istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/security/authz/builder/testdata/http/extended-single-policy-out.yaml (about) 1 name: envoy.filters.http.rbac 2 typedConfig: 3 '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC 4 rules: 5 policies: 6 ns[foo]-policy[httpbin]-rule[0]: 7 permissions: 8 - andRules: 9 rules: 10 - orRules: 11 rules: 12 - header: 13 name: :authority 14 stringMatch: 15 exact: rule[0]-to[0]-host[1] 16 ignoreCase: true 17 - header: 18 name: :authority 19 stringMatch: 20 exact: rule[0]-to[0]-host[2] 21 ignoreCase: true 22 - orRules: 23 rules: 24 - header: 25 name: :method 26 stringMatch: 27 exact: rule[0]-to[0]-method[1] 28 - header: 29 name: :method 30 stringMatch: 31 exact: rule[0]-to[0]-method[2] 32 - orRules: 33 rules: 34 - urlPath: 35 path: 36 exact: rule[0]-to[0]-path[1] 37 - urlPath: 38 path: 39 exact: rule[0]-to[0]-path[2] 40 - orRules: 41 rules: 42 - destinationPort: 9001 43 - destinationPort: 9002 44 - orRules: 45 rules: 46 - destinationIp: 47 addressPrefix: 10.10.10.10 48 prefixLen: 32 49 - destinationIp: 50 addressPrefix: 192.168.10.0 51 prefixLen: 24 52 - andRules: 53 rules: 54 - orRules: 55 rules: 56 - header: 57 name: :authority 58 stringMatch: 59 exact: rule[0]-to[1]-host[1] 60 ignoreCase: true 61 - header: 62 name: :authority 63 stringMatch: 64 exact: rule[0]-to[1]-host[2] 65 ignoreCase: true 66 - orRules: 67 rules: 68 - header: 69 name: :method 70 stringMatch: 71 exact: rule[0]-to[1]-method[1] 72 - header: 73 name: :method 74 stringMatch: 75 exact: rule[0]-to[1]-method[2] 76 - orRules: 77 rules: 78 - urlPath: 79 path: 80 exact: rule[0]-to[1]-path[1] 81 - urlPath: 82 path: 83 exact: rule[0]-to[1]-path[2] 84 - orRules: 85 rules: 86 - destinationPort: 9011 87 - destinationPort: 9012 88 - orRules: 89 rules: 90 - destinationIp: 91 addressPrefix: 10.10.10.10 92 prefixLen: 32 93 - destinationIp: 94 addressPrefix: 192.168.10.0 95 prefixLen: 24 96 principals: 97 - andIds: 98 ids: 99 - orIds: 100 ids: 101 - authenticated: 102 principalName: 103 exact: spiffe://rule[0]-from[0]-principal[1] 104 - authenticated: 105 principalName: 106 exact: spiffe://rule[0]-from[0]-principal[2] 107 - orIds: 108 ids: 109 - andIds: 110 ids: 111 - metadata: 112 filter: envoy.filters.http.jwt_authn 113 path: 114 - key: payload 115 - key: iss 116 value: 117 stringMatch: 118 exact: rule[0]-from[0]-requestPrincipal[1] 119 - metadata: 120 filter: envoy.filters.http.jwt_authn 121 path: 122 - key: payload 123 - key: sub 124 value: 125 stringMatch: 126 exact: "" 127 - andIds: 128 ids: 129 - metadata: 130 filter: envoy.filters.http.jwt_authn 131 path: 132 - key: payload 133 - key: iss 134 value: 135 stringMatch: 136 exact: rule[0]-from[0]-requestPrincipal[2] 137 - metadata: 138 filter: envoy.filters.http.jwt_authn 139 path: 140 - key: payload 141 - key: sub 142 value: 143 stringMatch: 144 exact: "" 145 - orIds: 146 ids: 147 - authenticated: 148 principalName: 149 safeRegex: 150 regex: .*/ns/rule[0]-from[0]-ns[1]/.* 151 - authenticated: 152 principalName: 153 safeRegex: 154 regex: .*/ns/rule[0]-from[0]-ns[2]/.