istio
99 строк · 4.0 Кб
1apiVersion: security.istio.io/v1beta12kind: AuthorizationPolicy3metadata:4name: allow5spec:6action: ALLOW7rules:8- from:9- source:10principals: [ "principal", "principal-prefix-*", "*-suffix-principal", "*" ]11notPrincipals: [ "not-principal", "not-principal-prefix-*", "*-suffix-not-principal", "*" ]12- from:13- source:14requestPrincipals: [ "requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*" ]15notRequestPrincipals: [ "not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-suffix-not-requestPrincipals", "*" ]16- from:17- source:18namespaces: [ "ns", "ns-prefix-*", "*-ns-suffix", "*" ]19notNamespaces: [ "not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*" ]20- from:21- source:22ipBlocks: [ "1.2.3.4", "5.6.0.0/16" ]23notIpBlocks: [ "2.2.3.4", "6.6.0.0/16" ]24- from:25- source:26remoteIpBlocks: [ "1.2.3.4", "5.6.0.0/16" ]27notRemoteIpBlocks: [ "2.2.3.4", "6.6.0.0/16" ]28- to:29- operation:30methods: ["method", "method-prefix-*", "*-suffix-method", "*"]31notMethods: ["not-method", "not-method-prefix-*", "*-suffix-not-method", "*"]32- to:33- operation:34hosts: ["exact.com", "*.suffix.com", "prefix.*", "*"]35notHosts: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"]36- to:37- operation:38ports: ["80", "90"]39notPorts: ["800", "900"]40- to:41- operation:42paths: ["/exact", "/prefix/*", "*/suffix", "*"]43notPaths: ["/not-exact", "/not-prefix/*", "*/not-suffix", "*"]44- when:45- key: "request.headers[X-header]"46values: ["header", "header-prefix-*", "*-suffix-header", "*"]47notValues: ["not-header", "not-header-prefix-*", "*-not-suffix-header", "*"]48- when:49- key: "source.ip"50values: ["10.10.10.10", "192.168.10.0/24"]51notValues: ["90.10.10.10", "90.168.10.0/24"]52- when:53- key: "remote.ip"54values: ["10.10.10.10", "192.168.10.0/24"]55notValues: ["90.10.10.10", "90.168.10.0/24"]56- when:57- key: "source.namespace"58values: ["ns", "ns-prefix-*", "*-ns-suffix", "*"]59notValues: ["not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*"]60- when:61- key: "source.principal"62values: ["principal", "principal-prefix-*", "*-suffix-principal", "*"]63notValues: ["not-principal", "not-principal-prefix-*", "*-not-suffix-principal", "*"]64- when:65- key: "request.auth.principal"66values: ["requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*"]67notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]68- when:69- key: "request.auth.audiences"70values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]71notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"]72- when:73- key: "request.auth.presenter"74values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"]75notValues: ["not-presenter", "not-presenter-prefix-*", "*-not-suffix-presenter", "*"]76- when:77- key: "request.auth.claims[iss]"78values: ["iss", "iss-prefix-*", "*-suffix-iss", "*"]79notValues: ["not-iss", "not-iss-prefix-*", "*-not-suffix-iss", "*"]80- when:81- key: "request.auth.claims[nested1][nested2]"82values: ["nested", "nested-prefix-*", "*-suffix-nested", "*"]83notValues: ["not-nested", "not-nested-prefix-*", "*-not-suffix-nested", "*"]84- when:85- key: "destination.ip"86values: ["10.10.10.10", "192.168.10.0/24"]87notValues: ["90.10.10.10", "90.168.10.0/24"]88- when:89- key: "destination.port"90values: ["91", "92"]91notValues: ["9001", "9002"]92- when:93- key: "connection.sni"94values: ["exact.com", "*.suffix.com", "prefix.*", "*"]95notValues: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"]96- when:97- key: "experimental.envoy.filters.a.b[c]"98values: ["exact", "prefix-*", "*-suffix", "*"]99notValues: ["not-exact", "not-prefix-*", "*-not-suffix", "*"]100