# Test fixture for Gateway listener isolation with overlapping hostnames.
#
# One Gateway exposes four HTTP listeners on port 80. Their hostnames run from
# unset (no hostname restriction) down to a single exact host. Each HTTPRoute
# below binds to exactly one listener through sectionName and deliberately
# lists all four hostnames. The comments on each hostname record whether it
# stays effective on that listener or is claimed by a more specific one.
#
# Why isolation matters: when listeners (and the routes bound to them) belong
# to different owners, a request for abc.foo.example.com must be served only
# by routes on the abc-foo-example-com listener, never by a route attached to
# a broader wildcard or to the catch-all listener.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: isolation
  namespace: gateway-conformance-infra
spec:
  gatewayClassName: "istio"
  listeners:
  # Catch-all listener: no hostname is set.
  - name: empty-hostname
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        # "All" lets HTTPRoutes from any namespace attach; the same setting is
        # repeated on every listener below. Every route in this fixture lives
        # in the Gateway's own namespace. Outside of tests, restrict
        # attachment with Same or Selector.
        from: All
  - name: wildcard-example-com
    port: 80
    protocol: HTTP
    hostname: "*.example.com"
    allowedRoutes:
      namespaces:
        from: All
  - name: wildcard-foo-example-com
    port: 80
    protocol: HTTP
    hostname: "*.foo.example.com"
    allowedRoutes:
      namespaces:
        from: All
  # Most specific listener: a single exact hostname.
  - name: abc-foo-example-com
    port: 80
    protocol: HTTP
    hostname: "abc.foo.example.com"
    allowedRoutes:
      namespaces:
        from: All
---
# Bound to the catch-all listener. Per the comments below, only bar.com is
# left for this route; each example.com name belongs to a more specific
# listener.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: attaches-to-empty-hostname-with-hostname-intersection
  namespace: gateway-conformance-infra
spec:
  parentRefs:
  - name: isolation
    namespace: gateway-conformance-infra
    sectionName: empty-hostname
  hostnames:
  - "bar.com"
  # request matching is prevented by isolation of the wildcard-example-com
  # listener
  - "*.example.com"
  # request matching is prevented by isolation of the wildcard-foo-example-com
  # listener
  - "*.foo.example.com"
  # request matching is prevented by isolation of the abc-foo-example-com
  # listener
  - "abc.foo.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /empty-hostname
    backendRefs:
    - name: infra-backend-v1
      port: 8080
---
# Bound to the *.example.com listener.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: attaches-to-wildcard-example-com-with-hostname-intersection
  namespace: gateway-conformance-infra
spec:
  parentRefs:
  - name: isolation
    namespace: gateway-conformance-infra
    sectionName: wildcard-example-com
  hostnames:
  # doesn't match the wildcard-example-com listener
  - "bar.com"
  - "*.example.com"
  # request matching is prevented by isolation of the wildcard-foo-example-com
  # listener
  - "*.foo.example.com"
  # request matching is prevented by isolation of the abc-foo-example-com
  # listener
  - "abc.foo.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /wildcard-example-com
    backendRefs:
    - name: infra-backend-v1
      port: 8080
---
# Bound to the *.foo.example.com listener.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: attaches-to-wildcard-foo-example-com-with-hostname-intersection
  namespace: gateway-conformance-infra
spec:
  parentRefs:
  - name: isolation
    namespace: gateway-conformance-infra
    sectionName: wildcard-foo-example-com
  hostnames:
  # doesn't match the wildcard-foo-example-com listener
  - "bar.com"
  # this becomes *.foo.example.com, as the hostname cannot be less specific
  # than the listener's *.foo.example.com
  - "*.example.com"
  - "*.foo.example.com"
  # request matching is prevented by isolation of the abc-foo-example-com
  # listener
  - "abc.foo.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /wildcard-foo-example-com
    backendRefs:
    - name: infra-backend-v1
      port: 8080
---
# Bound to the exact-host listener. Per the comments below, every intersecting
# hostname narrows to abc.foo.example.com.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: attaches-to-abc-foo-example-com-with-hostname-intersection
  namespace: gateway-conformance-infra
spec:
  parentRefs:
  - name: isolation
    namespace: gateway-conformance-infra
    sectionName: abc-foo-example-com
  hostnames:
  # doesn't match the abc-foo-example-com listener
  - "bar.com"
  # becomes abc.foo.example.com, as it cannot be less specific than the
  # listener's abc.foo.example.com
  - "*.example.com"
  # becomes abc.foo.example.com, as it cannot be less specific than the
  # listener's abc.foo.example.com
  - "*.foo.example.com"
  - "abc.foo.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /abc-foo-example-com
    backendRefs:
    - name: infra-backend-v1
      port: 8080