* 155 - orIds: 156 ids: 157 - remoteIp: 158 addressPrefix: 172.16.10.10 159 prefixLen: 32 160 - orIds: 161 ids: 162 - directRemoteIp: 163 addressPrefix: 10.0.0.1 164 prefixLen: 32 165 - directRemoteIp: 166 addressPrefix: 10.0.0.2 167 prefixLen: 32 168 - orIds: 169 ids: 170 - header: 171 name: X-header 172 stringMatch: 173 exact: header 174 - header: 175 name: X-header 176 stringMatch: 177 prefix: header-prefix- 178 - header: 179 name: X-header 180 stringMatch: 181 suffix: -suffix-header 182 - header: 183 name: X-header 184 presentMatch: true 185 - orIds: 186 ids: 187 - remoteIp: 188 addressPrefix: 10.99.10.8 189 prefixLen: 32 190 - remoteIp: 191 addressPrefix: 10.80.64.0 192 prefixLen: 18 193 - andIds: 194 ids: 195 - orIds: 196 ids: 197 - authenticated: 198 principalName: 199 exact: spiffe://rule[0]-from[1]-principal[1] 200 - authenticated: 201 principalName: 202 exact: spiffe://rule[0]-from[1]-principal[2] 203 - orIds: 204 ids: 205 - andIds: 206 ids: 207 - metadata: 208 filter: envoy.filters.http.jwt_authn 209 path: 210 - key: payload 211 - key: iss 212 value: 213 stringMatch: 214 exact: rule[0]-from[1]-requestPrincipal[1] 215 - metadata: 216 filter: envoy.filters.http.jwt_authn 217 path: 218 - key: payload 219 - key: sub 220 value: 221 stringMatch: 222 exact: "" 223 - andIds: 224 ids: 225 - metadata: 226 filter: envoy.filters.http.jwt_authn 227 path: 228 - key: payload 229 - key: iss 230 value: 231 stringMatch: 232 exact: rule[0]-from[1]-requestPrincipal[2] 233 - metadata: 234 filter: envoy.filters.http.jwt_authn 235 path: 236 - key: payload 237 - key: sub 238 value: 239 stringMatch: 240 exact: "" 241 - orIds: 242 ids: 243 - authenticated: 244 principalName: 245 safeRegex: 246 regex: .*/ns/rule[0]-from[1]-ns[1]/.* 247 - authenticated: 248 principalName: 249 safeRegex: 250 regex: .*/ns/rule[0]-from[1]-ns[2]/.* 251 - orIds: 252 ids: 253 - remoteIp: 254 addressPrefix: 172.17.8.0 255 prefixLen: 24 256 - remoteIp: 257 addressPrefix: 172.17.9.4 258 prefixLen: 32 259 - orIds: 260 ids: 261 - directRemoteIp: 262 addressPrefix: 10.0.1.1 263 prefixLen: 32 264 - directRemoteIp: 265 addressPrefix: 192.0.1.2 266 prefixLen: 32 267 - orIds: 268 ids: 269 - header: 270 name: X-header 271 stringMatch: 272 exact: header 273 - header: 274 name: X-header 275 stringMatch: 276 prefix: header-prefix- 277 - header: 278 name: X-header 279 stringMatch: 280 suffix: -suffix-header 281 - header: 282 name: X-header 283 presentMatch: true 284 - orIds: 285 ids: 286 - remoteIp: 287 addressPrefix: 10.99.10.8 288 prefixLen: 32 289 - remoteIp: 290 addressPrefix: 10.80.64.0 291 prefixLen: 18 292 ns[foo]-policy[httpbin]-rule[1]: 293 permissions: 294 - andRules: 295 rules: 296 - orRules: 297 rules: 298 - header: 299 name: :authority 300 stringMatch: 301 exact: rule[1]-to[0]-host[1] 302 ignoreCase: true 303 - header: 304 name: :authority 305 stringMatch: 306 exact: rule[1]-to[0]-host[2] 307 ignoreCase: true 308 - orRules: 309 rules: 310 - header: 311 name: :method 312 stringMatch: 313 exact: rule[1]-to[0]-method[1] 314 - header: 315 name: :method 316 stringMatch: 317 exact: rule[1]-to[0]-method[2] 318 - orRules: 319 rules: 320 - urlPath: 321 path: 322 exact: rule[1]-to[0]-path[1] 323 - urlPath: 324 path: 325 exact: rule[1]-to[0]-path[2] 326 - orRules: 327 rules: 328 - destinationPort: 9101 329 - destinationPort: 9102 330 - andRules: 331 rules: 332 - orRules: 333 rules: 334 - header: 335 name: :authority 336 stringMatch: 337 exact: rule[1]-to[1]-host[1] 338 ignoreCase: true 339 - header: 340 name: :authority 341 stringMatch: 342 exact: rule[1]-to[1]-host[2] 343 ignoreCase: true 344 - orRules: 345 rules: 346 - header: 