
     1  apiVersion: security.istio.io/v1beta1
     2  kind: AuthorizationPolicy
     3  metadata:
     4    name: {{ .To.ServiceName }}-request-headers
     5  spec:
     6    selector:
     7      matchLabels:
     8        app: "{{ .To.ServiceName }}"
     9    rules:
    10    - to:
    11      - operation:
    12          paths: [ "/request-headers" ]
    13      when:
    14      - key: request.headers[x-foo]
    15        values: [ "foo" ]
    16    - to:
    17        - operation:
    18            paths: [ "/request-headers-notValues" ]
    19      when:
    20        - key: request.headers[x-foo]
    21          notValues: [ "bar" ]
    22  ---
    23  
    24  apiVersion: security.istio.io/v1beta1
    25  kind: AuthorizationPolicy
    26  metadata:
    27    name: {{ .To.ServiceName }}-source-ip
    28  spec:
    29    selector:
    30      matchLabels:
    31        app: "{{ .To.ServiceName }}"
    32    rules:
    33    - to:
    34      - operation:
    35          paths: [ "/source-ip" ]
    36      when:
    37      - key: source.ip
    38        values: {{ .Allowed.MustWorkloads.Addresses | toJson }}
    39    - to:
    40        - operation:
    41            paths: [ "/source-ip-notValues" ]
    42      when:
    43        - key: source.ip
    44          notValues: {{ .Denied.MustWorkloads.Addresses | toJson }}
    45  ---
    46  
    47  apiVersion: security.istio.io/v1beta1
    48  kind: AuthorizationPolicy
    49  metadata:
    50    name: {{ .To.ServiceName }}-source-namespace
    51  spec:
    52    selector:
    53      matchLabels:
    54        app: "{{ .To.ServiceName }}"
    55    rules:
    56    - to:
    57      - operation:
    58          paths: [ "/source-namespace" ]
    59      when:
    60      - key: source.namespace
    61        values: [ "{{ .Allowed.NamespaceName }}" ]
    62    - to:
    63        - operation:
    64            paths: [ "/source-namespace-notValues" ]
    65      when:
    66        - key: source.namespace
    67          notValues: [ "{{ .Denied.NamespaceName }}" ]
    68  ---
    69  
    70  apiVersion: security.istio.io/v1beta1
    71  kind: AuthorizationPolicy
    72  metadata:
    73    name: {{ .To.ServiceName }}-source-principal
    74  spec:
    75    selector:
    76      matchLabels:
    77        app: "{{ .To.ServiceName }}"
    78    rules:
    79    - to:
    80      - operation:
    81          paths: [ "/source-principal" ]
    82      when:
    83      - key: source.principal
    84        values: [ "{{ .Allowed.ServiceAccountName }}" ]
    85    - to:
    86        - operation:
    87            paths: [ "/source-principal-notValues" ]
    88      when:
    89        - key: source.principal
    90          notValues: [ "{{ .Denied.ServiceAccountName }}" ]
    91  ---
    92  
    93  apiVersion: security.istio.io/v1beta1
    94  kind: AuthorizationPolicy
    95  metadata:
    96    name: {{ .To.ServiceName }}-destination-ip
    97  spec:
    98    selector:
    99      matchLabels:
   100        app: "{{ .To.ServiceName }}"
   101    rules:
   102    - to:
   103      - operation:
   104          paths: [ "/destination-ip-good" ]
   105      when:
   106      - key: destination.ip
   107        values: {{ .To.MustWorkloads.Addresses | toJson }}
   108    - to:
   109      - operation:
   110          paths: [ "/destination-ip-bad" ]
   111      when:
   112      - key: destination.ip
   113        values: [ "1.2.3.4" ]
   114    - to:
   115        - operation:
   116            paths: [ "/destination-ip-notValues" ]
   117      when:
   118        - key: destination.ip
   119          notValues: {{ .To.MustWorkloads.Addresses | toJson }}
   120  ---
   121  
   122  apiVersion: security.istio.io/v1beta1
   123  kind: AuthorizationPolicy
   124  metadata:
   125    name: {{ .To.ServiceName }}-destination-port
   126  spec:
   127    selector:
   128      matchLabels:
   129        app: "{{ .To.ServiceName }}"
   130    rules:
   131    - to:
   132      - operation:
   133          paths: [ "/destination-port-good" ]
   134      when:
   135      - key: destination.port
   136        values: [ "{{ ( .To.PortForName `http` ).WorkloadPort }}" ]
   137    - to:
   138      - operation:
   139          paths: [ "/destination-port-bad" ]
   140      when:
   141      - key: destination.port
   142        values: [ "1" ]
   143    - to:
   144        - operation:
   145            paths: [ "/destination-port-notValues" ]
   146      when:
   147        - key: destination.port
   148          notValues: [ "{{ ( .To.PortForName `http` ).WorkloadPort }}" ]
   149  ---
   150  
   151  apiVersion: security.istio.io/v1beta1
   152  kind: AuthorizationPolicy
   153  metadata:
   154    name: {{ .To.ServiceName }}-connection-sni
   155  spec:
   156    selector:
   157      matchLabels:
   158        app: "{{ .To.ServiceName }}"
   159    rules:
   160    - to:
   161      - operation:
   162          paths: [ "/connection-sni-good" ]
   163      when:
   164      - key: connection.sni
   165        values: [ "*.{{ .To.ClusterLocalFQDN }}" ]
   166    - to:
   167      - operation:
   168          paths: [ "/connection-sni-bad" ]
   169      when:
   170      - key: connection.sni
   171        values: [ "never-matched" ]
   172    - to:
   173        - operation:
   174            paths: [ "/connection-sni-notValues" ]
   175      when:
   176        - key: connection.sni
   177          notValues: [ "*.{{ .To.ClusterLocalFQDN }}" ]
   178  ---