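# Enforce access control based on JWT subject.

# The following policy enables JWT authentication on destination service.
# A RequestAuthentication only rejects requests that carry an *invalid* JWT;
# requests with no JWT at all are passed through and are left to the
# AuthorizationPolicy below to allow or deny.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: default
spec:
  jwtRules:
  # Both issuers share one key set. The JWKS is fetched from a mutable branch
  # ref, which is acceptable for a test fixture only.
  - issuer: "test-issuer-1@istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "test-issuer-2@istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---

# The following policy enables authorization on workload:
# - Allow request principal test-issuer-1@istio.io/sub-1 to access path /token1
# - Allow request whose "groups" claim contains group-2 to access path /token2
# - Allow request with any valid JWT (request principal present) to access path /tokenAny
# - Allow request with permission claim of "write" or "append" to access path /permission
# - Allow request with nested claim nested.key1 == valueB to access path /nested-key1
# - Allow request with nested claim nested.non-exist == valueC to access path /nested-non-exist
#   (negative case: presumably no test token carries this claim — confirm against the JWT fixtures)
# - Allow request with nested claim nested.key2 == valueC to access path /nested-key2
# - Allow request with nested claim nested.nested-2.key1 == valueA to access path /nested-2-key1
# - Allow request with valid JWT token (any method) to access path /valid-jwt
# - Allow request with valid JWT token of presenter bar (any method) to access path with suffix "/presenter"
# - Allow request with valid JWT token of audiences foo (any method) to access path with suffix "/audiences"
# - Allow request whose principal is NOT test-issuer-1@istio.io/sub-1 to access path /token3
# Everything not matched by a rule below is denied by the ALLOW policy's default.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Quoted like the "app" label below so a numeric- or boolean-looking
  # service name is not retyped by the YAML parser.
  name: "{{ .To.ServiceName }}"
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  rules:
  - to:
    - operation:
        paths: ["/token1"]
        methods: ["GET"]
    from:
    - source:
        requestPrincipals: ["test-issuer-1@istio.io/sub-1"]
  - to:
    - operation:
        paths: ["/token2"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[groups]
      values: ["group-2"]
  - to:
    - operation:
        paths: ["/tokenAny"]
        methods: ["GET"]
    from:
    - source:
        # "*" requires a request principal to be present, i.e. a valid JWT;
        # a request with no JWT does not match.
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/permission"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[permission]
      values: ["write", "append"]
  - to:
    - operation:
        paths: ["/nested-key1"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][key1]
      values: ["valueB"]
  - to:
    - operation:
        paths: ["/nested-non-exist"]
        methods: ["GET"]
    when:
    # Negative case: a claim path the tokens presumably never contain, so this
    # rule is expected never to match — confirm against the test expectations.
    - key: request.auth.claims[nested][non-exist]
      values: ["valueC"]
  - to:
    - operation:
        paths: ["/nested-key2"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][key2]
      values: ["valueC"]
  - to:
    - operation:
        paths: ["/nested-2-key1"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][nested-2][key1]
      values: ["valueA"]
  # The three rules below set no "methods", so they apply to every HTTP method.
  - to:
    - operation:
        paths: ["/valid-jwt"]
    when:
    - key: request.auth.principal
      values: ["*"]
  - to:
    - operation:
        paths: ["*/presenter"]
    when:
    - key: request.auth.presenter
      values: ["bar"]
  - to:
    - operation:
        paths: ["*/audiences"]
    when:
    - key: request.auth.audiences
      values: ["foo"]
  - to:
    - operation:
        paths: ["/token3"]
        methods: ["GET"]
    from:
    - source:
        # Negative match on one specific principal. A request carrying no JWT
        # has no request principal and is presumably not excluded by this
        # condition — confirm against the test expectations for /token3.
        notRequestPrincipals: ["test-issuer-1@istio.io/sub-1"]
---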