exact: ""489- orIds:490ids:491- authenticated:492principalName:493safeRegex:494regex: .*/ns/rule[1]-from[1]-ns[1]/.*495- authenticated:496principalName:497safeRegex:498regex: .*/ns/rule[1]-from[1]-ns[2]/.*499- orIds:500ids:501- remoteIp:502addressPrefix: 192.168.4.0503prefixLen: 24504- remoteIp:505addressPrefix: 192.168.7.8506prefixLen: 32507- orIds:508ids:509- directRemoteIp:510addressPrefix: 10.1.1.1511prefixLen: 32512- directRemoteIp:513addressPrefix: 192.1.1.2514prefixLen: 32515shadowRulesStatPrefix: istio_dry_run_allow_