# Envoy HTTP RBAC filter entry holding one policy, ns[foo]-policy[httpbin]-rule[0].
# NOTE(review): the listing lost its indentation; the nesting below is rebuilt
# from the Envoy RBAC v3 message layout. Confirm it against the original file,
# in particular which list each "- orIds" / "- authenticated" item belongs to.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  # No `action` key is present under `rules`, so the filter's default action
  # applies. NOTE(review): presumably ALLOW, as the stat prefix suggests; confirm.
  rules:
    policies:
      ns[foo]-policy[httpbin]-rule[0]:
        # The permission side matches everything (`any: true`), so the decision
        # for this policy rests entirely on the principal matchers below.
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        # andIds: every entry in `ids` must match the same peer identity.
        - andIds:
            ids:
            # Group 1: principal name must contain the path segment
            # /ns/istio-system/ (any text may precede and follow it).
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/istio-system/.*
            # Group 2: any one of the following matchers is enough.
            - orIds:
                ids:
                # `.+` accepts every non-empty principal name. While it is in
                # this OR list, the narrower matchers that follow cannot
                # restrict the result; effective scoping comes from group 1.
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .+
                # Service account all-td in namespace foo, any trust domain.
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*/ns/foo/sa/all-td
                # Trust domain ending in "-td". `.*` is not limited to one path
                # segment because `.` also matches "/".
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*-td/ns/foo/sa/prefix-td
                # Exact identity in the single trust domain some-trustdomain.
                - authenticated:
                    principalName:
                      exact: spiffe://some-trustdomain/ns/foo/sa/prefix-td
  # Stat prefix for shadow (dry-run) rule results; no `shadowRules` block is
  # visible in this listing, only the enforced `rules` above.
  shadowRulesStatPrefix: istio_dry_run_allow_