istio
# Envoy HTTP RBAC filter configuration holding two policies,
# ns[foo]-policy[httpbin]-rule[0] and ns[foo]-policy[httpbin]-rule[1].
# Values such as rule[0]-to[0]-host[1] look like generated fixture markers
# rather than real hosts or identities -- presumably expected test output;
# confirm against the generating policy.
#
# How to read a policy: the entries of `permissions` are alternatives, and so
# are the entries of `principals`; a request matches the policy when at least
# one permission and at least one principal match. Inside an entry, andRules /
# andIds require every child to match, orRules / orIds require any one child.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  # No `action` key appears under `rules`. NOTE(review): the RBAC proto's zero
  # value is ALLOW, so this is presumably an allow-list -- confirm.
  rules:
    policies:
      ns[foo]-policy[httpbin]-rule[0]:
        permissions:
        - andRules:
            rules:
            # Host match on the :authority pseudo-header, case-insensitive.
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[0]-to[0]-host[1]
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[0]-to[0]-host[2]
                      ignoreCase: true
            # Method match is exact and, unlike the host match, case-sensitive.
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[0]-method[1]
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[0]-method[2]
            # Exact path match. NOTE(review): an exact match is only as strict
            # as the path normalization applied before this filter -- confirm
            # normalization is configured on the proxy.
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: rule[0]-to[0]-path[1]
                - urlPath:
                    path:
                      exact: rule[0]-to[0]-path[2]
            - orRules:
                rules:
                - destinationPort: 9001
                - destinationPort: 9002
            # Destination address: one single host (/32) or one /24 network.
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - destinationIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[0]-to[1]-host[1]
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[0]-to[1]-host[2]
                      ignoreCase: true
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[1]-method[1]
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[1]-method[2]
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: rule[0]-to[1]-path[1]
                - urlPath:
                    path:
                      exact: rule[0]-to[1]-path[2]
            - orRules:
                rules:
                - destinationPort: 9011
                - destinationPort: 9012
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - destinationIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
        principals:
        - andIds:
            ids:
            # Peer identity: exact match on the authenticated principal name.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[0]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[0]-principal[2]
            # Request identity read from the istio_authn filter metadata key
            # request.auth.principal. NOTE(review): this match can only succeed
            # if an earlier filter populated that metadata -- confirm the
            # filter order.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[0]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[0]-requestPrincipal[2]
            # Namespace match by regex over the authenticated principal name.
            # The pattern is interpolated as-is: `[0]` and `[1]` are regex
            # character classes, so this matches "rule0-from0-ns1", not the
            # bracketed text. The leading and trailing `.*` accept the /ns/
            # segment anywhere in the name.
            # NOTE(review): whether the generator escapes regex metacharacters
            # in namespace values is not visible here -- confirm.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[0]-from[0]-ns[1]/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[0]-from[0]-ns[2]/.*
            # remoteIp is the downstream client address as the proxy resolved
            # it, which can come from X-Forwarded-For or PROXY protocol
            # depending on listener settings. It is only as trustworthy as the
            # trusted-hop configuration in front of this proxy.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 172.16.10.10
                    prefixLen: 32
            # directRemoteIp is the address of the immediate connection peer.
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.0.0.1
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 10.0.0.2
                    prefixLen: 32
            # Four alternatives on the same client-supplied header. Because
            # they are OR-ed, the final presentMatch makes the group pass for
            # any request that carries X-header at all; the exact / prefix /
            # suffix entries add no further restriction.
            - orIds:
                ids:
                - header:
                    name: X-header
                    stringMatch:
                      exact: header
                - header:
                    name: X-header
                    stringMatch:
                      prefix: header-prefix-
                - header:
                    name: X-header
                    stringMatch:
                      suffix: -suffix-header
                - header:
                    name: X-header
                    presentMatch: true
            # A second remoteIp group, AND-ed with the one above: the client
            # address has to satisfy both groups for this andIds entry to match.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 10.99.10.8
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 10.80.64.0
                    prefixLen: 18
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[1]-principal[2]
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[1]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[1]-requestPrincipal[2]
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[0]-from[1]-ns[1]/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[0]-from[1]-ns[2]/.*
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 172.17.8.0
                    prefixLen: 24
                - remoteIp:
                    addressPrefix: 172.17.9.4
                    prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.0.1.1
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 192.0.1.2
                    prefixLen: 32
            - orIds:
                ids:
                - header:
                    name: X-header
                    stringMatch:
                      exact: header
                - header:
                    name: X-header
                    stringMatch:
                      prefix: header-prefix-
                - header:
                    name: X-header
                    stringMatch:
                      suffix: -suffix-header
                - header:
                    name: X-header
                    presentMatch: true
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 10.99.10.8
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 10.80.64.0
                    prefixLen: 18
      # Second policy. It has the same shape as rule[0], but its permissions
      # carry no destinationIp group and its principals carry no X-header
      # group and no second remoteIp group.
      ns[foo]-policy[httpbin]-rule[1]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[1]-to[0]-host[1]
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[1]-to[0]-host[2]
                      ignoreCase: true
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[0]-method[1]
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[0]-method[2]
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: rule[1]-to[0]-path[1]
                - urlPath:
                    path:
                      exact: rule[1]-to[0]-path[2]
            - orRules:
                rules:
                - destinationPort: 9101
                - destinationPort: 9102
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[1]-to[1]-host[1]
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[1]-to[1]-host[2]
                      ignoreCase: true
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[1]-method[1]
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[1]-method[2]
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: rule[1]-to[1]-path[1]
                - urlPath:
                    path:
                      exact: rule[1]-to[1]-path[2]
            - orRules:
                rules:
                - destinationPort: 9111
                - destinationPort: 9112
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[1]-from[0]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[1]-from[0]-principal[2]
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[1]-from[0]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[1]-from[0]-requestPrincipal[2]
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[1]-from[0]-ns[1]/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[1]-from[0]-ns[2]/.*
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 172.22.2.0
                    prefixLen: 23
                - remoteIp:
                    addressPrefix: 172.21.234.254
                    prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.1.0.1
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 10.1.0.2
                    prefixLen: 32
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[1]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[1]-from[1]-principal[2]
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[1]-from[1]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[1]-from[1]-requestPrincipal[2]
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[1]-from[1]-ns[1]/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[1]-from[1]-ns[2]/.*
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 192.168.4.0
                    prefixLen: 24
                - remoteIp:
                    addressPrefix: 192.168.7.8
                    prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.1.1.1
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 192.1.1.2
                    prefixLen: 32
  # Only the stat prefix for shadow (dry-run) rules is set; this config has no
  # shadowRules block, so every policy above sits under the enforced `rules`.
  shadowRulesStatPrefix: istio_dry_run_allow_