# Test fixture (input side) for the ambient AuthorizationPolicy converter.
# It enumerates every `from`, `to` and `when` field the AuthorizationPolicy
# API exposes, each with an exact value, a prefix wildcard, a suffix wildcard
# and the match-all "*", paired with the corresponding negated (`not*`) list.
# Presumably consumed together with a matching `*-out.yaml` expected-output
# fixture — verify against the test that loads this directory.
#
# NOTE(review): this is a coverage matrix, not a deployable policy. Each
# `- from` / `- to` / `- when` item is a separate entry under `rules`, and
# every positive list carries "*" while its negated twin also carries "*",
# so the resulting policy is deliberately self-contradictory. Do not copy it
# into a cluster as an ALLOW policy.
#
# NOTE(review): only some of these fields are L4 attributes that ztunnel can
# enforce (principals, namespaces, ipBlocks/remoteIpBlocks, ports,
# destination.*, connection.sni). The L7 ones (methods, hosts, paths,
# request.headers, request.auth.*) presumably need a waypoint; the expected
# output should show how the converter treats them — confirm there.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow
spec:
  action: ALLOW
  rules:
  # --- source (from) attributes -------------------------------------------
  # Workload identity (SPIFFE principal from the peer certificate).
  - from:
    - source:
        principals: [ "principal", "principal-prefix-*", "*-suffix-principal", "*" ]
        notPrincipals: [ "not-principal", "not-principal-prefix-*", "*-suffix-not-principal", "*" ]
  # Request identity (JWT-derived); an L7 attribute.
  - from:
    - source:
        requestPrincipals: [ "requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*" ]
        notRequestPrincipals: [ "not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-suffix-not-requestPrincipals", "*" ]
  - from:
    - source:
        namespaces: [ "ns", "ns-prefix-*", "*-ns-suffix", "*" ]
        notNamespaces: [ "not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*" ]
  # ipBlocks vs remoteIpBlocks use identical values so the converter's
  # handling of the two can be compared side by side in the expected output.
  # NOTE(review): in the API these differ in which address is matched
  # (immediate peer vs. original client behind a proxy) — confirm the ambient
  # converter preserves that distinction rather than collapsing them.
  - from:
    - source:
        ipBlocks: [ "1.2.3.4", "5.6.0.0/16" ]
        notIpBlocks: [ "2.2.3.4", "6.6.0.0/16" ]
  - from:
    - source:
        remoteIpBlocks: [ "1.2.3.4", "5.6.0.0/16" ]
        notRemoteIpBlocks: [ "2.2.3.4", "6.6.0.0/16" ]
  # --- destination (to) attributes ----------------------------------------
  - to:
    - operation:
        methods: ["method", "method-prefix-*", "*-suffix-method", "*"]
        notMethods: ["not-method", "not-method-prefix-*", "*-suffix-not-method", "*"]
  # Hosts use domain-shaped wildcards ("*.suffix.com", "prefix.*") rather than
  # the dash-shaped ones above, to exercise host-specific matching.
  - to:
    - operation:
        hosts: ["exact.com", "*.suffix.com", "prefix.*", "*"]
        notHosts: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"]
  # Ports are strings in the API; keep them quoted.
  - to:
    - operation:
        ports: ["80", "90"]
        notPorts: ["800", "900"]
  - to:
    - operation:
        paths: ["/exact", "/prefix/*", "*/suffix", "*"]
        notPaths: ["/not-exact", "/not-prefix/*", "*/not-suffix", "*"]
  # --- condition (when) attributes ----------------------------------------
  # One condition per rule; keys mirror the source/destination fields above
  # plus the JWT, SNI and experimental Envoy-filter keys.
  - when:
    - key: "request.headers[X-header]"
      values: ["header", "header-prefix-*", "*-suffix-header", "*"]
      notValues: ["not-header", "not-header-prefix-*", "*-not-suffix-header", "*"]
  - when:
    - key: "source.ip"
      values: ["10.10.10.10", "192.168.10.0/24"]
      notValues: ["90.10.10.10", "90.168.10.0/24"]
  - when:
    - key: "remote.ip"
      values: ["10.10.10.10", "192.168.10.0/24"]
      notValues: ["90.10.10.10", "90.168.10.0/24"]
  - when:
    - key: "source.namespace"
      values: ["ns", "ns-prefix-*", "*-ns-suffix", "*"]
      notValues: ["not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*"]
  - when:
    - key: "source.principal"
      values: ["principal", "principal-prefix-*", "*-suffix-principal", "*"]
      notValues: ["not-principal", "not-principal-prefix-*", "*-not-suffix-principal", "*"]
  - when:
    - key: "request.auth.principal"
      values: ["requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*"]
      notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
  - when:
    - key: "request.auth.audiences"
      values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]
      notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"]
  - when:
    - key: "request.auth.presenter"
      values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"]
      notValues: ["not-presenter", "not-presenter-prefix-*", "*-not-suffix-presenter", "*"]
  - when:
    - key: "request.auth.claims[iss]"
      values: ["iss", "iss-prefix-*", "*-suffix-iss", "*"]
      notValues: ["not-iss", "not-iss-prefix-*", "*-not-suffix-iss", "*"]
  # Nested claim lookup: two bracketed segments.
  - when:
    - key: "request.auth.claims[nested1][nested2]"
      values: ["nested", "nested-prefix-*", "*-suffix-nested", "*"]
      notValues: ["not-nested", "not-nested-prefix-*", "*-not-suffix-nested", "*"]
  - when:
    - key: "destination.ip"
      values: ["10.10.10.10", "192.168.10.0/24"]
      notValues: ["90.10.10.10", "90.168.10.0/24"]
  # Different port numbers from `to.operation.ports` above so the two
  # code paths can be told apart in the expected output.
  - when:
    - key: "destination.port"
      values: ["91", "92"]
      notValues: ["9001", "9002"]
  - when:
    - key: "connection.sni"
      values: ["exact.com", "*.suffix.com", "prefix.*", "*"]
      notValues: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"]
  # Experimental Envoy filter metadata key; not a stable API surface.
  - when:
    - key: "experimental.envoy.filters.a.b[c]"
      values: ["exact", "prefix-*", "*-suffix", "*"]
      notValues: ["not-exact", "not-prefix-*", "*-not-suffix", "*"]