---
# Source: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/security/authz/builder/testdata/http/allow-full-rule-out.yaml
#
# Envoy HTTP RBAC filter config kept as builder test data ("-out" file).
# It holds one policy. `permissions` and `principals` are each a single AND
# (andRules / andIds) over paired groups: an OR group of accepted matchers
# followed by a negated OR group (notRule / notId).
#
# NOTE(review): no `action` is printed under `rules`; presumably the proto
# default applies (the file name suggests ALLOW) - confirm.
# NOTE(review): several positive groups contain a catch-all (`presentMatch: true`
# or regex `.+`) and their negated partner contains the same catch-all, so the
# AND cannot be satisfied as written. Read this as a matcher-coverage fixture,
# not as a policy to copy into a mesh.
# NOTE(review): `safeRegex` values are written without anchors; Envoy's regex
# matcher is expected to require a full-string match - confirm before reusing.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    policies:
      'ns[foo]-policy[httpbin-1]-rule[0]':
        permissions:
        - andRules:
            rules:
            # Host: :authority pseudo-header, case-insensitive (ignoreCase: true).
            - orRules:
                rules:
                - header:
                    name: ':authority'
                    stringMatch:
                      exact: exact.com
                      ignoreCase: true
                - header:
                    name: ':authority'
                    stringMatch:
                      ignoreCase: true
                      suffix: '.suffix.com'
                - header:
                    name: ':authority'
                    stringMatch:
                      ignoreCase: true
                      prefix: prefix.
                - header:
                    name: ':authority'
                    presentMatch: true
            - notRule:
                orRules:
                  rules:
                  - header:
                      name: ':authority'
                      stringMatch:
                        exact: not-exact.com
                        ignoreCase: true
                  - header:
                      name: ':authority'
                      stringMatch:
                        ignoreCase: true
                        suffix: '.not-suffix.com'
                  - header:
                      name: ':authority'
                      stringMatch:
                        ignoreCase: true
                        prefix: not-prefix.
                  - header:
                      name: ':authority'
                      presentMatch: true
            # HTTP method: :method pseudo-header; no ignoreCase, so case-sensitive.
            - orRules:
                rules:
                - header:
                    name: ':method'
                    stringMatch:
                      exact: method
                - header:
                    name: ':method'
                    stringMatch:
                      prefix: method-prefix-
                - header:
                    name: ':method'
                    stringMatch:
                      suffix: '-suffix-method'
                - header:
                    name: ':method'
                    presentMatch: true
            - notRule:
                orRules:
                  rules:
                  - header:
                      name: ':method'
                      stringMatch:
                        exact: not-method
                  - header:
                      name: ':method'
                      stringMatch:
                        prefix: not-method-prefix-
                  - header:
                      name: ':method'
                      stringMatch:
                        suffix: '-not-suffix-method'
                  - header:
                      name: ':method'
                      presentMatch: true
            # URL path: exact / prefix / suffix / regex `.+` (any non-empty path),
            # plus two uri_template matchers.
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: /exact
                - urlPath:
                    path:
                      prefix: /prefix/
                - urlPath:
                    path:
                      suffix: /suffix
                - urlPath:
                    path:
                      safeRegex:
                        regex: '.+'
                - uriTemplate:
                    name: uri-template
                    typedConfig:
                      '@type': type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                      pathTemplate: '/path/template/*'
                - uriTemplate:
                    name: uri-template
                    typedConfig:
                      '@type': type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                      pathTemplate: '/**/path/template'
            - notRule:
                orRules:
                  rules:
                  - urlPath:
                      path:
                        exact: /not-exact
                  - urlPath:
                      path:
                        prefix: /not-prefix/
                  - urlPath:
                      path:
                        suffix: /not-suffix
                  - urlPath:
                      path:
                        safeRegex:
                          regex: '.+'
                  - uriTemplate:
                      name: uri-template
                      typedConfig:
                        '@type': type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                        pathTemplate: '/not-path/template/*'
                  - uriTemplate:
                      name: uri-template
                      typedConfig:
                        '@type': type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                        pathTemplate: '/**/not-path/template'
            # Destination port, first pair.
            - orRules:
                rules:
                - destinationPort: 80
                - destinationPort: 90
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 8000
                  - destinationPort: 9000
            # Destination IP as CIDR (addressPrefix / prefixLen).
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - destinationIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notRule:
                orRules:
                  rules:
                  - destinationIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - destinationIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            # Destination port, second pair.
