istio
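# Envoy network-level (L4) RBAC filter configuration.
# The policy key and stat prefix follow Istio naming, so this is presumably
# generated output for an audit policy named "httpbin-audit" in namespace "foo"
# (confirm against the generating source).
#
# NOTE(review): the extracted listing had page gutter numbers fused into the
# values (e.g. "destinationPort: 80" followed by gutter "14") and had lost all
# indentation. Gutter numbers are removed here and the nesting is rebuilt from
# the envoy.extensions.filters.network.rbac.v3.RBAC schema. Each notRule/notId
# is placed as a sibling of the preceding orRules/orIds inside the AND list;
# the schema would also accept it nested inside the OR list, so verify the
# nesting against the original file before relying on it.
name: envoy.filters.network.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
  rules:
    # LOG is audit-only: a match marks the connection for access logging and
    # every connection is still allowed. This filter enforces nothing, so
    # enforcement has to come from a separate ALLOW/DENY RBAC filter.
    action: LOG
    policies:
      # A policy matches when at least one permission AND at least one
      # principal match. Here each list has a single entry that ANDs all of
      # its sub-matchers, so every positive matcher must hit and every
      # notRule/notId matcher must miss.
      ns[foo]-policy[httpbin-audit]-rule[0]:
        permissions:
        - andRules:
            rules:
            # Destination port is 80 and is not 8000.
            - orRules:
                rules:
                - destinationPort: 80
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 8000
            # Destination address is the single host 10.10.10.10 (/32) and is
            # not 90.10.10.10.
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
            - notRule:
                orRules:
                  rules:
                  - destinationIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
            # Second port constraint, ANDed with the first one above; a
            # connection has one destination port, so 80 AND 91 cannot both
            # hold. Presumably deliberate for an exhaustive fixture — confirm.
            - orRules:
                rules:
                - destinationPort: 91
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 9001
            # SNI is chosen by the client and is not authenticated, so treat
            # it as a routing/logging hint rather than an identity. Envoy only
            # sees it when the listener inspects TLS (TLS inspector listener
            # filter); otherwise the server name is treated as absent.
            - orRules:
                rules:
                - requestedServerName:
                    exact: exact.com
            - notRule:
                orRules:
                  rules:
                  - requestedServerName:
                      exact: not-exact.com
            # Dynamic-metadata match: namespace envoy.filters.a.b, key "c".
            # The value is only as trustworthy as the filter that writes it,
            # and that filter has to run before this one to have any effect.
            - orRules:
                rules:
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        exact: exact
            - notRule:
                orRules:
                  rules:
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          exact: not-exact
        principals:
        - andIds:
            ids:
            # "authenticated" matches the name taken from the peer's TLS
            # certificate (URI SAN first), so it can only match when the
            # downstream presented a client certificate (mTLS).
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
            # Namespace match on the SPIFFE path. The leading ".*" accepts any
            # trust domain; restricting the trust domain relies on certificate
            # validation in the TLS context, which is not part of this listing.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
            # remoteIp is the downstream "origin" address and may be inferred
            # (e.g. from proxy protocol) rather than being the physical peer.
            # Only rely on it when the hop supplying that address is trusted.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 10.250.90.4
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 10.133.154.65
                      prefixLen: 32
            # directRemoteIp is always the physical peer of the connection.
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 192.168.7.7
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 192.168.10.9
                      prefixLen: 32
            # The four entries below repeat the namespace-regex and exact
            # principal matchers from the top of this list; presumably they
            # come from a different field of the source policy. Inside an AND
            # list the repetition does not change the result.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
  # Stat prefix for shadow (dry-run) rules. No shadowRules block appears in
  # this listing, so nothing here is evaluated in shadow mode.
  shadowRulesStatPrefix: istio_dry_run_allow_
  statPrefix: tcp.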