347 name: :method 348 stringMatch: 349 exact: rule[1]-to[1]-method[1] 350 - header: 351 name: :method 352 stringMatch: 353 exact: rule[1]-to[1]-method[2] 354 - orRules: 355 rules: 356 - urlPath: 357 path: 358 exact: rule[1]-to[1]-path[1] 359 - urlPath: 360 path: 361 exact: rule[1]-to[1]-path[2] 362 - orRules: 363 rules: 364 - destinationPort: 9111 365 - destinationPort: 9112 366 principals: 367 - andIds: 368 ids: 369 - orIds: 370 ids: 371 - authenticated: 372 principalName: 373 exact: spiffe://rule[1]-from[0]-principal[1] 374 - authenticated: 375 principalName: 376 exact: spiffe://rule[1]-from[0]-principal[2] 377 - orIds: 378 ids: 379 - andIds: 380 ids: 381 - metadata: 382 filter: envoy.filters.http.jwt_authn 383 path: 384 - key: payload 385 - key: iss 386 value: 387 stringMatch: 388 exact: rule[1]-from[0]-requestPrincipal[1] 389 - metadata: 390 filter: envoy.filters.http.jwt_authn 391 path: 392 - key: payload 393 - key: sub 394 value: 395 stringMatch: 396 exact: "" 397 - andIds: 398 ids: 399 - metadata: 400 filter: envoy.filters.http.jwt_authn 401 path: 402 - key: payload 403 - key: iss 404 value: 405 stringMatch: 406 exact: rule[1]-from[0]-requestPrincipal[2] 407 - metadata: 408 filter: envoy.filters.http.jwt_authn 409 path: 410 - key: payload 411 - key: sub 412 value: 413 stringMatch: 414 exact: "" 415 - orIds: 416 ids: 417 - authenticated: 418 principalName: 419 safeRegex: 420 regex: .*/ns/rule[1]-from[0]-ns[1]/.* 421 - authenticated: 422 principalName: 423 safeRegex: 424 regex: .*/ns/rule[1]-from[0]-ns[2]/.* 425 - orIds: 426 ids: 427 - remoteIp: 428 addressPrefix: 172.22.2.0 429 prefixLen: 23 430 - remoteIp: 431 addressPrefix: 172.21.234.254 432 prefixLen: 32 433 - orIds: 434 ids: 435 - directRemoteIp: 436 addressPrefix: 10.1.0.1 437 prefixLen: 32 438 - directRemoteIp: 439 addressPrefix: 10.1.0.2 440 prefixLen: 32 441 - andIds: 442 ids: 443 - orIds: 444 ids: 445 - authenticated: 446 principalName: 447 exact: spiffe://rule[1]-from[1]-principal[1] 448 - authenticated: 449 principalName: 450 exact: spiffe://rule[1]-from[1]-principal[2] 451 - orIds: 452 ids: 453 - andIds: 454 ids: 455 - metadata: 456 filter: envoy.filters.http.jwt_authn 457 path: 458 - key: payload 459 - key: iss 460 value: 461 stringMatch: 462 exact: rule[1]-from[1]-requestPrincipal[1] 463 - metadata: 464 filter: envoy.filters.http.jwt_authn 465 path: 466 - key: payload 467 - key: sub 468 value: 469 stringMatch: 470 exact: "" 471 - andIds: 472 ids: 473 - metadata: 474 filter: envoy.filters.http.jwt_authn 475 path: 476 - key: payload 477 - key: iss 478 value: 479 stringMatch: 480 exact: rule[1]-from[1]-requestPrincipal[2] 481 - metadata: 482 filter: envoy.filters.http.jwt_authn 483 path: 484 - key: payload 485 - key: sub 486 value: 487 stringMatch: 488 exact: "" 489 - orIds: 490 ids: 491 - authenticated: 492 principalName: 493 safeRegex: 494 regex: .*/ns/rule[1]-from[1]-ns[1]/.* 495 - authenticated: 496 principalName: 497 safeRegex: 498 regex: .*/ns/rule[1]-from[1]-ns[2]/.* 499 - orIds: 500 ids: 501 - remoteIp: 502 addressPrefix: 192.168.4.0 503 prefixLen: 24 504 - remoteIp: 505 addressPrefix: 192.168.7.8 506 prefixLen: 32 507 - orIds: 508 ids: 509 - directRemoteIp: 510 addressPrefix: 10.1.1.1 511 prefixLen: 32 512 - directRemoteIp: 513 addressPrefix: 192.1.1.2 514 prefixLen: 32 515 shadowRulesStatPrefix: istio_dry_run_allow_