# Source: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/security/authz/builder/testdata/http/extended-allow-full-rule-out.yaml
#
# Envoy HTTP RBAC filter configuration. Judging by the path (testdata, "-out"),
# this is an expected-output fixture for Istio's authorization policy builder.
# It holds one policy whose permissions and principals each enumerate every
# matcher shape once as a positive OR group and once inside a negation.
# NOTE(review): treat it as a catalogue of matcher shapes, not as a policy to
# copy. Several groups contain a catch-all (presentMatch: true / regex: .+)
# both in the positive group and in its negation, so the AND of the two cannot
# hold for a request that carries the attribute.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  # The policy sits under `rules` (enforced); there is no `shadowRules` key.
  # No `action` key is present; in the RBAC proto the unset default is ALLOW,
  # which agrees with "allow" in the file name.
  rules:
    policies:
      # Policy name; presumably encodes namespace "foo", policy "httpbin-1",
      # rule index 0 of the source policy.
      ns[foo]-policy[httpbin-1]-rule[0]:
        # A request matches the policy when permissions AND principals match.
        permissions:
        # andRules: every entry below must match. Entries come in pairs: an
        # orRules group (any member matches) and a notRule over an orRules
        # group (no member may match).
        - andRules:
            rules:
            # Host (:authority) matchers. These are the only string matchers
            # in the file that set ignoreCase: true.
            # The last member, presentMatch: true, matches any request that
            # has the header, so it subsumes the three specific matchers.
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: exact.com
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      ignoreCase: true
                      suffix: .suffix.com
                - header:
                    name: :authority
                    stringMatch:
                      ignoreCase: true
                      prefix: prefix.
                - header:
                    name: :authority
                    presentMatch: true
            # Negated host set. The presentMatch: true member makes this
            # notRule fail whenever :authority is present.
            - notRule:
                orRules:
                  rules:
                  - header:
                      name: :authority
                      stringMatch:
                        exact: not-exact.com
                        ignoreCase: true
                  - header:
                      name: :authority
                      stringMatch:
                        ignoreCase: true
                        suffix: .not-suffix.com
                  - header:
                      name: :authority
                      stringMatch:
                        ignoreCase: true
                        prefix: not-prefix.
                  - header:
                      name: :authority
                      presentMatch: true
            # HTTP method matchers. No ignoreCase here, so the comparison is
            # case-sensitive.
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: method
                - header:
                    name: :method
                    stringMatch:
                      prefix: method-prefix-
                - header:
                    name: :method
                    stringMatch:
                      suffix: -suffix-method
                - header:
                    name: :method
                    presentMatch: true
            - notRule:
                orRules:
                  rules:
                  - header:
                      name: :method
                      stringMatch:
                        exact: not-method
                  - header:
                      name: :method
                      stringMatch:
                        prefix: not-method-prefix-
                  - header:
                      name: :method
                      stringMatch:
                        suffix: -not-suffix-method
                  - header:
                      name: :method
                      presentMatch: true
            # Path matchers. urlPath compares against the URL path without the
            # query string. Envoy applies safeRegex as a whole-string match, so
            # `.+` means "any non-empty path".
            # NOTE(review): whether `/exact` or `/prefix/` also covers variants
            # such as doubled or escaped slashes depends on the proxy's path
            # normalization settings, which this file does not show.
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: /exact
                - urlPath:
                    path:
                      prefix: /prefix/
                - urlPath:
                    path:
                      suffix: /suffix
                - urlPath:
                    path:
                      safeRegex:
                        regex: .+
                # URI template matchers: in Envoy's uri_template syntax `*`
                # stands for one path segment and `**` for any number of
                # segments.
                - uriTemplate:
                    name: uri-template
                    typedConfig:
                      '@type': type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                      pathTemplate: /path/template/*
                - uriTemplate:
                    name: uri-template
                    typedConfig:
                      '@type': type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                      pathTemplate: /**/path/template
            - notRule:
                orRules:
                  rules:
                  - urlPath:
                      path:
                        exact: /not-exact
                  - urlPath:
                      path:
                        prefix: /not-prefix/
                  - urlPath:
                      path:
                        suffix: /not-suffix
                  - urlPath:
                      path:
                        safeRegex:
                          regex: .+
                  - uriTemplate:
                      name: uri-template
                      typedConfig:
                        '@type': type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                        pathTemplate: /not-path/template/*
                  - uriTemplate:
                      name: uri-template
                      typedConfig:
                        '@type': type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                        pathTemplate: /**/not-path/template
            # Destination port, first group.
            - orRules:
                rules:
                - destinationPort: 80
                - destinationPort: 90
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 8000
                  - destinationPort: 9000
            # Destination address as CIDR ranges (addressPrefix/prefixLen).
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - destinationIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notRule:
                orRules:
                  rules:
                  - destinationIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - destinationIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            # Destination port, second group. It is ANDed with the first group
            # (80/90); the two port sets share no value, so both cannot hold
            # for one connection.
            - orRules:
                rules:
                - destinationPort: 91
                - destinationPort: 92
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 9001
                  - destinationPort: 9002
            # Requested server name: typically the TLS SNI, a value chosen by
            # the connecting client. No ignoreCase is set on these matchers.
            - orRules:
                rules:
                - requestedServerName:
                    exact: exact.com
                - requestedServerName:
                    suffix: .suffix.com
                - requestedServerName:
                    prefix: prefix.
                - requestedServerName:
                    safeRegex:
                      regex: .+
            - notRule:
                orRules:
                  rules:
                  - requestedServerName:
                      exact: not-exact.com
                  - requestedServerName:
                      suffix: .not-suffix.com
                  - requestedServerName:
                      prefix: not-prefix.
                  - requestedServerName:
                      safeRegex:
                        regex: .+
            # Metadata matcher: key `c` in the metadata namespace
            # `envoy.filters.a.b`; the value must satisfy any one of the
            # string matchers.
            - metadata:
                filter: envoy.filters.a.b
                path:
                - key: c
                value:
                  orMatch:
                    valueMatchers:
                    - stringMatch:
                        exact: exact
                    - stringMatch:
                        prefix: prefix-
                    - stringMatch:
                        suffix: -suffix
                    - stringMatch:
                        safeRegex:
                          regex: .+
            - notRule:
                metadata:
                  filter: envoy.filters.a.b
                  path:
                  - key: c
                  value:
                    orMatch:
                      valueMatchers:
                      - stringMatch:
                          exact: not-exact
                      - stringMatch:
                          prefix: not-prefix-
                      - stringMatch:
                          suffix: -not-suffix
                      - stringMatch:
                          safeRegex:
                            regex: .+
        principals:
        # andIds: every entry below must match. Same pairing as permissions:
        # an orIds group followed by a notId over an orIds group.
        - andIds:
            ids:
            # Peer identity taken from the authenticated (mTLS) connection.
            # The suffix form is expressed as a regex. `regex: .+` accepts any
            # non-empty identity, i.e. it only requires an authenticated peer.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix-
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*-suffix-principal
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .+
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix-
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*-not-suffix-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .+
            # JWT request principals, read from the metadata written by the
            # envoy.filters.http.jwt_authn filter. Each alternative is an AND
            # of a matcher on payload.iss and a matcher on payload.sub.
            # These matchers are only meaningful for tokens the jwt_authn
            # filter has already validated; that configuration is not part of
            # this file.
            - orIds:
                ids:
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            exact: requestPrincipals
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            exact: ""
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            prefix: requestPrincipals-prefix-
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            suffix: -suffix-requestPrincipals