            # NOTE(review): ANDed with the first port pair (80/90), so no single
            # port satisfies both groups.
            - orRules:
                rules:
                - destinationPort: 91
                - destinationPort: 92
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 9001
                  - destinationPort: 9002
            # TLS server name requested by the client (SNI); client-supplied value.
            - orRules:
                rules:
                - requestedServerName:
                    exact: exact.com
                - requestedServerName:
                    suffix: '.suffix.com'
                - requestedServerName:
                    prefix: prefix.
                - requestedServerName:
                    safeRegex:
                      regex: '.+'
            - notRule:
                orRules:
                  rules:
                  - requestedServerName:
                      exact: not-exact.com
                  - requestedServerName:
                      suffix: '.not-suffix.com'
                  - requestedServerName:
                      prefix: not-prefix.
                  - requestedServerName:
                      safeRegex:
                        regex: '.+'
            # Dynamic metadata written by filter `envoy.filters.a.b`, key `c`.
            - orRules:
                rules:
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        exact: exact
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        prefix: prefix-
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        suffix: '-suffix'
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        safeRegex:
                          regex: '.+'
            - notRule:
                orRules:
                  rules:
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          exact: not-exact
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          prefix: not-prefix-
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          suffix: '-not-suffix'
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          safeRegex:
                            regex: '.+'
        principals:
        - andIds:
            ids:
            # Peer identity (`authenticated.principalName`). The suffix form is
            # expressed as a regex; `.+` accepts any non-empty principal.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix-
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: 'spiffe://.*-suffix-principal'
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.+'
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix-
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: 'spiffe://.*-not-suffix-principal'
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.+'
            # Request identity read from `istio_authn` dynamic metadata,
            # key `request.auth.principal`.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: requestPrincipals
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        prefix: requestPrincipals-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        suffix: '-suffix-requestPrincipals'
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        safeRegex:
                          regex: '.+'
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          exact: not-requestPrincipals
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          prefix: not-requestPrincipals-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          suffix: '-not-suffix-requestPrincipals'
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          safeRegex:
                            regex: '.+'
            # Namespace, matched as a regex over the peer principal around the
            # literal `/ns/` marker.
            # NOTE(review): `.*` also spans `/`, so the namespace segment is
            # located only by that marker, not by position in the identity.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.*/ns/ns/.*'
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.*/ns/ns-prefix-.*/.*'
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.*/ns/.*-ns-suffix/.*'
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.*/ns/.*/.*'
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.*/ns/not-ns/.*'
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.*/ns/not-ns-prefix-.*/.*'
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.*/ns/.*-not-ns-suffix/.*'
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.*/ns/.*/.*'
            # remoteIp: the downstream address as Envoy resolved it, which may be
            # derived from X-Forwarded-For or PROXY protocol rather than the
            # socket peer - only meaningful behind a trusted proxy chain.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 5.6.0.0
                    prefixLen: 16
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
                  - remoteIp:
                      addressPrefix: 9.2.0.0
                      prefixLen: 16
            # directRemoteIp: the physical peer address of the connection.
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 5.6.0.0
                    prefixLen: 16
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
                  - directRemoteIp:
                      addressPrefix: 9.2.0.0
                      prefixLen: 16
            # Plain request header used as a principal condition. A request
            # header is caller-controlled unless a trusted hop overwrites it.
            - orIds:
                ids:
                - header:
                    name: X-header
                    stringMatch:
                      exact: header
                - header:
                    name: X-header
                    stringMatch:
                      prefix: header-prefix-
                - header:
                    name: X-header
                    stringMatch:
                      suffix: '-suffix-header'
                - header:
                    name: X-header
                    presentMatch: true
            - notId:
                orIds:
                  ids:
                  - header:
                      name: X-header
                      stringMatch:
                        exact: not-header
                  - header:
                      name: X-header
                      stringMatch:
                        prefix: not-header-prefix-
                  - header:
                      name: X-header
                      stringMatch:
                        suffix: '-not-suffix-header'
                  - header:
