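# istio.io/istio@v0.0.0-20240520182934-d79c90f27776
# pilot/pkg/security/authz/builder/testdata/tcp/deny-both-http-tcp-out.yaml
#
# Envoy network (L4) RBAC filter configuration with action DENY. The policy
# keys show it was generated from AuthorizationPolicy "httpbin-deny" in
# namespace "foo", one Envoy policy per source rule (rule[0] .. rule[10]).
# NOTE(review): presumably the expected ("golden") output of the authz builder
# for an input policy that mixes HTTP and TCP attributes; the input is not part
# of this file, so confirm against the matching -in.yaml.
#
# How Envoy evaluates this: with action DENY a connection is rejected as soon
# as ANY policy in the map matches. A policy matches when one of its
# permissions AND one of its principals match.
name: envoy.filters.network.rbac
typedConfig:
  '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
  rules:
    action: DENY
    policies:
      # rule[0], rule[1], rule[2] and rule[8] match any permission and any
      # principal. Under DENY each of them alone rejects every connection that
      # reaches this filter, which makes the narrower rules below unreachable
      # at runtime.
      # NOTE(review): presumably the source rules held only HTTP attributes,
      # which a network filter cannot evaluate, and the generator widened the
      # DENY rule instead of dropping it (fail closed) - confirm with the input.
      ns[foo]-policy[httpbin-deny]-rule[0]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - any: true
      ns[foo]-policy[httpbin-deny]-rule[1]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - any: true
      ns[foo]-policy[httpbin-deny]-rule[2]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - any: true
      # Any destination, but only peers whose authenticated (mTLS) identity
      # carries namespace ns-1. The leading ".*" leaves the trust domain open.
      ns[foo]-policy[httpbin-deny]-rule[3]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-1/.*
      # Port-scoped rules: any peer connecting to the listed destination port.
      ns[foo]-policy[httpbin-deny]-rule[4]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - destinationPort: 80
        principals:
        - andIds:
            ids:
            - any: true
      ns[foo]-policy[httpbin-deny]-rule[5]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - destinationPort: 8080
        principals:
        - andIds:
            ids:
            - any: true
      # Port plus namespace: both the destination port and the peer namespace
      # must match.
      ns[foo]-policy[httpbin-deny]-rule[6]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - destinationPort: 8080
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-2/.*
      ns[foo]-policy[httpbin-deny]-rule[7]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - destinationPort: 80
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-1/.*
      ns[foo]-policy[httpbin-deny]-rule[8]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - any: true
      ns[foo]-policy[httpbin-deny]-rule[9]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - destinationPort: 80
        principals:
        - andIds:
            ids:
            - any: true
      # rule[10] exercises every attribute a network filter can evaluate.
      # Reading guide: all entries under andRules / andIds must match; inside
      # an orRules / orIds group one listed value is enough; notRule / notId
      # invert the group they wrap.
      ns[foo]-policy[httpbin-deny]-rule[10]:
        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - destinationPort: 80
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 8000
            - orRules:
                rules:
                - destinationIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
            - notRule:
                orRules:
                  rules:
                  - destinationIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
            - orRules:
                rules:
                - destinationPort: 91
            - notRule:
                orRules:
                  rules:
                  - destinationPort: 9001
            # SNI requested by the client in the TLS handshake.
            - orRules:
                rules:
                - requestedServerName:
                    exact: exact.com
            - notRule:
                orRules:
                  rules:
                  - requestedServerName:
                      exact: not-exact.com
            # Dynamic metadata written by another filter (envoy.filters.a.b),
            # looked up under key "c".
            - orRules:
                rules:
                - metadata:
                    filter: envoy.filters.a.b
                    path:
                    - key: c
                    value:
                      stringMatch:
                        exact: exact
            - notRule:
                orRules:
                  rules:
                  - metadata:
                      filter: envoy.filters.a.b
                      path:
                      - key: c
                      value:
                        stringMatch:
                          exact: not-exact
        principals:
        - andIds:
            ids:
            # Peer identity matched as exact value, suffix, prefix and
            # presence. The ".+" entry matches any non-empty authenticated
            # principal, so this orIds group accepts every mTLS peer.
            # NOTE(review): presumably ".+" is generated from a "*" wildcard in
            # the input policy - confirm.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*principal-suffix
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .+
            # The negated group also contains ".+", so it only holds for peers
            # with no authenticated principal. ANDed with the group above, that
            # looks unsatisfiable - fine for a generation test, but not a
            # pattern to copy into a real policy.
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*not-principal-suffix
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .+
            # Namespace matching against the "/ns/<namespace>/" segment of the
            # peer identity: exact, suffix, prefix and any namespace.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*ns-suffix/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-prefix.*/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*not-ns-suffix/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns-prefix.*/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*/.*
            # remoteIp may be an address inferred from upstream information
            # (for example PROXY protocol) and is only as trustworthy as the
            # hop that supplied it; directRemoteIp is always the physical peer
            # of the connection.
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 172.18.4.0
                    prefixLen: 22
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 192.168.244.139
                      prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 1.2.3.4
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 9.0.0.1
                      prefixLen: 32
            - orIds:
                ids:
                - directRemoteIp:
                    addressPrefix: 10.10.10.10
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - directRemoteIp:
                      addressPrefix: 90.10.10.10
                      prefixLen: 32
            - orIds:
                ids:
                - remoteIp:
                    addressPrefix: 192.168.3.3
                    prefixLen: 32
            - notId:
                orIds:
                  ids:
                  - remoteIp:
                      addressPrefix: 172.19.31.3
                      prefixLen: 32
            # The namespace and principal groups appear a second time below.
            # NOTE(review): presumably one set comes from the source section
            # and the other from conditions of the input policy - confirm.
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*ns-suffix/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/ns-prefix.*/.*
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .*/ns/.*/.*
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*not-ns-suffix/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/not-ns-prefix.*/.*
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .*/ns/.*/.*
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*principal-suffix
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: .+
            - notId:
                orIds:
                  ids:
                  - authenticated:
                      principalName:
                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*not-principal-suffix
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: .+
  # No shadowRules block is present, so this filter carries no dry-run policy;
  # only the enforced DENY rules above are evaluated.
  # NOTE(review): the prefix says "allow" although the action is DENY -
  # presumably the builder's default when there are no shadow rules; confirm.
  shadowRulesStatPrefix: istio_dry_run_allow_
  statPrefix: tcp.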