# Source: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/security/authz/builder/testdata/http/single-policy-out.yaml
#
# Envoy HTTP RBAC filter config kept under the authz builder's testdata;
# presumably the expected ("-out") translation of a single AuthorizationPolicy
# -- confirm against the test that loads it. The string match values appear to
# be synthetic placeholders named after their position in the input.
#
# Reading guide (Envoy RBAC semantics): a policy matches when any entry of
# `permissions` and any entry of `principals` match. Inside an entry,
# andRules/andIds require every child to match; orRules/orIds require one.
name: envoy.filters.http.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    policies:
      ns[foo]-policy[httpbin]-rule[0]:
        permissions:
        # rule[0] / to[0]: host AND method AND path AND port AND destination IP.
        - andRules:
            rules:
            - orRules:
                rules:
                # Host match on :authority is case-insensitive (ignoreCase);
                # the :method and urlPath matchers below set no ignoreCase.
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[0]-to[0]-host[1]
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[0]-to[0]-host[2]
                      ignoreCase: true
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[0]-method[1]
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[0]-method[2]
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: rule[0]-to[0]-path[1]
                - urlPath:
                    path:
                      exact: rule[0]-to[0]-path[2]
            - orRules:
                rules:
                - destinationPort: 9001
                - destinationPort: 9002
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - destinationIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
        # rule[0] / to[1]: same shape as to[0]; ports differ, destination IPs repeat.
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[0]-to[1]-host[1]
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[0]-to[1]-host[2]
                      ignoreCase: true
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[1]-method[1]
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[0]-to[1]-method[2]
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: rule[0]-to[1]-path[1]
                - urlPath:
                    path:
                      exact: rule[0]-to[1]-path[2]
            - orRules:
                rules:
                - destinationPort: 9011
                - destinationPort: 9012
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
                - destinationIp:
                    addressPrefix: 192.168.10.0
                    prefixLen: 24
        principals:
        # rule[0] / from[0]: every or-group below must match for this entry.
        - andIds:
            ids:
            # Peer identity: exact match on the authenticated principal name.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[0]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[0]-principal[2]
            # Request identity: read from the istio_authn filter metadata key
            # request.auth.principal.
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[0]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[0]-requestPrincipal[2]
            # Namespace match: a regex over the authenticated principal name.
            # NOTE(review): the namespace text appears to sit in the pattern
            # verbatim, so "[0]" here reads as a character class, not a literal;
            # check whether the builder escapes regex metacharacters in
            # namespace values.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[0]-from[0]-ns[1]/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[0]-from[0]-ns[2]/.*
            # NOTE(review): per Envoy's RBAC API, remoteIp may be derived from
            # x-forwarded-for or proxy protocol, while directRemoteIp is the
            # immediate peer address; a remoteIp match is only as strong as the
            # trusted-hop configuration in front of this proxy -- confirm.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 172.16.10.10
                    prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.0.0.1
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 10.0.0.2
                    prefixLen: 32
            # presentMatch: true shares this or-group with the exact, prefix and
            # suffix matchers, so any request carrying X-header satisfies it.
            - orIds:
                ids:
                - header:
                    name: X-header
                    stringMatch:
                      exact: header
                - header:
                    name: X-header
                    stringMatch:
                      prefix: header-prefix-
                - header:
                    name: X-header
                    stringMatch:
                      suffix: -suffix-header
                - header:
                    name: X-header
                    presentMatch: true
            # Second remoteIp or-group inside the same andIds as 172.16.10.10/32
            # above. The ranges are disjoint, so one remote address cannot
            # satisfy both; as written this entry would not match live traffic,
            # which is harmless for a translation fixture.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 10.99.10.8
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 10.80.64.0
                    prefixLen: 18
        # rule[0] / from[1]: same shape as from[0]; the two remoteIp or-groups
        # (172.17.x and 10.x) are again disjoint.
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[1]-principal[2]
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[1]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[1]-requestPrincipal[2]
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[0]-from[1]-ns[1]/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[0]-from[1]-ns[2]/.*
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 172.17.8.0
                    prefixLen: 24
                - remoteIp:
                    addressPrefix: 172.17.9.4
                    prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.0.1.1
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 192.0.1.2
                    prefixLen: 32
            - orIds:
                ids:
                - header:
                    name: X-header
                    stringMatch:
                      exact: header
                - header:
                    name: X-header
                    stringMatch:
                      prefix: header-prefix-
                - header:
                    name: X-header
                    stringMatch:
                      suffix: -suffix-header
                - header:
                    name: X-header
                    presentMatch: true
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 10.99.10.8
                    prefixLen: 32
                - remoteIp:
                    addressPrefix: 10.80.64.0
                    prefixLen: 18
      # rule[1] carries host, method, path and port permissions only, and its
      # principals have no X-header or second remoteIp or-group.
      ns[foo]-policy[httpbin]-rule[1]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[1]-to[0]-host[1]
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[1]-to[0]-host[2]
                      ignoreCase: true
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[0]-method[1]
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[0]-method[2]
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: rule[1]-to[0]-path[1]
                - urlPath:
                    path:
                      exact: rule[1]-to[0]-path[2]
            - orRules:
                rules:
                - destinationPort: 9101
                - destinationPort: 9102
        - andRules:
            rules:
            - orRules:
                rules:
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[1]-to[1]-host[1]
                      ignoreCase: true
                - header:
                    name: :authority
                    stringMatch:
                      exact: rule[1]-to[1]-host[2]
                      ignoreCase: true
            - orRules:
                rules:
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[1]-method[1]
                - header:
                    name: :method
                    stringMatch:
                      exact: rule[1]-to[1]-method[2]
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: rule[1]-to[1]-path[1]
                - urlPath:
                    path:
                      exact: rule[1]-to[1]-path[2]
            - orRules:
                rules:
                - destinationPort: 9111
                - destinationPort: 9112
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[1]-from[0]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[1]-from[0]-principal[2]
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[1]-from[0]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[1]-from[0]-requestPrincipal[2]
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[1]-from[0]-ns[1]/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[1]-from[0]-ns[2]/.*
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 172.22.2.0
                    prefixLen: 23
                - remoteIp:
                    addressPrefix: 172.21.234.254
                    prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.1.0.1
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 10.1.0.2
                    prefixLen: 32
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[1]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[1]-from[1]-principal[2]
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[1]-from[1]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[1]-from[1]-requestPrincipal[2]
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[1]-from[1]-ns[1]/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/rule[1]-from[1]-ns[2]/.*
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 192.168.4.0
                    prefixLen: 24
                - remoteIp:
                    addressPrefix: 192.168.7.8
                    prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.1.1.1
                    prefixLen: 32
                - directRemoteIp:
                    addressPrefix: 192.1.1.2
                    prefixLen: 32
  # Only the stat prefix for shadow (dry-run) rules is set; this file has no
  # shadowRules block and no explicit action key, so both policies sit under
  # the enforced `rules`. NOTE(review): the action is presumably the proto
  # default (ALLOW), consistent with "allow" in this prefix -- confirm.
  shadowRulesStatPrefix: istio_dry_run_allow_