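# Builder test input: a DENY AuthorizationPolicy whose rules deliberately mix
# HTTP-only fields (requestPrincipals, methods, request.headers[...]) with
# fields that also apply to plain TCP (namespaces, ports, destination.port).
# Each rule is labelled with the field classes it uses so the generated
# filter config can be cross-checked rule by rule; `rule[N]` is the index
# in `spec.rules`. Field classes are as labelled in the per-rule comments.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-deny
  namespace: foo
spec:
  action: DENY
  rules:
    # rule[0] `from`: HTTP field, `to`: HTTP field.
    - from:
        - source:
            requestPrincipals: ["id-1"]
      to:
        - operation:
            methods: ["GET"]
    # rule[1] `from`: nil, `to`: HTTP field.
    - to:
        - operation:
            methods: ["GET"]
    # rule[2] `from`: HTTP field, `to`: nil.
    - from:
        - source:
            requestPrincipals: ["id-1"]
    # rule[3] `from`: TCP field, `to`: HTTP field.
    - from:
        - source:
            namespaces: ["ns-1"]
      to:
        - operation:
            methods: ["GET"]
    # rule[4] `from`: HTTP field, `to`: TCP field.
    - from:
        - source:
            requestPrincipals: ["id-1"]
      to:
        - operation:
            ports: ["80"]
    # rule[5] `from`: HTTP field, `to`: HTTP + TCP field.
    - from:
        - source:
            requestPrincipals: ["id-1"]
      to:
        - operation:
            ports: ["8080"]
            methods: ["GET"]
    # rule[6] `from`: HTTP + TCP field (namespaces is TCP, requestPrincipals
    # is HTTP), `to`: HTTP + TCP field.
    - from:
        - source:
            namespaces: ["ns-2"]
            requestPrincipals: ["id-1"]
      to:
        - operation:
            ports: ["8080"]
            methods: ["GET"]
    # rule[7] `from`: TCP field, `to`: TCP field.
    - from:
        - source:
            namespaces: ["ns-1"]
      to:
        - operation:
            ports: ["80"]
    # rule[8] `from`: nil, `to`: nil, `when`: HTTP field.
    - when:
        - key: "request.headers[:method]"
          values: ["GET"]
    # rule[9] `from`: nil, `to`: nil, `when`: TCP field.
    - when:
        - key: "destination.port"
          values: ["80"]
    # rule[10] `from`: all fields, `to`: all fields, `when`: all fields.
    # Every positive field has its `not*` counterpart so both the allow-side
    # and the negated-side matchers of the builder are exercised; the
    # wildcard variants (exact, prefix, suffix, "*") cover each match mode.
    - from:
        - source:
            principals: ["principal", "*principal-suffix", "principal-prefix*", "*"]
            requestPrincipals: ["requestPrincipals"]
            namespaces: ["ns", "*ns-suffix", "ns-prefix*", "*"]
            ipBlocks: ["1.2.3.4"]
            remoteIpBlocks: ["172.18.4.0/22"]
            notPrincipals: ["not-principal", "*not-principal-suffix", "not-principal-prefix*", "*"]
            notRequestPrincipals: ["not-requestPrincipals"]
            notNamespaces: ["not-ns", "*not-ns-suffix", "not-ns-prefix*", "*"]
            notIpBlocks: ["9.0.0.1"]
            notRemoteIpBlocks: ["192.168.244.139"]
      to:
        - operation:
            methods: ["method"]
            hosts: ["exact.com"]
            ports: ["80"]
            paths: ["/exact"]
            notMethods: ["not-method"]
            notHosts: ["not-exact.com"]
            notPorts: ["8000"]
            notPaths: ["/not-exact"]
      when:
        - key: "request.headers[X-header]"
          values: ["header"]
          notValues: ["not-header"]
        - key: "source.ip"
          values: ["10.10.10.10"]
          notValues: ["90.10.10.10"]
        - key: "remote.ip"
          values: ["192.168.3.3"]
          notValues: ["172.19.31.3"]
        - key: "source.namespace"
          values: ["ns", "*ns-suffix", "ns-prefix*", "*"]
          notValues: ["not-ns", "*not-ns-suffix", "not-ns-prefix*", "*"]
        - key: "source.principal"
          values: ["principal", "*principal-suffix", "principal-prefix*", "*"]
          notValues: ["not-principal", "*not-principal-suffix", "not-principal-prefix*", "*"]
        - key: "request.auth.principal"
          values: ["requestPrincipals"]
          notValues: ["not-requestPrincipals"]
        - key: "request.auth.audiences"
          values: ["audiences"]
          notValues: ["not-audiences"]
        - key: "request.auth.presenter"
          values: ["presenter"]
          notValues: ["not-presenter"]
        - key: "request.auth.claims[iss]"
          values: ["iss"]
          notValues: ["not-iss"]
        - key: "destination.ip"
          values: ["10.10.10.10"]
          notValues: ["90.10.10.10"]
        - key: "destination.port"
          values: ["91"]
          notValues: ["9001"]
        - key: "connection.sni"
          values: ["exact.com"]
          notValues: ["not-exact.com"]
        - key: "experimental.envoy.filters.a.b[c]"
          values: ["exact"]
          notValues: ["not-exact"]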