---
# Istio AuthorizationPolicy that exercises every supported `from` / `to` /
# `when` matcher, one matcher per rule. Every value is a placeholder
# fixture (note the `*-prefix-*` / `*-suffix-*` shapes), not a real
# identity, host or address, and each positive list is paired with its
# `not…` negation so that both code paths are covered.
#
# Documented evaluation model for this resource: the policy applies when
# ANY rule matches; inside one rule every listed `from`/`to`/`when`
# clause must match; inside one list any single entry is enough.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow
spec:
  action: ALLOW
  rules:
    # --- `from` (peer / request source) matchers ---
    - from:
        - source:
            # Peer identities from the mTLS certificate; `"*"` stands for
            # any identity the proxy could authenticate.
            principals:
              - "principal"
              - "principal-prefix-*"
              - "*-suffix-principal"
              - "*"
            notPrincipals:
              - "not-principal"
              - "not-principal-prefix-*"
              - "*-suffix-not-principal"
              - "*"
    - from:
        - source:
            # Identities taken from the validated request credential (JWT).
            requestPrincipals:
              - "requestPrincipals"
              - "requestPrincipals-prefix-*"
              - "*-suffix-requestPrincipals"
              - "*"
            notRequestPrincipals:
              - "not-requestPrincipals"
              - "not-requestPrincipals-prefix-*"
              - "*-suffix-not-requestPrincipals"
              - "*"
    - from:
        - source:
            namespaces:
              - "ns"
              - "ns-prefix-*"
              - "*-ns-suffix"
              - "*"
            notNamespaces:
              - "not-ns"
              - "not-ns-prefix-*"
              - "*-not-ns-suffix"
              - "*"
    - from:
        - source:
            # Direct client address, single IP or CIDR.
            ipBlocks:
              - "1.2.3.4"
              - "5.6.0.0/16"
            notIpBlocks:
              - "2.2.3.4"
              - "6.6.0.0/16"
    - from:
        - source:
            # Original client address as reported by a trusted proxy chain;
            # only meaningful when the proxy headers are trusted.
            remoteIpBlocks:
              - "1.2.3.4"
              - "5.6.0.0/16"
            notRemoteIpBlocks:
              - "2.2.3.4"
              - "6.6.0.0/16"
    # --- `to` (operation on the destination) matchers ---
    - to:
        - operation:
            methods:
              - "method"
              - "method-prefix-*"
              - "*-suffix-method"
              - "*"
            notMethods:
              - "not-method"
              - "not-method-prefix-*"
              - "*-suffix-not-method"
              - "*"
    - to:
        - operation:
            hosts:
              - "exact.com"
              - "*.suffix.com"
              - "prefix.*"
              - "*"
            notHosts:
              - "not-exact.com"
              - "*.not-suffix.com"
              - "not-prefix.*"
              - "*"
    - to:
        - operation:
            # Port values are strings in this API; keep them quoted.
            ports:
              - "80"
              - "90"
            notPorts:
              - "800"
              - "900"
    - to:
        - operation:
            paths:
              - "/exact"
              - "/prefix/*"
              - "*/suffix"
              - "*"
            notPaths:
              - "/not-exact"
              - "/not-prefix/*"
              - "*/not-suffix"
              - "*"
    # --- `when` (attribute condition) matchers, one per supported key ---
    - when:
        - key: "request.headers[X-header]"
          values:
            - "header"
            - "header-prefix-*"
            - "*-suffix-header"
            - "*"
          notValues:
            - "not-header"
            - "not-header-prefix-*"
            - "*-not-suffix-header"
            - "*"
    - when:
        - key: "source.ip"
          values:
            - "10.10.10.10"
            - "192.168.10.0/24"
          notValues:
            - "90.10.10.10"
            - "90.168.10.0/24"
    - when:
        - key: "remote.ip"
          values:
            - "10.10.10.10"
            - "192.168.10.0/24"
          notValues:
            - "90.10.10.10"
            - "90.168.10.0/24"
    - when:
        - key: "source.namespace"
          values:
            - "ns"
            - "ns-prefix-*"
            - "*-ns-suffix"
            - "*"
          notValues:
            - "not-ns"
            - "not-ns-prefix-*"
            - "*-not-ns-suffix"
            - "*"
    - when:
        - key: "source.principal"
          values:
            - "principal"
            - "principal-prefix-*"
            - "*-suffix-principal"
            - "*"
          notValues:
            - "not-principal"
            - "not-principal-prefix-*"
            - "*-not-suffix-principal"
            - "*"
    - when:
        - key: "request.auth.principal"
          values:
            - "requestPrincipals"
            - "requestPrincipals-prefix-*"
            - "*-suffix-requestPrincipals"
            - "*"
          notValues:
            - "not-requestPrincipals"
            - "not-requestPrincipals-prefix-*"
            - "*-not-suffix-requestPrincipals"
            - "*"
    - when:
        - key: "request.auth.audiences"
          values:
            - "audiences"
            - "audiences-prefix-*"
            - "*-suffix-audiences"
            - "*"
          notValues:
            - "not-audiences"
            - "not-audiences-prefix-*"
            - "*-not-suffix-audiences"
            - "*"
    - when:
        - key: "request.auth.presenter"
          values:
            - "presenter"
            - "presenter-prefix-*"
            - "*-suffix-presenter"
            - "*"
          notValues:
            - "not-presenter"
            - "not-presenter-prefix-*"
            - "*-not-suffix-presenter"
            - "*"
    - when:
        # Single JWT claim lookup.
        - key: "request.auth.claims[iss]"
          values:
            - "iss"
            - "iss-prefix-*"
            - "*-suffix-iss"
            - "*"
          notValues:
            - "not-iss"
            - "not-iss-prefix-*"
            - "*-not-suffix-iss"
            - "*"
    - when:
        # Nested JWT claim lookup (claim inside a claim).
        - key: "request.auth.claims[nested1][nested2]"
          values:
            - "nested"
            - "nested-prefix-*"
            - "*-suffix-nested"
            - "*"
          notValues:
            - "not-nested"
            - "not-nested-prefix-*"
            - "*-not-suffix-nested"
            - "*"
    - when:
        - key: "destination.ip"
          values:
            - "10.10.10.10"
            - "192.168.10.0/24"
          notValues:
            - "90.10.10.10"
            - "90.168.10.0/24"
    - when:
        - key: "destination.port"
          values:
            - "91"
            - "92"
          notValues:
            - "9001"
            - "9002"
    - when:
        - key: "connection.sni"
          values:
            - "exact.com"
            - "*.suffix.com"
            - "prefix.*"
            - "*"
          notValues:
            - "not-exact.com"
            - "*.not-suffix.com"
            - "not-prefix.*"
            - "*"
    - when:
        # Experimental: matches dynamic metadata written by an Envoy filter.
        - key: "experimental.envoy.filters.a.b[c]"
          values:
            - "exact"
            - "prefix-*"
            - "*-suffix"
            - "*"
          notValues:
            - "not-exact"
            - "not-prefix-*"
            - "*-not-suffix"
            - "*"