| name: envoy.filters.http.rbac |
| typedConfig: |
| '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC |
| rules: |
| policies: |
| ns[foo]-policy[httpbin-1]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - orRules: |
| rules: |
| - header: |
| exactMatch: GET |
| name: :method |
| - header: |
| exactMatch: POST |
| name: :method |
| principals: |
| - andIds: |
| ids: |
| - any: true |
| ns[foo]-policy[httpbin-2]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - orRules: |
| rules: |
| - urlPath: |
| path: |
| exact: /v1 |
| - urlPath: |
| path: |
| exact: /v2 |
| principals: |
| - andIds: |
| ids: |
| - any: true |
| ns[foo]-policy[httpbin-3]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - orRules: |
| rules: |
| - header: |
| name: :authority |
| stringMatch: |
| exact: google.com |
| ignoreCase: true |
| - header: |
| name: :authority |
| stringMatch: |
| exact: httpbin.org |
| ignoreCase: true |
| principals: |
| - andIds: |
| ids: |
| - any: true |
| ns[foo]-policy[httpbin-4]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - orRules: |
| rules: |
| - destinationPort: 80 |
| - destinationPort: 90 |
| principals: |
| - andIds: |
| ids: |
| - any: true |
| ns[foo]-policy[httpbin-5]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - any: true |
| principals: |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| exact: spiffe://principals1 |
| - authenticated: |
| principalName: |
| exact: spiffe://principals2 |
| ns[foo]-policy[httpbin-6]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - any: true |
| principals: |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: requestPrincipals1 |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: requestPrincipals2 |
| ns[foo]-policy[httpbin-7]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - any: true |
| principals: |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/namespaces1/.* |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/namespaces2/.* |
| ns[foo]-policy[httpbin-8]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - any: true |
| principals: |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - directRemoteIp: |
| addressPrefix: 1.2.3.4 |
| prefixLen: 32 |
| - directRemoteIp: |
| addressPrefix: 5.6.7.0 |
| prefixLen: 24 |
| ns[foo]-policy[httpbin-9]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - any: true |
| principals: |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - header: |
| exactMatch: abc1 |
| name: X-abc |
| - header: |
| exactMatch: abc2 |
| name: X-abc |
| shadowRulesStatPrefix: istio_dry_run_allow_ |