deny-both-http-tcp-in.yaml 
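# Test fixture: a DENY AuthorizationPolicy whose rules deliberately mix
# HTTP-only fields (methods, requestPrincipals, request.* attributes) with
# fields that also apply to TCP traffic (ports, namespaces, destination.port,
# ...). Each rule is annotated with the category of its `from`, `to` and
# `when` sections; the consuming test presumably checks how every combination
# is translated for HTTP and TCP listeners — confirm against that test.
# Per the AuthorizationPolicy API a match occurs when at least one rule
# matches, so a rule that is valid on a TCP listener (e.g. rule[7], rule[9])
# denies on its own, independently of the HTTP-only rules around it.
# Indentation is normalised to 2 spaces with flush block sequences; the data
# is unchanged.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-deny
  namespace: foo
spec:
  action: DENY
  rules:
  # rule[0] `from`: HTTP field, `to`: HTTP field.
  - from:
    - source:
        requestPrincipals: ["id-1"]
    to:
    - operation:
        methods: ["GET"]
  # rule[1] `from`: nil, `to`: HTTP field.
  - to:
    - operation:
        methods: ["GET"]
  # rule[2] `from`: HTTP field, `to`: nil.
  - from:
    - source:
        requestPrincipals: ["id-1"]
  # rule[3] `from`: TCP field, `to`: HTTP field.
  - from:
    - source:
        namespaces: ["ns-1"]
    to:
    - operation:
        methods: ["GET"]
  # rule[4] `from`: HTTP field, `to`: TCP field.
  - from:
    - source:
        requestPrincipals: ["id-1"]
    to:
    - operation:
        ports: ["80"]
  # rule[5] `from`: HTTP field, `to`: HTTP + TCP field.
  - from:
    - source:
        requestPrincipals: ["id-1"]
    to:
    - operation:
        ports: ["8080"]
        methods: ["GET"]
  # rule[6] `from`: HTTP + TCP field, `to`: HTTP + TCP field.
  # (fields inside one `source` entry all have to match)
  - from:
    - source:
        namespaces: ["ns-2"]
        requestPrincipals: ["id-1"]
    to:
    - operation:
        ports: ["8080"]
        methods: ["GET"]
  # rule[7] `from`: TCP field, `to`: TCP field.
  - from:
    - source:
        namespaces: ["ns-1"]
    to:
    - operation:
        ports: ["80"]
  # rule[8] `from`: nil, `to`: nil, `when`: HTTP field.
  - when:
    - key: "request.headers[:method]"
      values: ["GET"]
  # rule[9] `from`: nil, `to`: nil, `when`: TCP field.
  - when:
    - key: "destination.port"
      values: ["80"]
  # rule[10] `from`: all fields, `to`: all fields, `when`: all fields.
  # Exercises every supported attribute together with its negated form and
  # the exact / prefix / suffix / wildcard match shapes.
  - from:
    - source:
        principals: ["principal", "*principal-suffix", "principal-prefix*", "*"]
        requestPrincipals: ["requestPrincipals"]
        namespaces: ["ns", "*ns-suffix", "ns-prefix*", "*"]
        ipBlocks: ["1.2.3.4"]
        remoteIpBlocks: ["172.18.4.0/22"]
        notPrincipals: ["not-principal", "*not-principal-suffix", "not-principal-prefix*", "*"]
        notRequestPrincipals: ["not-requestPrincipals"]
        notNamespaces: ["not-ns", "*not-ns-suffix", "not-ns-prefix*", "*"]
        notIpBlocks: ["9.0.0.1"]
        notRemoteIpBlocks: ["192.168.244.139"]
    to:
    - operation:
        methods: ["method"]
        hosts: ["exact.com"]
        ports: ["80"]
        paths: ["/exact"]
        notMethods: ["not-method"]
        notHosts: ["not-exact.com"]
        notPorts: ["8000"]
        notPaths: ["/not-exact"]
    when:
    - key: "request.headers[X-header]"
      values: ["header"]
      notValues: ["not-header"]
    - key: "source.ip"
      values: ["10.10.10.10"]
      notValues: ["90.10.10.10"]
    - key: "remote.ip"
      values: ["192.168.3.3"]
      notValues: ["172.19.31.3"]
    - key: "source.namespace"
      values: ["ns", "*ns-suffix", "ns-prefix*", "*"]
      notValues: ["not-ns", "*not-ns-suffix", "not-ns-prefix*", "*"]
    - key: "source.principal"
      values: ["principal", "*principal-suffix", "principal-prefix*", "*"]
      notValues: ["not-principal", "*not-principal-suffix", "not-principal-prefix*", "*"]
    - key: "request.auth.principal"
      values: ["requestPrincipals"]
      notValues: ["not-requestPrincipals"]
    - key: "request.auth.audiences"
      values: ["audiences"]
      notValues: ["not-audiences"]
    - key: "request.auth.presenter"
      values: ["presenter"]
      notValues: ["not-presenter"]
    - key: "request.auth.claims[iss]"
      values: ["iss"]
      notValues: ["not-iss"]
    - key: "destination.ip"
      values: ["10.10.10.10"]
      notValues: ["90.10.10.10"]
    - key: "destination.port"
      values: ["91"]
      notValues: ["9001"]
    - key: "connection.sni"
      values: ["exact.com"]
      notValues: ["not-exact.com"]
    - key: "experimental.envoy.filters.a.b[c]"
      values: ["exact"]
      notValues: ["not-exact"]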
