# Source: istio.io/istio@v0.0.0-20240520182934-d79c90f27776
#   pilot/pkg/security/authz/builder/testdata/http/allow-full-rule-in.yaml
#
# Test input for the authorization policy builder: one AuthorizationPolicy whose
# single rule fills in every `from`, `to` and `when` field, each with an exact,
# a prefix ("x-*"), a suffix ("*-x") and a presence ("*") value where the field
# takes strings.
#
# No `action` is set, so the policy takes the API default (ALLOW).
#
# NOTE(review): this is a coverage fixture, not a policy to copy. Within a list
# "*" already matches any non-empty value, so the narrower entries beside it add
# nothing, and each positive list is paired with a `not*` list that also holds
# "*". Read as a real policy the rule looks self-contradictory and would
# presumably never match - confirm against the builder's expected output.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-1
  namespace: foo
spec:
  # Scope: workloads in namespace `foo` labelled app=httpbin and version=v1.
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    # All fields of one `source` must match together; values inside one list
    # are alternatives.
    - from:
        - source:
            # principals / namespaces come from the peer certificate, so they
            # are only meaningful when mutual TLS is in force for the workload.
            principals: ["principal", "principal-prefix-*", "*-suffix-principal", "*"]
            # requestPrincipals come from a validated JWT (issuer/subject).
            requestPrincipals: ["requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*"]
            namespaces: ["ns", "ns-prefix-*", "*-ns-suffix", "*"]
            # ipBlocks match the address of the direct peer (a load balancer or
            # proxy, if one sits in front). Single addresses and CIDR ranges.
            ipBlocks: ["1.2.3.4", "5.6.0.0/16"]
            # remoteIpBlocks match the original client address recovered from
            # X-Forwarded-For or PROXY protocol. That value is only trustworthy
            # when the mesh's trusted-proxy count (numTrustedProxies) matches
            # the real topology; otherwise a client can supply it.
            remoteIpBlocks: ["1.2.3.4", "5.6.0.0/16"]
            # Negative counterparts of the fields above.
            notPrincipals: ["not-principal", "not-principal-prefix-*", "*-not-suffix-principal", "*"]
            notRequestPrincipals: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
            notNamespaces: ["not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*"]
            notIpBlocks: ["9.0.0.1", "9.2.0.0/16"]
            notRemoteIpBlocks: ["9.0.0.1", "9.2.0.0/16"]
      to:
        - operation:
            methods: ["method", "method-prefix-*", "*-suffix-method", "*"]
            hosts: ["exact.com", "*.suffix.com", "prefix.*", "*"]
            # Ports are quoted so they stay strings.
            ports: ["80", "90"]
            # The last two entries use path-template operators: {*} for one
            # path segment, {**} for a run of segments - TODO confirm exact
            # semantics for this Istio version.
            # NOTE(review): path rules are only as strong as the proxy's path
            # normalization; verify that setting wherever path matching is
            # used for access control.
            paths: ["/exact", "/prefix/*", "*/suffix", "*", "/path/template/{*}", "/{**}/path/template"]
            notMethods: ["not-method", "not-method-prefix-*", "*-not-suffix-method", "*"]
            notHosts: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"]
            notPorts: ["8000", "9000"]
            notPaths: ["/not-exact", "/not-prefix/*", "*/not-suffix", "*", "/not-path/template/{*}", "/{**}/not-path/template"]
      # Extra conditions, one entry per supported attribute key. Several repeat
      # a `from`/`to` field under its attribute name (source.ip, remote.ip,
      # source.namespace, source.principal, request.auth.principal).
      when:
        # Request header lookup; the header name is given in brackets.
        - key: "request.headers[X-header]"
          values: ["header", "header-prefix-*", "*-suffix-header", "*"]
          notValues: ["not-header", "not-header-prefix-*", "*-not-suffix-header", "*"]
        # Direct peer address (same caveat as ipBlocks).
        - key: "source.ip"
          values: ["10.10.10.10", "192.168.10.0/24"]
          notValues: ["90.10.10.10", "90.168.10.0/24"]
        # Forwarded client address (same trust caveat as remoteIpBlocks).
        - key: "remote.ip"
          values: ["10.10.10.10", "192.168.10.0/24"]
          notValues: ["90.10.10.10", "90.168.10.0/24"]
        - key: "source.namespace"
          values: ["ns", "ns-prefix-*", "*-ns-suffix", "*"]
          notValues: ["not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*"]
        - key: "source.principal"
          values: ["principal", "principal-prefix-*", "*-suffix-principal", "*"]
          notValues: ["not-principal", "not-principal-prefix-*", "*-not-suffix-principal", "*"]
        # This list carries one extra value, a URL-shaped prefix match
        # ("https://example.com/*") - presumably to cover issuer URLs with any
        # subject; confirm against the expected output.
        - key: "request.auth.principal"
          values: ["requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*", "https://example.com/*"]
          notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
        - key: "request.auth.audiences"
          values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]
          notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"]
        - key: "request.auth.presenter"
          values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"]
          notValues: ["not-presenter", "not-presenter-prefix-*", "*-not-suffix-presenter", "*"]
        # JWT claim lookups: a top-level claim, then a nested claim addressed
        # with one bracket pair per level.
        - key: "request.auth.claims[iss]"
          values: ["iss", "iss-prefix-*", "*-suffix-iss", "*"]
          notValues: ["not-iss", "not-iss-prefix-*", "*-not-suffix-iss", "*"]
        - key: "request.auth.claims[nested1][nested2]"
          values: ["nested", "nested-prefix-*", "*-suffix-nested", "*"]
          notValues: ["not-nested", "not-nested-prefix-*", "*-not-suffix-nested", "*"]
        - key: "destination.ip"
          values: ["10.10.10.10", "192.168.10.0/24"]
          notValues: ["90.10.10.10", "90.168.10.0/24"]
        - key: "destination.port"
          values: ["91", "92"]
          notValues: ["9001", "9002"]
        - key: "connection.sni"
          values: ["exact.com", "*.suffix.com", "prefix.*", "*"]
          notValues: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"]
        # Experimental key; looks like a lookup into Envoy filter metadata
        # (filter `a.b`, entry `c`) - TODO confirm.
        - key: "experimental.envoy.filters.a.b[c]"
          values: ["exact", "prefix-*", "*-suffix", "*"]
          notValues: ["not-exact", "not-prefix-*", "*-not-suffix", "*"]