| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: httpbin-deny |
| namespace: foo |
| spec: |
| action: DENY |
| rules: |
| # rule[0] `from`: HTTP field, `to`: HTTP field. |
| - from: |
| - source: |
| requestPrincipals: ["id-1"] |
| to: |
| - operation: |
| methods: ["GET"] |
| # rule[1] `from`: nil, `to`: HTTP field. |
| - to: |
| - operation: |
| methods: ["GET"] |
| # rule[2] `from`: HTTP field, `to`: nil. |
| - from: |
| - source: |
| requestPrincipals: ["id-1"] |
| # rule[3] `from`: TCP field, `to`: HTTP field. |
| - from: |
| - source: |
| namespaces: ["ns-1"] |
| to: |
| - operation: |
| methods: ["GET"] |
| # rule[4] `from`: HTTP field, `to`: TCP field. |
| - from: |
| - source: |
| requestPrincipals: ["id-1"] |
| to: |
| - operation: |
| ports: ["80"] |
| # rule[5] `from`: TCP field, `to`: TCP field. |
| - from: |
| - source: |
| namespaces: ["ns-1"] |
| to: |
| - operation: |
| ports: ["80"] |
| # rule[6] `from`: nil, `to`: nil, `when`: HTTP field. |
| - when: |
| - key: "request.headers[:method]" |
| values: ["GET"] |
| # rule[7] `from`: nil, `to`: nil, `when`: TCP field. |
| - when: |
| - key: "destination.port" |
| values: ["80"] |
| # rule[8] `from`: all fields, `to`: all fields, `when`: all fields. |
| - from: |
| - source: |
| principals: ["principal", "*principal-suffix", "principal-prefix*", "*"] |
| requestPrincipals: ["requestPrincipals"] |
| namespaces: ["ns", "*ns-suffix", "ns-prefix*", "*"] |
| ipBlocks: ["1.2.3.4"] |
| remoteIpBlocks: ["172.18.4.0/22"] |
| notPrincipals: ["not-principal", "*not-principal-suffix", "not-principal-prefix*", "*"] |
| notRequestPrincipals: ["not-requestPrincipals"] |
| notNamespaces: ["not-ns", "*not-ns-suffix", "not-ns-prefix*", "*"] |
| notIpBlocks: ["9.0.0.1"] |
| notRemoteIpBlocks: ["192.168.244.139"] |
| to: |
| - operation: |
| methods: ["method"] |
| hosts: ["exact.com"] |
| ports: ["80"] |
| paths: ["/exact"] |
| notMethods: ["not-method"] |
| notHosts: ["not-exact.com"] |
| notPorts: ["8000"] |
| notPaths: ["/not-exact"] |
| when: |
| - key: "request.headers[X-header]" |
| values: ["header"] |
| notValues: ["not-header"] |
| - key: "source.ip" |
| values: ["10.10.10.10"] |
| notValues: ["90.10.10.10"] |
| - key: "remote.ip" |
| values: ["192.168.3.3"] |
| notValues: ["172.19.31.3"] |
| - key: "source.namespace" |
| values: ["ns", "*ns-suffix", "ns-prefix*", "*"] |
| notValues: ["not-ns", "*not-ns-suffix", "not-ns-prefix*", "*"] |
| - key: "source.principal" |
| values: ["principal", "*principal-suffix", "principal-prefix*", "*"] |
| notValues: ["not-principal", "*not-principal-suffix", "not-principal-prefix*", "*"] |
| - key: "request.auth.principal" |
| values: ["requestPrincipals"] |
| notValues: ["not-requestPrincipals"] |
| - key: "request.auth.audiences" |
| values: ["audiences"] |
| notValues: ["not-audiences"] |
| - key: "request.auth.presenter" |
| values: ["presenter"] |
| notValues: ["not-presenter"] |
| - key: "request.auth.claims[iss]" |
| values: ["iss"] |
| notValues: ["not-iss"] |
| - key: "destination.ip" |
| values: ["10.10.10.10"] |
| notValues: ["90.10.10.10"] |
| - key: "destination.port" |
| values: ["91"] |
| notValues: ["9001"] |
| - key: "connection.sni" |
| values: ["exact.com"] |
| notValues: ["not-exact.com"] |
| - key: "experimental.envoy.filters.a.b[c]" |
| values: ["exact"] |
| notValues: ["not-exact"] |