istio
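# Envoy HTTP RBAC filter configuration holding nine policies for namespace
# `foo`. Each policy key appears to encode namespace, policy name and rule
# index: ns[<namespace>]-policy[<policy>]-rule[<index>].
#
# Evaluation, per the Envoy RBAC model: a policy matches when at least one
# entry under `permissions` AND at least one entry under `principals` match.
# The policies are alternatives, so the filter's action applies as soon as
# any single policy matches.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    # No `action` key is present here; Envoy's RBAC action defaults to ALLOW,
    # which would make every policy below a grant. NOTE(review): confirm
    # against the AuthorizationPolicy resources this was generated from.
    policies:
      # httpbin-1: HTTP method is GET or POST, from any caller.
      # `principals: any: true` places no identity requirement on the
      # source, so unauthenticated peers also satisfy it.
      ns[foo]-policy[httpbin-1]-rule[0]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - header:
                          name: ':method'
                          stringMatch:
                            exact: GET
                      - header:
                          name: ':method'
                          stringMatch:
                            exact: POST
        principals:
          - andIds:
              ids:
                - any: true
      # httpbin-2: URL path is exactly /v1 or /v2, from any caller.
      # The comparison is an exact string match, so the result depends on
      # how the proxy normalizes the request path before this filter runs
      # (e.g. `/v1/` is a different string from `/v1`).
      ns[foo]-policy[httpbin-2]-rule[0]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - urlPath:
                          path:
                            exact: /v1
                      - urlPath:
                          path:
                            exact: /v2
        principals:
          - andIds:
              ids:
                - any: true
      # httpbin-3: :authority (Host) equals google.com or httpbin.org,
      # case-insensitively, from any caller. The header value is taken from
      # the request, so it is only as trustworthy as the hop that set it.
      ns[foo]-policy[httpbin-3]-rule[0]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - header:
                          name: ':authority'
                          stringMatch:
                            exact: google.com
                            ignoreCase: true
                      - header:
                          name: ':authority'
                          stringMatch:
                            exact: httpbin.org
                            ignoreCase: true
        principals:
          - andIds:
              ids:
                - any: true
      # httpbin-4: destination port is 80 or 90, from any caller.
      ns[foo]-policy[httpbin-4]-rule[0]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - destinationPort: 80
                      - destinationPort: 90
        principals:
          - andIds:
              ids:
                - any: true
      # httpbin-5: any request (`permissions: any: true`) whose
      # authenticated peer principal is exactly one of the two SPIFFE URIs.
      # `authenticated` is evaluated against the peer's TLS identity, so it
      # cannot match on a connection without a verified client certificate.
      ns[foo]-policy[httpbin-5]-rule[0]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            exact: spiffe://principals1
                      - authenticated:
                          principalName:
                            exact: spiffe://principals2
      # httpbin-6: any request whose `request.auth.principal` entry in the
      # `istio_authn` filter metadata equals one of the two values.
      # NOTE(review): presumably this metadata is written by request
      # (JWT) authentication earlier in the filter chain; verify that a
      # filter populating it is actually configured on this listener.
      ns[foo]-policy[httpbin-6]-rule[0]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - metadata:
                          filter: istio_authn
                          path:
                            - key: request.auth.principal
                          value:
                            stringMatch:
                              exact: requestPrincipals1
                      - metadata:
                          filter: istio_authn
                          path:
                            - key: request.auth.principal
                          value:
                            stringMatch:
                              exact: requestPrincipals2
      # httpbin-7: any request whose authenticated peer principal contains
      # `/ns/namespaces1/` or `/ns/namespaces2/`. The leading `.*` leaves
      # the part before `/ns/` unconstrained, so the match does not pin a
      # trust domain; that restriction has to come from which client
      # certificates the TLS layer accepts.
      ns[foo]-policy[httpbin-7]-rule[0]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: '.*/ns/namespaces1/.*'
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: '.*/ns/namespaces2/.*'
      # httpbin-8: any request whose direct peer address is 1.2.3.4/32 or
      # within 5.6.7.0/24. `directRemoteIp` is the address of the immediate
      # downstream connection; behind a load balancer or another proxy that
      # is the intermediary's address, not the original client's.
      ns[foo]-policy[httpbin-8]-rule[0]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - directRemoteIp:
                          addressPrefix: 1.2.3.4
                          prefixLen: 32
                      - directRemoteIp:
                          addressPrefix: 5.6.7.0
                          prefixLen: 24
      # httpbin-9: any request carrying header X-abc with value abc1 or
      # abc2. Here a request header stands in for the caller's identity;
      # the header is supplied with the request, so this is an identity
      # check only if a trusted hop in front of the workload sets or strips
      # X-abc.
      ns[foo]-policy[httpbin-9]-rule[0]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - header:
                          name: X-abc
                          stringMatch:
                            exact: abc1
                      - header:
                          name: X-abc
                          stringMatch:
                            exact: abc2
  # Prefix for the statistics emitted for shadow (dry-run) rules. No
  # `shadowRules` block appears in this configuration.
  shadowRulesStatPrefix: istio_dry_run_allow_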