# Test fixture for the AuthorizationPolicy analyzer
# (pkg/config/analysis/analyzers/testdata/authorizationpolicies.yaml).
#
# Every AuthorizationPolicy below is annotated with whether the analyzer is
# expected to flag it. The two conditions exercised are:
#   - spec.selector matches no workload (Pod/Deployment) in the policy's
#     namespace, so the policy silently enforces nothing;
#   - a source.namespaces / source.notNamespaces entry matches no existing
#     Namespace, which usually means a typo in a deny/allow list.
# The exact messages asserted against this file live in the analyzer's Go
# test, not here — NOTE(review): keep the comments and that test in sync.
#
# Supporting resources (Namespaces, Service, Deployment, Pods, ServiceEntry)
# exist only so that the "valid" policies have something to match.
apiVersion: v1
kind: Namespace
metadata:
  name: httpbin
  labels:
    istio-injection: "enabled"
spec: {}
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: httpbin
  labels:
    app: httpbin
spec:
  ports:
    - name: http
      port: 8000
      targetPort: 80
  selector:
    app: httpbin
---
# Workload with labels app=httpbin, version=v1 in namespace httpbin; the
# "valid" selector-based policies below rely on it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
        - image: docker.io/kennethreitz/httpbin
          imagePullPolicy: IfNotPresent
          name: httpbin
          ports:
            - containerPort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: istio
  namespace: httpbin
spec:
  hosts:
    - subsystem.istio.io
    - "*.kiali.io"  # quoted: a leading '*' would otherwise be read as an alias
  location: MESH_EXTERNAL
  ports:
    - number: 80
      name: http
      protocol: HTTP
  resolution: DNS
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin # Valid: selector matches the httpbin Deployment/Pod above
  namespace: httpbin
spec:
  selector: # There are workloads matching this selector
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/sleep"]
        - source:
            namespaces: ["httpbin"] # Namespace exists
      to:
        - operation:
            methods: ["GET"]
            paths: ["/info*"]
        - operation:
            methods: ["POST"]
            paths: ["/data"]
      when:
        - key: request.auth.claims[iss]
          values: ["https://accounts.google.com"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: meshwide-httpbin
  namespace: istio-system # valid: no selector in the root namespace applies to the whole mesh
spec:
  # NOTE(review): an empty spec has no rules; per Istio's documented
  # semantics an ALLOW policy with no rules matches nothing and so denies
  # all traffic to the workloads it applies to — here the whole mesh.
  # Confirm that is the intended fixture state (it is "valid" only in the
  # sense that the analyzer should not flag it).
  {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: meshwide-httpbin-v1
  namespace: istio-system # invalid: no pod anywhere in the mesh carries version=bogus-version
spec:
  selector:
    matchLabels:
      version: bogus-version
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-empty-namespace-wide # Invalid: no selector, and no pods run in namespace httpbin-empty
  namespace: httpbin-empty
spec:
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/sleep"]
        - source:
            namespaces: ["httpbin"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/info*"]
        - operation:
            methods: ["POST"]
            paths: ["/data"]
      when:
        - key: request.auth.claims[iss]
          values: ["https://accounts.google.com"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-namespace-wide # valid: no selector, and at least one pod runs in namespace httpbin
  namespace: httpbin
spec:
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/sleep"]
        - source:
            namespaces: ["httpbin"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/info*"]
        - operation:
            methods: ["POST"]
            paths: ["/data"]
      when:
        - key: request.auth.claims[iss]
          values: ["https://accounts.google.com"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-nopods # Invalid: there are no workloads matching this selector
  namespace: httpbin
spec:
  selector:
    matchLabels:
      app: bogus-label # Bogus label. No matching workloads
      version: v1
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/sleep"]
        - source:
            namespaces: ["httpbin"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/info*"]
        - operation:
            methods: ["POST"]
            paths: ["/data"]
      when:
        - key: request.auth.claims[iss]
          values: ["https://accounts.google.com"]
---
# Namespaces matched by the "prod-*" and "*-test" patterns used below.
apiVersion: v1
kind: Namespace
metadata:
  name: prod-httpbin
  labels:
    istio-injection: "enabled"
spec: {}
---
apiVersion: v1
kind: Namespace
metadata:
  name: httpbin-test
  labels:
    istio-injection: "enabled"
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-bogus-not-ns # Invalid: two entries in source.notNamespaces match no existing namespace
  namespace: httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/sleep"]
        - source:
            # Patterns that match nothing are a sign of a typo in an
            # exclusion list, which is why the analyzer reports them.
            notNamespaces:
              - "prod-*"
              - "*-test"
              - "*-bogus" # No namespace matching
              - "bogus-*" # No namespace matching
              - "*"
              - "httpbin"
      to:
        - operation:
            methods: ["GET"]
            paths: ["/info*"]
        - operation:
            methods: ["POST"]
            paths: ["/data"]
      when:
        - key: request.auth.claims[iss]
          values: ["https://accounts.google.com"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-bogus-ns # Invalid: source.namespaces has entries that match no existing namespace
  namespace: httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/sleep"]
        - source:
            namespaces:
              - "prod-*"
              - "*-test"
              - "*-bogus" # No namespace matching
              - "bogus-*" # No namespace matching
              - "*"
              - "httpbin"
      to:
        - operation:
            methods: ["GET"]
            paths: ["/info*"]
        - operation:
            methods: ["POST"]
            paths: ["/data"]
      when:
        - key: request.auth.claims[iss]
          values: ["https://accounts.google.com"]
---
# Running pod in namespace httpbin matching app=httpbin, version=v1.
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: httpbin
    version: v1
  name: httpbin-55bf89f8c9-wzfrh
  namespace: httpbin
spec:
  containers:
    - image: gcr.io/google-samples/microservices-demo/adservice:v0.1.1
      name: server
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: no-workload # Invalid: no pod in test-ambient has app=httpbin (the only pod there is app=sleep)
  namespace: test-ambient
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: [ "cluster.local/ns/default/sa/sleep" ]
        - source:
            namespaces: [ "httpbin" ] # Namespace exists
      to:
        - operation:
            methods: [ "GET" ]
            paths: [ "/info*" ]
        - operation:
            methods: [ "POST" ]
            paths: [ "/data" ]
      when:
        - key: request.auth.claims[iss]
          values: [ "https://accounts.google.com" ]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-policy # valid: matches the ambient-mode sleep pod below (app=sleep, version=v1)
  namespace: test-ambient
spec:
  selector:
    matchLabels:
      app: sleep
      version: v1
  rules:
    - from:
        - source:
            principals: [ "cluster.local/ns/default/sa/sleep" ]
        - source:
            namespaces: [ "httpbin" ] # Namespace exists
      to:
        - operation:
            methods: [ "GET" ]
            paths: [ "/info*" ]
        - operation:
            methods: [ "POST" ]
            paths: [ "/data" ]
      when:
        - key: request.auth.claims[iss]
          values: [ "https://accounts.google.com" ]
---
# Pod enrolled in ambient mode via annotation (no sidecar); it is the
# workload that valid-policy above selects.
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    version: v1
  annotations:
    ambient.istio.io/redirection: enabled
  name: sleep-55bf89f8c9-wzfrh
  namespace: test-ambient
spec:
  containers:
    - image: gcr.io/google-samples/microservices-demo/adservice:v0.1.1
      name: server