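# Envoy network-level (TCP) RBAC filter as emitted by Istio for an
# AuthorizationPolicy named "httpbin-deny" in namespace "foo" (the policy keys
# below carry that name).  Values such as `spiffe://principal`, `exact.com` and
# `envoy.filters.a.b` read as placeholders, so this is presumably a generated
# test fixture exercising every matcher type rather than a production config.
#
# Envoy RBAC semantics needed to read it:
#   * action: DENY  -> a connection matching ANY policy below is rejected;
#     connections matching no policy are handed to the next filter.
#   * A policy matches when at least one `permissions` entry AND at least one
#     `principals` entry match.  `andRules`/`andIds` require every nested
#     matcher to hold, `orRules`/`orIds` require one, `notRule`/`notId` negate.
#   * `any: true` matches unconditionally.
name: envoy.filters.network.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
  rules:
    action: DENY
    policies:
      # rule[0], rule[1], rule[2] and rule[8] are identical: any permission,
      # any principal.  Under DENY a single such policy already rejects every
      # connection reaching this filter, so the narrower policies below never
      # change the outcome; the repeats are redundant but harmless.
      ns[foo]-policy[httpbin-deny]-rule[0]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - any: true
      ns[foo]-policy[httpbin-deny]-rule[1]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - any: true
      ns[foo]-policy[httpbin-deny]-rule[2]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - any: true
      # Deny any connection whose peer identity comes from namespace ns-1.
      # `authenticated.principalName` is matched against the peer certificate
      # (URI SAN first), so this only fires on mTLS connections.  The leading
      # `.*` accepts any trust domain; only the positional `/ns/ns-1/` segment
      # is actually pinned.
      ns[foo]-policy[httpbin-deny]-rule[3]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/ns-1/.*
      # Deny all traffic to destination port 80, regardless of peer.
      ns[foo]-policy[httpbin-deny]-rule[4]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - destinationPort: 80
        principals:
          - andIds:
              ids:
                - any: true
      # Deny all traffic to destination port 8080, regardless of peer.
      ns[foo]-policy[httpbin-deny]-rule[5]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - destinationPort: 8080
        principals:
          - andIds:
              ids:
                - any: true
      # Deny port 8080 for peers from namespace ns-2.
      ns[foo]-policy[httpbin-deny]-rule[6]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - destinationPort: 8080
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/ns-2/.*
      # Deny port 80 for peers from namespace ns-1.
      ns[foo]-policy[httpbin-deny]-rule[7]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - destinationPort: 80
        principals:
          - andIds:
              ids:
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/ns-1/.*
      ns[foo]-policy[httpbin-deny]-rule[8]:
        permissions:
          - andRules:
              rules:
                - any: true
        principals:
          - andIds:
              ids:
                - any: true
      # Deny all traffic to destination port 80 (duplicate of rule[4]).
      ns[foo]-policy[httpbin-deny]-rule[9]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - destinationPort: 80
        principals:
          - andIds:
              ids:
                - any: true
      # rule[10] exercises every permission and principal matcher at once.
      # NOTE(review): every entry of the single `andRules` list below must hold
      # simultaneously, and as listed it requires destinationPort to be both 80
      # and 91, which no connection satisfies.  Likewise the `regex: .+`
      # (any non-empty authenticated identity) appears in both a positive
      # `orIds` and a negated `notId` set under one `andIds`, so the principal
      # side can never match either.  Harmless in a fixture, but a hand-written
      # policy of this shape would silently deny nothing.
      ns[foo]-policy[httpbin-deny]-rule[10]:
        permissions:
          - andRules:
              rules:
                - orRules:
                    rules:
                      - destinationPort: 80
                - notRule:
                    orRules:
                      rules:
                        - destinationPort: 8000
                - orRules:
                    rules:
                      - destinationIp:
                          addressPrefix: 10.10.10.10
                          prefixLen: 32
                - notRule:
                    orRules:
                      rules:
                        - destinationIp:
                            addressPrefix: 90.10.10.10
                            prefixLen: 32
                - orRules:
                    rules:
                      - destinationPort: 91
                - notRule:
                    orRules:
                      rules:
                        - destinationPort: 9001
                # SNI (`requestedServerName`) is sent in the clear by the
                # client and is not authenticated: it is a routing hint, not an
                # identity.  A deny rule keyed on it is only as strong as the
                # client's willingness to send the expected value.
                - orRules:
                    rules:
                      - requestedServerName:
                          exact: exact.com
                - notRule:
                    orRules:
                      rules:
                        - requestedServerName:
                            exact: not-exact.com
                # Dynamic-metadata match: only meaningful if a filter named
                # `envoy.filters.a.b` runs earlier in the chain and sets key `c`.
                - orRules:
                    rules:
                      - metadata:
                          filter: envoy.filters.a.b
                          path:
                            - key: c
                          value:
                            stringMatch:
                              exact: exact
                - notRule:
                    orRules:
                      rules:
                        - metadata:
                            filter: envoy.filters.a.b
                            path:
                              - key: c
                            value:
                              stringMatch:
                                exact: not-exact
        principals:
          - andIds:
              ids:
                # Peer identity allow-set: exact, suffix, prefix, and `.+`
                # (any authenticated identity).
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            exact: spiffe://principal
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: spiffe://.*principal-suffix
                      - authenticated:
                          principalName:
                            prefix: spiffe://principal-prefix
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .+
                # Peer identity exclusion set; its `.+` entry contradicts the
                # `.+` above (see the note on rule[10]).
                - notId:
                    orIds:
                      ids:
                        - authenticated:
                            principalName:
                              exact: spiffe://not-principal
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: spiffe://.*not-principal-suffix
                        - authenticated:
                            principalName:
                              prefix: spiffe://not-principal-prefix
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .+
                # Namespace allow-set derived from the SPIFFE path; the final
                # `.*/ns/.*/.*` matches any identity that has a namespace
                # segment at all.
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/ns/.*
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/.*ns-suffix/.*
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/ns-prefix.*/.*
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/.*/.*
                - notId:
                    orIds:
                      ids:
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .*/ns/not-ns/.*
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .*/ns/.*not-ns-suffix/.*
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .*/ns/not-ns-prefix.*/.*
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .*/ns/.*/.*
                # `remoteIp` is the downstream address as inferred by Envoy and
                # may differ from the physical peer (e.g. PROXY protocol when
                # that listener filter is enabled); `directRemoteIp` is always
                # the immediate TCP peer.  For deny decisions prefer
                # `directRemoteIp` unless the hop supplying the inferred
                # address is trusted.
                - orIds:
                    ids:
                      - remoteIp:
                          addressPrefix: 172.18.4.0
                          prefixLen: 22
                - notId:
                    orIds:
                      ids:
                        - remoteIp:
                            addressPrefix: 192.168.244.139
                            prefixLen: 32
                - orIds:
                    ids:
                      - directRemoteIp:
                          addressPrefix: 1.2.3.4
                          prefixLen: 32
                - notId:
                    orIds:
                      ids:
                        - directRemoteIp:
                            addressPrefix: 9.0.0.1
                            prefixLen: 32
                - orIds:
                    ids:
                      - directRemoteIp:
                          addressPrefix: 10.10.10.10
                          prefixLen: 32
                - notId:
                    orIds:
                      ids:
                        - directRemoteIp:
                            addressPrefix: 90.10.10.10
                            prefixLen: 32
                - orIds:
                    ids:
                      - remoteIp:
                          addressPrefix: 192.168.3.3
                          prefixLen: 32
                - notId:
                    orIds:
                      ids:
                        - remoteIp:
                            addressPrefix: 172.19.31.3
                            prefixLen: 32
                # Second copy of the namespace allow/exclusion sets.
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/ns/.*
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/.*ns-suffix/.*
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/ns-prefix.*/.*
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .*/ns/.*/.*
                - notId:
                    orIds:
                      ids:
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .*/ns/not-ns/.*
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .*/ns/.*not-ns-suffix/.*
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .*/ns/not-ns-prefix.*/.*
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .*/ns/.*/.*
                # Second copy of the peer identity allow/exclusion sets.
                - orIds:
                    ids:
                      - authenticated:
                          principalName:
                            exact: spiffe://principal
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: spiffe://.*principal-suffix
                      - authenticated:
                          principalName:
                            prefix: spiffe://principal-prefix
                      - authenticated:
                          principalName:
                            safeRegex:
                              regex: .+
                - notId:
                    orIds:
                      ids:
                        - authenticated:
                            principalName:
                              exact: spiffe://not-principal
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: spiffe://.*not-principal-suffix
                        - authenticated:
                            principalName:
                              prefix: spiffe://not-principal-prefix
                        - authenticated:
                            principalName:
                              safeRegex:
                                regex: .+
  # Stat prefix for `shadowRules` (dry-run policies).  No `shadowRules` key
  # appears in this listing, so the prefix is inert here unless shadow rules
  # are added elsewhere.  NOTE(review): the name says `allow` while
  # `rules.action` is DENY -- confirm this is the intended dry-run label.
  shadowRulesStatPrefix: istio_dry_run_allow_
  # Stat prefix for the enforced rules; `tcp.` marks this as the network
  # (TCP) variant, consistent with the filter name above.
  statPrefix: tcp.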
367statPrefix: tcp.
368