Google Git
Sign in
apache / dubbo-go-pixiu / de9f1befd6a6e38513ea5e704a5488ed608df7d5 / . / pilot / pkg / security / authz / builder / testdata / tcp / audit-both-http-tcp-out.yaml
blob: 3b180662567dfdba2d6a2e7d582172680e724f47 [file] [log] [blame]
name: envoy.filters.network.rbac
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
rules:
action: LOG
policies:
ns[foo]-policy[httpbin-audit]-rule[0]:
permissions:
- andRules:
rules:
- orRules:
rules:
- destinationPort: 80
- notRule:
orRules:
rules:
- destinationPort: 8000
- orRules:
rules:
- destinationIp:
addressPrefix: 10.10.10.10
prefixLen: 32
- notRule:
orRules:
rules:
- destinationIp:
addressPrefix: 90.10.10.10
prefixLen: 32
- orRules:
rules:
- destinationPort: 91
- notRule:
orRules:
rules:
- destinationPort: 9001
- orRules:
rules:
- requestedServerName:
exact: exact.com
- notRule:
orRules:
rules:
- requestedServerName:
exact: not-exact.com
- orRules:
rules:
- metadata:
filter: envoy.filters.a.b
path:
- key: c
value:
stringMatch:
exact: exact
- notRule:
orRules:
rules:
- metadata:
filter: envoy.filters.a.b
path:
- key: c
value:
stringMatch:
exact: not-exact
principals:
- andIds:
ids:
- orIds:
ids:
- authenticated:
principalName:
exact: spiffe://principal
- notId:
orIds:
ids:
- authenticated:
principalName:
exact: spiffe://not-principal
- orIds:
ids:
- authenticated:
principalName:
safeRegex:
googleRe2: {}
regex: .*/ns/ns/.*
- notId:
orIds:
ids:
- authenticated:
principalName:
safeRegex:
googleRe2: {}
regex: .*/ns/not-ns/.*
- orIds:
ids:
- remoteIp:
addressPrefix: 10.250.90.4
prefixLen: 32
- notId:
orIds:
ids:
- remoteIp:
addressPrefix: 10.133.154.65
prefixLen: 32
- orIds:
ids:
- directRemoteIp:
addressPrefix: 1.2.3.4
prefixLen: 32
- notId:
orIds:
ids:
- directRemoteIp:
addressPrefix: 9.0.0.1
prefixLen: 32
- orIds:
ids:
- directRemoteIp:
addressPrefix: 10.10.10.10
prefixLen: 32
- notId:
orIds:
ids:
- directRemoteIp:
addressPrefix: 90.10.10.10
prefixLen: 32
- orIds:
ids:
- remoteIp:
addressPrefix: 192.168.7.7
prefixLen: 32
- notId:
orIds:
ids:
- remoteIp:
addressPrefix: 192.168.10.9
prefixLen: 32
- orIds:
ids:
- authenticated:
principalName:
safeRegex:
googleRe2: {}
regex: .*/ns/ns/.*
- notId:
orIds:
ids:
- authenticated:
principalName:
safeRegex:
googleRe2: {}
regex: .*/ns/not-ns/.*
- orIds:
ids:
- authenticated:
principalName:
exact: spiffe://principal
- notId:
orIds:
ids:
- authenticated:
principalName:
exact: spiffe://not-principal
shadowRulesStatPrefix: istio_dry_run_allow_
statPrefix: tcp.