| # The following policy enables mTLS for server side workload. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: PeerAuthentication |
| metadata: |
| name: mtls |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| mtls: |
| mode: STRICT |
| --- |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: DestinationRule |
| metadata: |
| name: mtls |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| host: "{{ .cSet }}.{{ .NamespaceC }}.svc.cluster.local" |
| trafficPolicy: |
| tls: |
| mode: ISTIO_MUTUAL |
| --- |
| |
| # Each of the following authorization policy uses a different condition on the given path. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-request-headers |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/request-headers"] |
| when: |
| - key: request.headers[x-foo] |
| values: ["foo"] |
| --- |
| |
| # Each of the following authorization policy uses a different condition on the given path. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-request-headers-notvalues |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/request-headers-notValues-bar"] |
| when: |
| - key: request.headers[x-foo] |
| notValues: ["bar"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-source-ip |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/source-ip-{{ .a }}"] |
| when: |
| - key: source.ip |
| values: {{ toJson .ipA }} |
| - to: |
| - operation: |
| paths: ["/source-ip-{{ .b }}"] |
| when: |
| - key: source.ip |
| values: {{ toJson .ipB }} |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-source-ip-notvalues |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/source-ip-notValues-{{ .b }}"] |
| when: |
| - key: source.ip |
| notValues: {{ toJson .ipB }} |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-source-namespace |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/source-namespace-{{ .a }}"] |
| when: |
| - key: source.namespace |
| values: ["{{ .NamespaceA }}"] |
| - to: |
| - operation: |
| paths: ["/source-namespace-{{ .b }}"] |
| when: |
| - key: source.namespace |
| values: ["{{ .NamespaceB }}"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-source-namespace-notvalues |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/source-namespace-notValues-{{ .b }}"] |
| when: |
| - key: source.namespace |
| notValues: ["{{ .NamespaceB }}"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-source-principal |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/source-principal-{{ .a }}"] |
| when: |
| - key: source.principal |
| values: ["cluster.local/ns/{{ .NamespaceA }}/sa/{{ .a }}"] |
| - to: |
| - operation: |
| paths: ["/source-principal-{{ .b }}"] |
| when: |
| - key: source.principal |
| values: ["cluster.local/ns/{{ .NamespaceB }}/sa/{{ .b }}"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-source-principal-notvalues |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/source-principal-notValues-{{ .b }}"] |
| when: |
| - key: source.principal |
| notValues: ["cluster.local/ns/{{ .NamespaceB }}/sa/{{ .b }}"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-destination-ip |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/destination-ip-good"] |
| when: |
| - key: destination.ip |
| values: {{ toJson .ipC }} |
| - to: |
| - operation: |
| paths: ["/destination-ip-bad"] |
| when: |
| - key: destination.ip |
| values: ["1.2.3.4"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-destination-ip-notvalues |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/destination-ip-notValues-{{ .a }}-or-{{ .b }}"] |
| when: |
| - key: destination.ip |
| notValues: {{ concat .ipA .ipB | toJson }} |
| - to: |
| - operation: |
| paths: ["/destination-ip-notValues-{{ .a }}-or-{{ .b }}-or-{{ .cSet }}"] |
| when: |
| - key: destination.ip |
| notValues: {{ concat .ipA .ipB .ipC | toJson }} |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-destination-port |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/destination-port-good"] |
| when: |
| - key: destination.port |
| values: ["{{ .portC }}"] |
| - to: |
| - operation: |
| paths: ["/destination-port-bad"] |
| when: |
| - key: destination.port |
| values: ["1"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-destination-port-notvalues |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/destination-port-notValues-{{ .cSet }}"] |
| when: |
| - key: destination.port |
| notValues: ["{{ .portC }}"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-connection-sni |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/connection-sni-good"] |
| when: |
| - key: connection.sni |
| values: ["*.{{ .cSet }}.{{ .NamespaceC }}.svc.cluster.local"] |
| - to: |
| - operation: |
| paths: ["/connection-sni-bad"] |
| when: |
| - key: connection.sni |
| values: ["never-matched"] |
| --- |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: condition-connection-sni-notvalues |
| namespace: "{{ .NamespaceC }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .cSet }} |
| rules: |
| - to: |
| - operation: |
| paths: ["/connection-sni-notValues-{{ .a }}-or-{{ .b }}"] |
| when: |
| - key: connection.sni |
| notValues: ["*.{{ .a }}.{{ .NamespaceA }}.svc.cluster.local", "*.{{ .b }}.{{ .NamespaceB }}.svc.cluster.local"] |
| - to: |
| - operation: |
| paths: ["/connection-sni-notValues-{{ .a }}-or-{{ .b }}-or-{{ .cSet }}"] |
| when: |
| - key: connection.sni |
| notValues: ["*.{{ .a }}.{{ .NamespaceA }}.svc.cluster.local", "*.{{ .b }}.{{ .NamespaceB }}.svc.cluster.local", "*.{{ .cSet }}.{{ .NamespaceC }}.svc.cluster.local"] |
| --- |