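---
# Istio AuthorizationPolicy with action DENY. The values look like
# placeholders (e.g. "to-mix-method" is not an HTTP verb), so this is presumably
# a test fixture rather than a production policy.
#
# The rules are grouped by the kind of attribute they match on:
#   L4 (connection-level): principals, namespaces, ports, source.namespace,
#                          source.ip
#   L7 (request-level):    requestPrincipals, methods, paths, request.headers
# The grouping comments below also count connection.sni on the L7 side.
# NOTE(review): presumably because the L4-only enforcement point this fixture
# targets does not evaluate SNI; confirm against the consumer.
#
# Matching semantics: a request is denied when it matches ANY rule. Inside one
# rule, `from`, `to` and `when` must all match, and every `when` condition must
# hold.
#
# Scope: no namespace, selector or targetRef is set in this listing, so the
# policy covers every workload in whatever namespace it is applied to.
#
# NOTE(review): for the rules that mix L4 and L7 attributes, confirm how an
# L4-only enforcer treats the L7 part. Dropping just the L7 condition makes the
# DENY broader; dropping the whole rule silently stops denying that traffic.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: groups-deny
spec:
  action: DENY
  rules:
    # Has mix of L4 and L7 in from: peer identity and namespace (L4) together
    # with a JWT-derived request principal (L7); the operation is L4 only.
    - from:
        - source:
            principals: ["from-mix-principal"]
            requestPrincipals: ["from-mix-requestPrincipals"]
            namespaces: ["from-mix-ns"]
      to:
        - operation:
            ports: ["80"]
    # Has mix of L4 and L7 in to: the source is L4 only; the operation
    # combines a port (L4) with an HTTP method (L7).
    - from:
        - source:
            principals: ["to-mix-principal"]
            namespaces: ["to-mix-ns"]
      to:
        - operation:
            ports: ["80"]
            methods: ["to-mix-method"]
    # Only L4: every attribute can be evaluated from the connection alone.
    - from:
        - source:
            principals: ["only-l4-principals"]
            namespaces: ["only-l4-ns"]
      to:
        - operation:
            ports: ["80"]
    # Only L7: every attribute needs the HTTP request.
    - from:
        - source:
            requestPrincipals: ["l7-principal"]
      to:
        - operation:
            paths: ["/l7-foo"]
            methods: ["l7-method"]
    # L4 and L7 when: no from/to, so any source and operation is a candidate;
    # both conditions must hold for the rule to match.
    - when:
        - key: "source.namespace"
          values: ["when-l4-l7-ns"]
        - key: "connection.sni"
          values: ["when-l4-l7-sni"]
    # L4 only when
    - when:
        - key: "source.namespace"
          values: ["when-l4-ns"]
        # A condition matches when the attribute is in `values` and not in
        # `notValues`. With these two single addresses the notValues entry
        # cannot change the result; presumably it only exercises the field.
        - key: "source.ip"
          values: ["10.10.10.10"]
          notValues: ["20.20.20.20"]
    # L7 only when
    - when:
        - key: "connection.sni"
          values: ["when-l7-sni"]
        - key: "request.headers[X-header]"
          values: ["when-l7-header"]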