| name: envoy.filters.http.rbac |
| typedConfig: |
| '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC |
| rules: |
| policies: |
| ns[foo]-policy[httpbin]-rule[0]: |
| permissions: |
| - andRules: |
| rules: |
| - orRules: |
| rules: |
| - header: |
| name: :authority |
| stringMatch: |
| exact: rule[0]-to[0]-host[1] |
| ignoreCase: true |
| - header: |
| name: :authority |
| stringMatch: |
| exact: rule[0]-to[0]-host[2] |
| ignoreCase: true |
| - orRules: |
| rules: |
| - header: |
| exactMatch: rule[0]-to[0]-method[1] |
| name: :method |
| - header: |
| exactMatch: rule[0]-to[0]-method[2] |
| name: :method |
| - orRules: |
| rules: |
| - urlPath: |
| path: |
| exact: rule[0]-to[0]-path[1] |
| - urlPath: |
| path: |
| exact: rule[0]-to[0]-path[2] |
| - orRules: |
| rules: |
| - destinationPort: 9001 |
| - destinationPort: 9002 |
| - orRules: |
| rules: |
| - destinationIp: |
| addressPrefix: 10.10.10.10 |
| prefixLen: 32 |
| - destinationIp: |
| addressPrefix: 192.168.10.0 |
| prefixLen: 24 |
| - andRules: |
| rules: |
| - orRules: |
| rules: |
| - header: |
| name: :authority |
| stringMatch: |
| exact: rule[0]-to[1]-host[1] |
| ignoreCase: true |
| - header: |
| name: :authority |
| stringMatch: |
| exact: rule[0]-to[1]-host[2] |
| ignoreCase: true |
| - orRules: |
| rules: |
| - header: |
| exactMatch: rule[0]-to[1]-method[1] |
| name: :method |
| - header: |
| exactMatch: rule[0]-to[1]-method[2] |
| name: :method |
| - orRules: |
| rules: |
| - urlPath: |
| path: |
| exact: rule[0]-to[1]-path[1] |
| - urlPath: |
| path: |
| exact: rule[0]-to[1]-path[2] |
| - orRules: |
| rules: |
| - destinationPort: 9011 |
| - destinationPort: 9012 |
| - orRules: |
| rules: |
| - destinationIp: |
| addressPrefix: 10.10.10.10 |
| prefixLen: 32 |
| - destinationIp: |
| addressPrefix: 192.168.10.0 |
| prefixLen: 24 |
| principals: |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| exact: spiffe://rule[0]-from[0]-principal[1] |
| - authenticated: |
| principalName: |
| exact: spiffe://rule[0]-from[0]-principal[2] |
| - orIds: |
| ids: |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: rule[0]-from[0]-requestPrincipal[1] |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: rule[0]-from[0]-requestPrincipal[2] |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/rule[0]-from[0]-ns[1]/.* |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/rule[0]-from[0]-ns[2]/.* |
| - orIds: |
| ids: |
| - remoteIp: |
| addressPrefix: 172.16.10.10 |
| prefixLen: 32 |
| - orIds: |
| ids: |
| - directRemoteIp: |
| addressPrefix: 10.0.0.1 |
| prefixLen: 32 |
| - directRemoteIp: |
| addressPrefix: 10.0.0.2 |
| prefixLen: 32 |
| - orIds: |
| ids: |
| - header: |
| exactMatch: header |
| name: X-header |
| - header: |
| name: X-header |
| prefixMatch: header-prefix- |
| - header: |
| name: X-header |
| suffixMatch: -suffix-header |
| - header: |
| name: X-header |
| presentMatch: true |
| - orIds: |
| ids: |
| - remoteIp: |
| addressPrefix: 10.99.10.8 |
| prefixLen: 32 |
| - remoteIp: |
| addressPrefix: 10.80.64.0 |
| prefixLen: 18 |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| exact: spiffe://rule[0]-from[1]-principal[1] |
| - authenticated: |
| principalName: |
| exact: spiffe://rule[0]-from[1]-principal[2] |
| - orIds: |
| ids: |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: rule[0]-from[1]-requestPrincipal[1] |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: rule[0]-from[1]-requestPrincipal[2] |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/rule[0]-from[1]-ns[1]/.* |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/rule[0]-from[1]-ns[2]/.* |
| - orIds: |
| ids: |
| - remoteIp: |
| addressPrefix: 172.17.8.0 |
| prefixLen: 24 |
| - remoteIp: |
| addressPrefix: 172.17.9.4 |
| prefixLen: 32 |
| - orIds: |
| ids: |
| - directRemoteIp: |
