istio
1name: envoy.filters.network.rbac2typedConfig:3'@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC4rules:5action: DENY6policies:7ns[foo]-policy[httpbin-deny]-rule[0]:8permissions:9- andRules:10rules:11- any: true12principals:13- andIds:14ids:15- any: true16ns[foo]-policy[httpbin-deny]-rule[1]:17permissions:18- andRules:19rules:20- any: true21principals:22- andIds:23ids:24- any: true25ns[foo]-policy[httpbin-deny]-rule[2]:26permissions:27- andRules:28rules:29- any: true30principals:31- andIds:32ids:33- any: true34ns[foo]-policy[httpbin-deny]-rule[3]:35permissions:36- andRules:37rules:38- any: true39principals:40- andIds:41ids:42- orIds:43ids:44- authenticated:45principalName:46safeRegex:47regex: .*/ns/ns-1/.*48ns[foo]-policy[httpbin-deny]-rule[4]:49permissions:50- andRules:51rules:52- orRules:53rules:54- destinationPort: 8055principals:56- andIds:57ids:58- any: true59ns[foo]-policy[httpbin-deny]-rule[5]:60permissions:61- andRules:62rules:63- orRules:64rules:65- destinationPort: 808066principals:67- andIds:68ids:69- any: true70ns[foo]-policy[httpbin-deny]-rule[6]:71permissions:72- andRules:73rules:74- orRules:75rules:76- destinationPort: 808077principals:78- andIds:79ids:80- orIds:81ids:82- authenticated:83principalName:84safeRegex:85regex: .*/ns/ns-2/.*86ns[foo]-policy[httpbin-deny]-rule[7]:87permissions:88- andRules:89rules:90- orRules:91rules:92- destinationPort: 8093principals:94- andIds:95ids:96- orIds:97ids:98- authenticated:99principalName:100safeRegex:101regex: .*/ns/ns-1/.*102ns[foo]-policy[httpbin-deny]-rule[8]:103permissions:104- andRules:105rules:106- any: true107principals:108- andIds:109ids:110- any: true111ns[foo]-policy[httpbin-deny]-rule[9]:112permissions:113- andRules:114rules:115- orRules:116rules:117- destinationPort: 80118principals:119- andIds:120ids:121- any: true122ns[foo]-policy[httpbin-deny]-rule[10]:123permissions:124- andRules:125rules:126- orRules:127rules:128- destinationPort: 80129- notRule:130orRules:131rules:132- destinationPort: 8000133- orRules:134rules:135- destinationIp:136addressPrefix: 10.10.10.10137prefixLen: 32138- notRule:139orRules:140rules:141- destinationIp:142addressPrefix: 90.10.10.10143prefixLen: 32144- orRules:145rules:146- destinationPort: 91147- notRule:148orRules:149rules:150- destinationPort: 9001151- orRules:152rules:153- requestedServerName:154exact: exact.com155- notRule:156orRules:157rules:158- requestedServerName:159exact: not-exact.com160- orRules:161rules:162- metadata:163filter: envoy.filters.a.b164path:165- key: c166value:167stringMatch:168exact: exact169- notRule:170orRules:171rules:172- metadata:173filter: envoy.filters.a.b174path:175- key: c176value:177stringMatch:178exact: not-exact179principals:180- andIds:181ids:182- orIds:183ids:184- authenticated:185principalName:186exact: spiffe://principal187- authenticated:188principalName:189safeRegex:190regex: spiffe://.*principal-suffix191- authenticated:192principalName:193prefix: spiffe://principal-prefix194- authenticated:195principalName:196safeRegex:197regex: .+198- notId:199orIds:200ids:201- authenticated:202principalName:203exact: spiffe://not-principal204- authenticated:205principalName:206safeRegex:207regex: spiffe://.*not-principal-suffix208- authenticated:209principalName:210prefix: spiffe://not-principal-prefix211- authenticated:212principalName:213safeRegex:214regex: .+215- orIds:216ids:217- authenticated:218principalName:219safeRegex:220regex: .*/ns/ns/.*221- authenticated:222principalName:223safeRegex:224regex: .*/ns/.*ns-suffix/.*225- authenticated:226principalName:227safeRegex:228regex: .*/ns/ns-prefix.*/.*229- authenticated:230principalName:231safeRegex:232regex: .*/ns/.*/.*233- notId:234orIds:235ids:236- authenticated:237principalName:238safeRegex:239regex: .*/ns/not-ns/.*240- authenticated:241principalName:242safeRegex:243regex: .*/ns/.*not-ns-suffix/.*244- authenticated:245principalName:246safeRegex:247regex: .*/ns/not-ns-prefix.*/.*248- authenticated:249principalName:250safeRegex:251regex: .*/ns/.*/.*252- orIds:253ids:254- remoteIp:255addressPrefix: 172.18.4.0256prefixLen: 22257- notId:258orIds:259ids:260- remoteIp:261addressPrefix: 192.168.244.139262prefixLen: 32263- orIds:264ids:265- directRemoteIp:266addressPrefix: 1.2.3.4267prefixLen: 32268- notId:269orIds:270ids:271- directRemoteIp:272addressPrefix: 9.0.0.1273prefixLen: 32274- orIds:275ids:276- directRemoteIp:277addressPrefix: 10.10.10.10278prefixLen: 32279- notId:280orIds:281ids:282- directRemoteIp:283addressPrefix: 90.10.10.10284prefixLen: 32285- orIds:286ids:287- remoteIp:288addressPrefix: 192.168.3.3289prefixLen: 32290- notId:291orIds:292ids:293- remoteIp:294addressPrefix: 172.19.31.3295prefixLen: 32296- orIds:297ids:298- authenticated:299principalName:300safeRegex:301regex: .*/ns/ns/.*302- authenticated:303principalName:304safeRegex:305regex: .*/ns/.*ns-suffix/.*306- authenticated:307principalName:308safeRegex:309regex: .*/ns/ns-prefix.*/.*310- authenticated:311principalName:312safeRegex:313regex: .*/ns/.*/.*314- notId:315orIds:316ids:317- authenticated:318principalName:319safeRegex:320regex: .*/ns/not-ns/.*321- authenticated:322principalName:323safeRegex:324regex: .*/ns/.*not-ns-suffix/.*325- authenticated:326principalName:327safeRegex:328regex: .*/ns/not-ns-prefix.*/.*329- authenticated:330principalName:331safeRegex:332regex: .*/ns/.*/.*333- orIds:334ids:335- authenticated:336principalName:337exact: spiffe://principal338- authenticated:339principalName:340safeRegex:341regex: spiffe://.*principal-suffix342- authenticated:343principalName:344prefix: spiffe://principal-prefix345- authenticated:346principalName:347safeRegex:348regex: .+349- notId:350orIds:351ids:352- authenticated:353principalName:354exact: spiffe://not-principal355- authenticated:356principalName:357safeRegex:358regex: spiffe://.*not-principal-suffix359- authenticated:360principalName:361prefix: spiffe://not-principal-prefix362- authenticated:363principalName:364safeRegex:365regex: .+366shadowRulesStatPrefix: istio_dry_run_allow_367statPrefix: tcp.368