audit-both-http-tcp-out.yaml 
# Envoy network-level (L4) RBAC filter as emitted from an Istio AuthorizationPolicy
# (test output; the file name suggests an AUDIT-action policy mixing HTTP and TCP
# conditions). Because this is the *network* filter, only connection-level
# attributes are available to the rules: destination port/IP, TLS SNI, dynamic
# metadata, the peer's mTLS identity and the source address.
name: envoy.filters.network.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
  rules:
    # LOG is audit-only: a connection that matches a policy is still allowed and
    # is merely flagged for access logging. Nothing in this filter denies traffic.
    action: LOG
    policies:
      # Istio's policy naming: namespace `foo`, AuthorizationPolicy `httpbin-audit`,
      # rule index 0.
      ns[foo]-policy[httpbin-audit]-rule[0]:
        # A single andRules: every nested rule must match for the connection to be
        # audited. Each positive orRules is paired with a notRule that excludes the
        # "not-" counterpart of the same attribute.
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                # Local (server-side) port of the connection.
                - destinationPort: 80
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 8000
            - orRules:
                rules:
                # Local (server-side) address of the connection; /32 = single host.
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
            - notRule:
                orRules:
                  rules:
                  - destinationIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
            - orRules:
                rules:
                - destinationPort: 91
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 9001
            - orRules:
                rules:
                # requestedServerName is the TLS SNI sent by the client in its
                # ClientHello. It is client-asserted and not authenticated, so on
                # its own it is a routing hint rather than an identity; here it is
                # only one conjunct of the andRules.
                - requestedServerName:
                    exact: exact.com
            - notRule:
                orRules:
                  rules:
                  - requestedServerName:
                      exact: not-exact.com
            - orRules:
                rules:
                # Dynamic metadata written by another filter (`envoy.filters.a.b`,
                # key `c`). The filter and key names look like fixture
                # placeholders rather than real filters — confirm against the
                # test input.
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        exact: exact
            - notRule:
                orRules:
                  rules:
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          exact: not-exact
        # A single andIds: every nested id must match. Identity comes from the
        # peer's mTLS certificate (principalName = SPIFFE URI SAN) and from the
        # connection's source address.
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    # Exact SPIFFE URI SAN of the peer certificate.
                    principalName:
                      exact: spiffe://principal
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      # Envoy regex matching is a full match, hence the leading and
                      # trailing `.*`: any SPIFFE ID whose namespace segment is `ns`.
                      safeRegex:
                        regex: .*/ns/ns/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
            - orIds:
                ids:
                # remoteIp is the *inferred* downstream origin address: it may come
                # from PROXY protocol information rather than the socket peer, and
                # is therefore only as trustworthy as the hop that supplied it.
                # directRemoteIp (below) is the physical TCP peer.
                - remoteIp:
                    addressPrefix: 10.250.90.4
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 10.133.154.65
                      prefixLen: 32
            - orIds:
                ids:
                # directRemoteIp is the address of the actual TCP peer, independent
                # of any forwarded/proxy-protocol information.
                - directRemoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 192.168.7.7
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 192.168.10.9
                      prefixLen: 32
            # The four ids below repeat the namespace-regex and exact-principal
            # conditions already listed above. In a conjunction this is redundant
            # but harmless; it reflects how the generator emits each source field.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
  # Stat prefix for shadow (dry-run) rule results. No shadowRules block is present
  # in this filter, so the prefix is inert here.
  shadowRulesStatPrefix: istio_dry_run_allow_
  # Prefix for the counters this filter emits.
  statPrefix: tcp.