| addressPrefix: 10.0.1.1 |
| prefixLen: 32 |
| - directRemoteIp: |
| addressPrefix: 192.0.1.2 |
| prefixLen: 32 |
| - orIds: |
| ids: |
| - header: |
| exactMatch: header |
| name: X-header |
| - header: |
| name: X-header |
| prefixMatch: header-prefix- |
| - header: |
| name: X-header |
| suffixMatch: -suffix-header |
| - header: |
| name: X-header |
| presentMatch: true |
| - orIds: |
| ids: |
| - remoteIp: |
| addressPrefix: 10.99.10.8 |
| prefixLen: 32 |
| - remoteIp: |
| addressPrefix: 10.80.64.0 |
| prefixLen: 18 |
| ns[foo]-policy[httpbin]-rule[1]: |
| permissions: |
| - andRules: |
| rules: |
| - orRules: |
| rules: |
| - header: |
| name: :authority |
| stringMatch: |
| exact: rule[1]-to[0]-host[1] |
| ignoreCase: true |
| - header: |
| name: :authority |
| stringMatch: |
| exact: rule[1]-to[0]-host[2] |
| ignoreCase: true |
| - orRules: |
| rules: |
| - header: |
| exactMatch: rule[1]-to[0]-method[1] |
| name: :method |
| - header: |
| exactMatch: rule[1]-to[0]-method[2] |
| name: :method |
| - orRules: |
| rules: |
| - urlPath: |
| path: |
| exact: rule[1]-to[0]-path[1] |
| - urlPath: |
| path: |
| exact: rule[1]-to[0]-path[2] |
| - orRules: |
| rules: |
| - destinationPort: 9101 |
| - destinationPort: 9102 |
| - andRules: |
| rules: |
| - orRules: |
| rules: |
| - header: |
| name: :authority |
| stringMatch: |
| exact: rule[1]-to[1]-host[1] |
| ignoreCase: true |
| - header: |
| name: :authority |
| stringMatch: |
| exact: rule[1]-to[1]-host[2] |
| ignoreCase: true |
| - orRules: |
| rules: |
| - header: |
| exactMatch: rule[1]-to[1]-method[1] |
| name: :method |
| - header: |
| exactMatch: rule[1]-to[1]-method[2] |
| name: :method |
| - orRules: |
| rules: |
| - urlPath: |
| path: |
| exact: rule[1]-to[1]-path[1] |
| - urlPath: |
| path: |
| exact: rule[1]-to[1]-path[2] |
| - orRules: |
| rules: |
| - destinationPort: 9111 |
| - destinationPort: 9112 |
| principals: |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| exact: spiffe://rule[1]-from[0]-principal[1] |
| - authenticated: |
| principalName: |
| exact: spiffe://rule[1]-from[0]-principal[2] |
| - orIds: |
| ids: |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: rule[1]-from[0]-requestPrincipal[1] |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: rule[1]-from[0]-requestPrincipal[2] |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/rule[1]-from[0]-ns[1]/.* |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/rule[1]-from[0]-ns[2]/.* |
| - orIds: |
| ids: |
| - remoteIp: |
| addressPrefix: 172.22.2.0 |
| prefixLen: 23 |
| - remoteIp: |
| addressPrefix: 172.21.234.254 |
| prefixLen: 32 |
| - orIds: |
| ids: |
| - directRemoteIp: |
| addressPrefix: 10.1.0.1 |
| prefixLen: 32 |
| - directRemoteIp: |
| addressPrefix: 10.1.0.2 |
| prefixLen: 32 |
| - andIds: |
| ids: |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| exact: spiffe://rule[1]-from[1]-principal[1] |
| - authenticated: |
| principalName: |
| exact: spiffe://rule[1]-from[1]-principal[2] |
| - orIds: |
| ids: |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: rule[1]-from[1]-requestPrincipal[1] |
| - metadata: |
| filter: istio_authn |
| path: |
| - key: request.auth.principal |
| value: |
| stringMatch: |
| exact: rule[1]-from[1]-requestPrincipal[2] |
| - orIds: |
| ids: |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/rule[1]-from[1]-ns[1]/.* |
| - authenticated: |
| principalName: |
| safeRegex: |
| googleRe2: {} |
| regex: .*/ns/rule[1]-from[1]-ns[2]/.* |
| - orIds: |
| ids: |
| - remoteIp: |
| addressPrefix: 192.168.4.0 |
| prefixLen: 24 |
| - remoteIp: |
| addressPrefix: 192.168.7.8 |
| prefixLen: 32 |
| - orIds: |
| ids: |
| - directRemoteIp: |
| addressPrefix: 10.1.1.1 |
| prefixLen: 32 |
| - directRemoteIp: |
| addressPrefix: 192.1.1.2 |
| prefixLen: 32 |
| shadowRulesStatPrefix: istio_dry_run_allow_ |