apiVersion: v1
kind: Namespace
metadata:
  name: httpbin
  labels:
    # Label values are always strings; keep it quoted so no tool retypes it.
    # istio-injection=enabled opts this namespace into sidecar auto-injection.
    istio-injection: 'enabled'
spec: {}
---
apiVersion: v1
kind: Service
metadata:
  namespace: httpbin
  name: httpbin
  labels:
    app: httpbin
spec:
  selector:
    app: httpbin
  ports:
    # Service port 8000 forwards to container port 80 of the httpbin Deployment
    # below. The port name `http` lets Istio select the HTTP protocol for it.
    - name: http
      port: 8000
      targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: httpbin
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      # Same app/version pair the AuthorizationPolicy selectors in this file use.
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
        - name: httpbin
          # NOTE(review): no tag or digest, so this resolves to `latest`; with
          # IfNotPresent the image actually run depends on the node's cache.
          # Pin a tag or digest if this fixture is ever applied to a real
          # cluster. No resources or securityContext are set either, which is
          # acceptable for a validation fixture only.
          image: docker.io/kennethreitz/httpbin
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  namespace: httpbin
  name: istio
spec:
  location: MESH_EXTERNAL
  resolution: DNS
  hosts:
    - subsystem.istio.io
    # Quoted: a plain scalar starting with '*' would be parsed as a YAML alias.
    # NOTE(review): Istio documents that with resolution DNS and no endpoints
    # the proxy cannot resolve wildcard hosts; confirm whether this entry is
    # meant to carry traffic or only to exercise the validator.
    - '*.kiali.io'
  ports:
    - name: http
      number: 80
      protocol: HTTP
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  namespace: httpbin
  name: httpbin  # correct scenario: selector, namespace and principal all resolve
spec:
  # Matches the httpbin Deployment/Pod labelled app=httpbin, version=v1.
  selector:
    matchLabels:
      app: httpbin
      version: v1
  # `action` is omitted, so Istio applies its default, ALLOW.
  rules:
    - from:
        # Source entries are ORed: either the sleep service account or any
        # caller from the httpbin namespace satisfies `from`.
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            namespaces:  # this namespace exists in the file
              - httpbin
      to:
        - operation:
            methods:
              - GET
            paths:
              - '/info*'
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        # Quoted so the brackets are never mistaken for a flow sequence.
        - key: 'request.auth.claims[iss]'
          values:
            - 'https://accounts.google.com'
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Valid: placed in the root namespace it applies to the whole mesh.
  namespace: dubbo-system
  name: meshwide-httpbin
# NOTE(review): an empty spec is an ALLOW policy with no rules, which matches
# no request; under Istio's evaluation order that denies all traffic to every
# workload the policy covers (here the entire mesh, if dubbo-system really is
# the root namespace). Fine as a validator fixture, not something to apply to a
# live cluster.
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Invalid scenario: the selector below matches no pod anywhere in the mesh.
  namespace: dubbo-system
  name: meshwide-httpbin-v1
spec:
  selector:
    matchLabels:
      version: bogus-version  # no workload in this file carries this label
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Invalid scenario: no selector, so the policy is namespace-wide, but no pod
  # runs in httpbin-empty (the namespace is not even defined in this file).
  namespace: httpbin-empty
  name: httpbin-empty-namespace-wide
spec:
  # `action` is omitted, so Istio applies its default, ALLOW.
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            namespaces:
              - httpbin
      to:
        - operation:
            methods:
              - GET
            paths:
              - '/info*'
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: 'request.auth.claims[iss]'
          values:
            - 'https://accounts.google.com'
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Valid scenario: no selector means namespace-wide, and one httpbin pod runs
  # in this namespace.
  namespace: httpbin
  name: httpbin-namespace-wide
spec:
  # `action` is omitted, so Istio applies its default, ALLOW.
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            namespaces:
              - httpbin
      to:
        - operation:
            methods:
              - GET
            paths:
              - '/info*'
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: 'request.auth.claims[iss]'
          values:
            - 'https://accounts.google.com'
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Invalid scenario: no workload matches the selector below.
  namespace: httpbin
  name: httpbin-nopods
spec:
  selector:
    matchLabels:
      app: bogus-label  # bogus label, nothing in this file carries it
      version: v1
  # `action` is omitted, so Istio applies its default, ALLOW.
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            namespaces:
              - httpbin
      to:
        - operation:
            methods:
              - GET
            paths:
              - '/info*'
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: 'request.auth.claims[iss]'
          values:
            - 'https://accounts.google.com'
---
apiVersion: v1
kind: Namespace
metadata:
  # Exists so the `prod-*` namespace expressions further down have a match.
  name: prod-httpbin
  labels:
    istio-injection: 'enabled'
spec: {}
---
apiVersion: v1
kind: Namespace
metadata:
  # Exists so the `*-test` namespace expressions further down have a match.
  name: httpbin-test
  labels:
    istio-injection: 'enabled'
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Invalid scenario: two of the source notNamespaces patterns match no
  # namespace that exists.
  namespace: httpbin
  name: httpbin-bogus-not-ns
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  # `action` is omitted, so Istio applies its default, ALLOW.
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            # Wildcard patterns are quoted: a leading '*' is a YAML alias sigil.
            notNamespaces:
              - 'prod-*'
              - '*-test'
              - '*-bogus'  # no namespace matches
              - 'bogus-*'  # no namespace matches
              # NOTE(review): '*' negates every namespace, so this source
              # presumably never matches a request; confirm that is intended
              # for the fixture.
              - '*'
              - httpbin
      to:
        - operation:
            methods:
              - GET
            paths:
              - '/info*'
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: 'request.auth.claims[iss]'
          values:
            - 'https://accounts.google.com'
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Invalid scenario: some source namespace expressions match no namespace
  # that exists.
  namespace: httpbin
  name: httpbin-bogus-ns
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  # `action` is omitted, so Istio applies its default, ALLOW.
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            # Wildcard patterns are quoted: a leading '*' is a YAML alias sigil.
            namespaces:
              - 'prod-*'
              - '*-test'
              - '*-bogus'  # no namespace matches
              - 'bogus-*'  # no namespace matches
              # NOTE(review): '*' admits callers from every namespace, which
              # makes the more specific entries redundant for enforcement;
              # presumably only the validator's existence check is of interest.
              - '*'
              - httpbin
      to:
        - operation:
            methods:
              - GET
            paths:
              - '/info*'
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: 'request.auth.claims[iss]'
          values:
            - 'https://accounts.google.com'
---
apiVersion: v1
kind: Pod
metadata:
  namespace: httpbin
  name: httpbin-55bf89f8c9-wzfrh
  # These labels are what the app=httpbin, version=v1 policy selectors above
  # resolve against.
  labels:
    app: httpbin
    version: v1
spec:
  containers:
    # NOTE(review): the image is the adservice sample, not httpbin, despite the
    # labels; presumably irrelevant to the selector checks, but confirm.
    - name: server
      image: gcr.io/google-samples/microservices-demo/adservice:v0.1.1