istio
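---
# Istio AuthorizationPolicy fixture: one CUSTOM-action policy whose rules mix
# HTTP-only and TCP-compatible match fields across `from`, `to` and `when`.
# The rule[N] comments label which kind of field each section uses.
#
# NOTE(review): how the HTTP-only sections are treated when this policy is
# compiled for a plain-TCP listener is not visible in this file. Confirm
# against the expected output that such rules are neither silently dropped
# nor silently widened to match on the remaining TCP fields only.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # NOTE(review): the name says "deny" but spec.action below is CUSTOM. The
  # name is left unchanged because other files may refer to it.
  name: httpbin-deny
  namespace: foo
spec:
  # No `selector` is present, so nothing here narrows the policy to specific
  # workloads inside namespace `foo`.
  # CUSTOM hands the allow/deny decision to the external authorizer named in
  # `provider`.
  action: CUSTOM
  provider:
    # Expected to match an `extensionProviders` entry in the mesh config;
    # verify that entry exists in the target mesh before relying on the policy.
    name: default
  # Rules are alternatives: a request is sent to the provider if any one rule
  # matches. Within a rule, `from`, `to` and `when` must all match.
  rules:
    # rule[0] `from`: nil, `to`: HTTP field.
    - to:
        - operation:
            methods: ["GET"]
    # rule[1] `from`: TCP field, `to`: HTTP field.
    - from:
        - source:
            ipBlocks: ["1.2.3.4"]
      to:
        - operation:
            methods: ["GET"]
    # rule[2] `from`: TCP field, `to`: TCP field.
    - from:
        - source:
            ipBlocks: ["1.2.3.4"]
      to:
        - operation:
            ports: ["80"]
    # rule[3] `from`: nil, `to`: nil, `when`: HTTP field.
    - when:
        - key: "request.headers[:method]"
          values: ["GET"]
    # rule[4] `from`: nil, `to`: nil, `when`: TCP field.
    - when:
        - key: "destination.port"
          values: ["80"]
    # rule[5] `from`: all fields, `to`: all fields, `when`: all fields.
    - from:
        - source:
            # `ipBlocks` / `notIpBlocks` match the peer address of the
            # connection; `remoteIpBlocks` / `notRemoteIpBlocks` match the
            # original client address, which comes from forwarding metadata
            # and is only as trustworthy as the ingress hop that sets it.
            ipBlocks: ["1.2.3.4"]
            remoteIpBlocks: ["172.18.4.0/22"]
            notIpBlocks: ["9.0.0.1"]
            notRemoteIpBlocks: ["192.168.244.139"]
      to:
        - operation:
            # Positive and negated matchers are combined, so this operation
            # matches only when every listed field matches and none of the
            # `not*` fields do.
            methods: ["method"]
            hosts: ["exact.com"]
            ports: ["80"]
            paths: ["/exact"]
            notMethods: ["not-method"]
            notHosts: ["not-exact.com"]
            notPorts: ["8000"]
            notPaths: ["/not-exact"]
      when:
        - key: "request.headers[X-header]"
          values: ["header"]
          notValues: ["not-header"]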