                # iss and sub both `.+`: any token with a non-empty issuer and
                # subject.
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
            - notId:
                orIds:
                  ids:
                  - andIds:
                      ids:
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: iss
                          value:
                            stringMatch:
                              exact: not-requestPrincipals
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: sub
                          value:
                            stringMatch:
                              exact: ""
                  - andIds:
                      ids:
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: iss
                          value:
                            stringMatch:
                              prefix: not-requestPrincipals-prefix-
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: sub
                          value:
                            stringMatch:
                              safeRegex:
                                regex: .+
                  - andIds:
                      ids:
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: iss
                          value:
                            stringMatch:
                              safeRegex:
                                regex: .+
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: sub
                          value:
                            stringMatch:
                              suffix: -not-suffix-requestPrincipals
                  - andIds:
                      ids:
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: iss
                          value:
                            stringMatch:
                              safeRegex:
                                regex: .+
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: sub
                          value:
                            stringMatch:
                              safeRegex:
                                regex: .+
            # Peer namespace, matched as a regex over the peer identity. The
            # leading `.*` leaves whatever precedes `/ns/` (for a SPIFFE ID,
            # the trust domain) unconstrained.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-prefix-.*/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*-ns-suffix/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns-prefix-.*/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*-not-ns-suffix/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*/.*
            # remoteIp vs directRemoteIp: directRemoteIp is the address of the
            # immediate peer socket, while remoteIp may be derived from
            # X-Forwarded-For or PROXY protocol. remoteIp is therefore only as
            # trustworthy as the proxy's trusted-hop configuration, which is
            # not visible in this file.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 5.6.0.0
                    prefixLen: 16
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
                  - remoteIp:
                      addressPrefix: 9.2.0.0
                      prefixLen: 16
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 5.6.0.0
                    prefixLen: 16
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
                  - directRemoteIp:
                      addressPrefix: 9.2.0.0
                      prefixLen: 16
            # Request header used as a principal. A request header is set by
            # the sender unless a trusted hop overwrites or strips it, so a
            # match here does not by itself establish who the caller is.
            - orIds:
                ids:
                - header:
                    name: X-header
                    stringMatch:
                      exact: header
                - header:
                    name: X-header
                    stringMatch:
                      prefix: header-prefix-
                - header:
                    name: X-header
                    stringMatch:
                      suffix: -suffix-header
                - header:
                    name: X-header
                    presentMatch: true
            - notId:
                orIds:
                  ids:
                  - header:
                      name: X-header
                      stringMatch:
                        exact: not-header
                  - header:
                      name: X-header
                      stringMatch:
                        prefix: not-header-prefix-
                  - header:
                      name: X-header
                      stringMatch:
                        suffix: -not-suffix-header
                  - header:
                      name: X-header
                      presentMatch: true
            # The groups from here to the second JWT principal group repeat
            # attributes already matched above with other values; presumably
            # they come from a different section of the source policy — TODO
            # confirm against the matching input file.
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - directRemoteIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
                  - remoteIp:
                      addressPrefix: 90.168.10.0
                      prefixLen: 24
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-prefix-.*/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*-ns-suffix/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns-prefix-.*/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*-not-ns-suffix/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*/.*
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix-
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*-suffix-principal
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .+
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix-
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*-not-suffix-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .+
            # Second JWT principal group. It has one alternative more than the
            # first: iss exactly `https://example.com` with any non-empty sub.
            - orIds:
                ids:
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            exact: requestPrincipals
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            exact: ""
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            prefix: requestPrincipals-prefix-
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            suffix: -suffix-requestPrincipals
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
                - andIds:
                    ids:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            exact: https://example.com
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub
                        value:
                          stringMatch:
                            safeRegex:
                              regex: .+
            - notId:
                orIds:
                  ids:
                  - andIds:
                      ids:
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: iss
                          value:
                            stringMatch:
                              exact: not-requestPrincipals
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: sub
                          value:
                            stringMatch:
                              exact: ""
                  - andIds:
                      ids:
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: iss
                          value:
                            stringMatch:
                              prefix: not-requestPrincipals-prefix-
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: sub
                          value:
                            stringMatch:
                              safeRegex:
                                regex: .+
                  - andIds:
                      ids:
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: iss
                          value:
                            stringMatch:
                              safeRegex:
                                regex: .+
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: sub
                          value:
                            stringMatch:
                              suffix: -not-suffix-requestPrincipals
                  - andIds:
                      ids:
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: iss
                          value:
                            stringMatch:
                              safeRegex:
                                regex: .+
                      - metadata:
                          filter: envoy.filters.http.jwt_authn
                          path:
                          - key: payload
                          - key: sub
                          value:
                            stringMatch:
                              safeRegex:
                                regex: .+
            # JWT claim matchers (aud, azp, iss, nested1.nested2). Each value
            # matcher is an OR of two alternatives carrying the same string
            # matchers: listMatch/oneOf for a claim that is a list (any
            # element may match) and a plain orMatch for a scalar claim.
            # NOTE(review): the nesting of the second `orMatch` as a sibling of
            # `listMatch` was rebuilt from a listing that had lost its
            # indentation; confirm against the upstream file.
            - metadata:
                filter: envoy.filters.http.jwt_authn
                path:
                - key: payload
                - key: aud
                value:
                  orMatch:
                    valueMatchers:
                    - listMatch:
                        oneOf:
                          orMatch:
                            valueMatchers:
                            - stringMatch:
                                exact: audiences
                            - stringMatch:
                                prefix: audiences-prefix-
                            - stringMatch:
                                suffix: -suffix-audiences
                            - stringMatch:
                                safeRegex:
                                  regex: .+
                    - orMatch:
                        valueMatchers:
                        - stringMatch:
                            exact: audiences
                        - stringMatch:
                            prefix: audiences-prefix-
                        - stringMatch:
                            suffix: -suffix-audiences
                        - stringMatch:
                            safeRegex:
                              regex: .+
            - notId:
                metadata:
                  filter: envoy.filters.http.jwt_authn
                  path:
                  - key: payload
                  - key: aud
                  value:
                    orMatch:
                      valueMatchers:
                      - listMatch:
                          oneOf:
                            orMatch:
                              valueMatchers:
                              - stringMatch:
                                  exact: not-audiences
                              - stringMatch:
                                  prefix: not-audiences-prefix-
                              - stringMatch:
                                  suffix: -not-suffix-audiences
                              - stringMatch:
                                  safeRegex:
                                    regex: .+
                      - orMatch:
                          valueMatchers:
                          - stringMatch:
                              exact: not-audiences
                          - stringMatch:
                              prefix: not-audiences-prefix-
                          - stringMatch:
                              suffix: -not-suffix-audiences
                          - stringMatch:
                              safeRegex:
                                regex: .+
            # azp claim (the values are named "presenter").
            - metadata:
                filter: envoy.filters.http.jwt_authn
                path:
                - key: payload
                - key: azp
                value:
                  orMatch:
                    valueMatchers:
                    - listMatch:
                        oneOf:
                          orMatch:
                            valueMatchers:
                            - stringMatch:
                                exact: presenter
                            - stringMatch:
                                prefix: presenter-prefix-
                            - stringMatch:
                                suffix: -suffix-presenter
                            - stringMatch:
                                safeRegex:
                                  regex: .+
                    - orMatch:
                        valueMatchers:
                        - stringMatch:
                            exact: presenter
                        - stringMatch:
                            prefix: presenter-prefix-
                        - stringMatch:
                            suffix: -suffix-presenter
                        - stringMatch:
                            safeRegex:
                              regex: .+
            - notId:
                metadata:
                  filter: envoy.filters.http.jwt_authn
                  path:
                  - key: payload
                  - key: azp
                  value:
                    orMatch:
                      valueMatchers:
                      - listMatch:
                          oneOf:
                            orMatch:
                              valueMatchers:
                              - stringMatch:
                                  exact: not-presenter
                              - stringMatch:
                                  prefix: not-presenter-prefix-
                              - stringMatch:
                                  suffix: -not-suffix-presenter
                              - stringMatch:
                                  safeRegex:
                                    regex: .+
                      - orMatch:
                          valueMatchers:
                          - stringMatch:
                              exact: not-presenter
                          - stringMatch:
                              prefix: not-presenter-prefix-
                          - stringMatch:
                              suffix: -not-suffix-presenter
                          - stringMatch:
                              safeRegex:
                                regex: .+
            # iss claim matched as a generic claim (list or scalar), separate
            # from the iss/sub pairs of the request-principal groups above.
            - metadata:
                filter: envoy.filters.http.jwt_authn
                path:
                - key: payload
                - key: iss
                value:
                  orMatch:
                    valueMatchers:
                    - listMatch:
                        oneOf:
                          orMatch:
                            valueMatchers:
                            - stringMatch:
                                exact: iss
                            - stringMatch:
                                prefix: iss-prefix-
                            - stringMatch:
                                suffix: -suffix-iss
                            - stringMatch:
                                safeRegex:
                                  regex: .+
                    - orMatch:
                        valueMatchers:
                        - stringMatch:
                            exact: iss
                        - stringMatch:
                            prefix: iss-prefix-
                        - stringMatch:
                            suffix: -suffix-iss
                        - stringMatch:
                            safeRegex:
                              regex: .+
            - notId:
                metadata:
                  filter: envoy.filters.http.jwt_authn
                  path:
                  - key: payload
                  - key: iss
                  value:
                    orMatch:
                      valueMatchers:
                      - listMatch:
                          oneOf:
                            orMatch:
                              valueMatchers:
                              - stringMatch:
                                  exact: not-iss
                              - stringMatch:
                                  prefix: not-iss-prefix-
                              - stringMatch:
                                  suffix: -not-suffix-iss
                              - stringMatch:
                                  safeRegex:
                                    regex: .+
                      - orMatch:
                          valueMatchers:
                          - stringMatch:
                              exact: not-iss
                          - stringMatch:
                              prefix: not-iss-prefix-
                          - stringMatch:
                              suffix: -not-suffix-iss
                          - stringMatch:
                              safeRegex:
                                regex: .+
            # Nested claim: the path walks payload -> nested1 -> nested2.
            - metadata:
                filter: envoy.filters.http.jwt_authn
                path:
                - key: payload
                - key: nested1
                - key: nested2
                value:
                  orMatch:
                    valueMatchers:
                    - listMatch:
                        oneOf:
                          orMatch:
                            valueMatchers:
                            - stringMatch:
                                exact: nested
                            - stringMatch:
                                prefix: nested-prefix-
                            - stringMatch:
                                suffix: -suffix-nested
                            - stringMatch:
                                safeRegex:
                                  regex: .+
                    - orMatch:
                        valueMatchers:
                        - stringMatch:
                            exact: nested
                        - stringMatch:
                            prefix: nested-prefix-
                        - stringMatch:
                            suffix: -suffix-nested
                        - stringMatch:
                            safeRegex:
                              regex: .+
            - notId:
                metadata:
                  filter: envoy.filters.http.jwt_authn
                  path:
                  - key: payload
                  - key: nested1
                  - key: nested2
                  value:
                    orMatch:
                      valueMatchers:
                      - listMatch:
                          oneOf:
                            orMatch:
                              valueMatchers:
                              - stringMatch:
                                  exact: not-nested
                              - stringMatch:
                                  prefix: not-nested-prefix-
                              - stringMatch:
                                  suffix: -not-suffix-nested
                              - stringMatch:
                                  safeRegex:
                                    regex: .+
                      - orMatch:
                          valueMatchers:
                          - stringMatch:
                              exact: not-nested
                          - stringMatch:
                              prefix: not-nested-prefix-
                          - stringMatch:
                              suffix: -not-suffix-nested
                          - stringMatch:
                              safeRegex:
                                regex: .+
  # Prefix for the statistics emitted when shadow (dry-run) rules are
  # evaluated. It does not put the policy above into dry-run mode: that policy
  # is under `rules`, and this file defines no `shadowRules`.
  shadowRulesStatPrefix: istio_dry_run_allow_