                      name: X-header
                      presentMatch: true
            # From here the IP, namespace, principal and request-principal groups
            # appear a second time with other sample values.
            # NOTE(review): presumably one set is built from the rule's source
            # fields and the other from its conditions - confirm against the
            # matching input fixture.
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - directRemoteIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - remoteIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.*/ns/ns/.*'
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.*/ns/ns-prefix-.*/.*'
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.*/ns/.*-ns-suffix/.*'
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.*/ns/.*/.*'
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.*/ns/not-ns/.*'
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.*/ns/not-ns-prefix-.*/.*'
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.*/ns/.*-not-ns-suffix/.*'
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.*/ns/.*/.*'
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix-
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: 'spiffe://.*-suffix-principal'
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: '.+'
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix-
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: 'spiffe://.*-not-suffix-principal'
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: '.+'
            # Second request.auth.principal group; it carries one extra
            # alternative, the prefix `https://example.com/`.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: requestPrincipals
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        prefix: requestPrincipals-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        suffix: '-suffix-requestPrincipals'
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        safeRegex:
                          regex: '.+'
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        prefix: https://example.com/
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          exact: not-requestPrincipals
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          prefix: not-requestPrincipals-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          suffix: '-not-suffix-requestPrincipals'
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.principal
                      value:
                        stringMatch:
                          safeRegex:
                            regex: '.+'
            # `request.auth.audiences` from istio_authn metadata.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        exact: audiences
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        prefix: audiences-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        suffix: '-suffix-audiences'
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.audiences
                    value:
                      stringMatch:
                        safeRegex:
                          regex: '.+'
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.audiences
                      value:
                        stringMatch:
                          exact: not-audiences
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.audiences
                      value:
                        stringMatch:
                          prefix: not-audiences-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.audiences
                      value:
                        stringMatch:
                          suffix: '-not-suffix-audiences'
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.audiences
                      value:
                        stringMatch:
                          safeRegex:
                            regex: '.+'
            # `request.auth.presenter` from istio_authn metadata.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.presenter
                    value:
                      stringMatch:
                        exact: presenter
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.presenter
                    value:
                      stringMatch:
                        prefix: presenter-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.presenter
                    value:
                      stringMatch:
                        suffix: '-suffix-presenter'
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.presenter
                    value:
                      stringMatch:
                        safeRegex:
                          regex: '.+'
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.presenter
                      value:
                        stringMatch:
                          exact: not-presenter
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.presenter
                      value:
                        stringMatch:
                          prefix: not-presenter-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.presenter
                      value:
                        stringMatch:
                          suffix: '-not-suffix-presenter'
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.presenter
                      value:
                        stringMatch:
                          safeRegex:
                            regex: '.+'
            # Claim `iss` under `request.auth.claims`; listMatch/oneOf means any
            # one element of the claim's list may match.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: iss
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            exact: iss
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: iss
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            prefix: iss-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: iss
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            suffix: '-suffix-iss'
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: iss
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            safeRegex:
                              regex: '.+'
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: iss
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              exact: not-iss
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: iss
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              prefix: not-iss-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: iss
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              suffix: '-not-suffix-iss'
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: iss
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              safeRegex:
                                regex: '.+'
            # Nested claim: path request.auth.claims -> nested1 -> nested2.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: nested1
                    - key: nested2
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            exact: nested
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: nested1
                    - key: nested2
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            prefix: nested-prefix-
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: nested1
                    - key: nested2
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            suffix: '-suffix-nested'
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.claims
                    - key: nested1
                    - key: nested2
                    value:
                      listMatch:
                        oneOf:
                          stringMatch:
                            safeRegex:
                              regex: '.+'
            - notId:
                orIds:
                  ids:
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: nested1
                      - key: nested2
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              exact: not-nested
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: nested1
                      - key: nested2
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              prefix: not-nested-prefix-
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: nested1
                      - key: nested2
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              suffix: '-not-suffix-nested'
                  - metadata:
                      filter: istio_authn
                      path:
                      - key: request.auth.claims
                      - key: nested1
                      - key: nested2
                      value:
                        listMatch:
                          oneOf:
                            stringMatch:
                              safeRegex:
                                regex: '.+'
  # Stat prefix for shadow (dry-run) rule results; no `shadowRules` block is
  # present in this file.
  shadowRulesStatPrefix: istio_dry_run_allow_