# Integration-test fixture: a DENY AuthorizationPolicy attached to the ingress
# gateway, plus the Gateway and VirtualService that expose
# "*.{{ .To.ServiceName }}.com" and route it to the target workload.
#
# Rules are evaluated independently (rules are OR'd; entries inside one `to`
# or `from` list are OR'd; `from`, `to` and `when` inside a single rule are
# AND'd). The policy therefore denies a request when ANY of these holds:
#   1. host is "deny.{{ .To.ServiceName }}.com", matches
#      "*.suffix.{{ .To.ServiceName }}.com" or matches
#      "prefix.{{ .To.ServiceName }}.*";
#   2. host is "internal.{{ .To.ServiceName }}.com", OR the path is "/private"
#      on ANY host this gateway serves (the host and the path are separate
#      `operation` entries, not a host+path conjunction);
#   3. host is "remoteipblocks.{{ .To.ServiceName }}.com" and the remote IP is
#      172.17.72.46 or in 192.168.4.0/23;
#   4. host is "notremoteipblocks.{{ .To.ServiceName }}.com" and the remote IP
#      is NOT in 172.23.240.0/22;
#   5. host is "remoteipattr.{{ .To.ServiceName }}.com" and the `remote.ip`
#      attribute is 10.242.5.7 or in 10.124.99.0/24.
# Requests matching none of the rules are not affected by this policy.
#
# NOTE(review): the host names above are "<label>.{{ .To.ServiceName }}.com"
# (no ".company." component); an earlier version of this comment disagreed
# with the manifest on that point.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-{{ .To.ServiceName }}
  # Lives in the system namespace because that is where the gateway pods run
  # and a workload selector only matches pods in the policy's own namespace.
  namespace: {{ .SystemNamespace.Name }}
spec:
  action: DENY
  selector:
    matchLabels:
      # Binds the policy to the gateway pods carrying this `app` label. The
      # Gateway resource below selects by `istio: ingressgateway` instead;
      # both must resolve to the same pods or the denies are never exercised.
      app: {{.GatewayIstioLabel | default "istio-ingressgateway"}}
  rules:
  # Rule 1: exact host, suffix wildcard and prefix wildcard host matches.
  - to:
    - operation:
        hosts: [
          "deny.{{ .To.ServiceName }}.com",
          "*.suffix.{{ .To.ServiceName }}.com",
          "prefix.{{ .To.ServiceName }}.*"]
  # Rule 2: two OR'd operations -- the "internal" host on any path, and the
  # "/private" path on any host.
  - to:
    - operation:
        hosts: ["internal.{{ .To.ServiceName }}.com"]
    - operation:
        paths: ["/private"]
  # Rules 3-5 key on the client address. NOTE(review): remoteIpBlocks,
  # notRemoteIpBlocks and the `remote.ip` attribute all use the client IP the
  # gateway attributes to the request, which depends on how the gateway is
  # configured to trust X-Forwarded-For / PROXY protocol from upstream hops
  # (confirm against the gateway's topology settings in this test's setup);
  # a mismatch there would let a client spoof or lose its address and make
  # these denies pass or fail for the wrong reason.
  - from:
    - source:
        remoteIpBlocks: ["172.17.72.46", "192.168.4.0/23"]
    to:
    - operation:
        hosts: ["remoteipblocks.{{ .To.ServiceName }}.com"]
  # Rule 4: a negative match -- everything OUTSIDE 172.23.240.0/22 is denied.
  - from:
    - source:
        notRemoteIpBlocks: ["172.23.240.0/22"]
    to:
    - operation:
        hosts: ["notremoteipblocks.{{ .To.ServiceName }}.com"]
  # Rule 5: same idea expressed as a `when` condition on the remote.ip
  # attribute; single addresses and CIDR ranges are both accepted here.
  - to:
    - operation:
        hosts: ["remoteipattr.{{ .To.ServiceName }}.com"]
    when:
    - key: remote.ip
      values: ["10.242.5.7", "10.124.99.0/24"]
---

# Gateway: admits plaintext HTTP on port 80 for "*.{{ .To.ServiceName }}.com"
# (plaintext is acceptable for this fixture; it is not a production gateway).
# Because only this host pattern is admitted, every hostname the policy above
# keys on is one the gateway actually serves.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gw-{{ .To.ServiceName }}
  namespace: {{ .To.NamespaceName }}
spec:
  selector:
    # use istio default ingress gateway. NOTE(review): this selects by the
    # `istio` label while the AuthorizationPolicy selects by the `app` label
    # taken from GatewayIstioLabel; if that label ever points at a different
    # gateway deployment, traffic and policy would land on different pods.
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.{{ .To.ServiceName }}.com"
---

# VirtualService: routes everything admitted by the gateway above to the
# target workload's cluster-local FQDN on its "http" service port. No
# host- or path-specific routing is done here; all filtering is left to
# the DENY policy.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-{{ .To.ServiceName }}
  namespace: {{ .To.NamespaceName }}
spec:
  hosts:
  - "*.{{ .To.ServiceName }}.com"
  gateways:
  - gw-{{ .To.ServiceName }}
  http:
  - route:
    - destination:
        host: "{{ .To.ClusterLocalFQDN }}"
        port:
          number: {{ (.To.PortForName "http").ServicePort }}