| # The following policy applies the CUSTOM action with the ext-authz-http provider on workload b for path /custom. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-b |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "b" |
| action: CUSTOM |
| provider: |
| name: ext-authz-http |
| rules: |
| - to: |
| - operation: |
| paths: ["/custom"] |
| --- |
| |
| # The following policy applies the CUSTOM action with the ext-authz-grpc provider on workload c for path /custom. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-c |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "c" |
| action: CUSTOM |
| provider: |
| name: ext-authz-grpc |
| rules: |
| - to: |
| - operation: |
| paths: ["/custom"] |
| --- |
| |
| # The following policy applies the CUSTOM action with the ext-authz-http-local provider on workload d for path /custom. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-d |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "d" |
| action: CUSTOM |
| provider: |
| name: ext-authz-http-local |
| rules: |
| - to: |
| - operation: |
| paths: ["/custom"] |
| --- |
| |
| # The following policy applies the CUSTOM action with the ext-authz-grpc-local provider on workload e for path /custom. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-e |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "e" |
| action: CUSTOM |
| provider: |
| name: ext-authz-grpc-local |
| rules: |
| - to: |
| - operation: |
| paths: ["/custom"] |
| --- |
| |
| # The following policy applies the CUSTOM action with the ext-authz-tcp provider on workload f for port 8092. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-f-tcp |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "f" |
| action: CUSTOM |
| provider: |
| name: ext-authz-grpc |
| rules: |
| - to: |
| - operation: |
| ports: ["8092"] |
| |
| --- |
| |
| # The following policy applies the CUSTOM action with the ext-authz-http provider on ingress gateway for path /custom. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-ingress-http |
| namespace: "{{ .RootNamespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "istio-ingressgateway" |
| action: CUSTOM |
| provider: |
| name: ext-authz-http |
| rules: |
| - to: |
| - operation: |
| paths: ["/custom"] |
| --- |
| |
| # Define the service entry for the local ext-authz service on port 8000. |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: httpbin-ext-authz-http |
| namespace: "{{ .Namespace }}" |
| spec: |
| hosts: |
| - "ext-authz-http.local" |
| endpoints: |
| - address: "127.0.0.1" |
| ports: |
| - name: http |
| number: 8000 |
| protocol: HTTP |
| resolution: STATIC |
| --- |
| |
| # Define the service entry for the local ext-authz service on port 9000. |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: httpbin-ext-authz-grpc |
| namespace: "{{ .Namespace }}" |
| spec: |
| hosts: |
| - "ext-authz-grpc.local" |
| endpoints: |
| - address: "127.0.0.1" |
| ports: |
| - name: grpc |
| number: 9000 |
| protocol: GRPC |
| resolution: STATIC |
| --- |
| |
| # The following gateway allows request to "*.company.com" |
| |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: Gateway |
| metadata: |
| name: test-ingress |
| namespace: {{ .Namespace }} |
| spec: |
| selector: |
| istio: ingressgateway # use istio default ingress gateway |
| servers: |
| - port: |
| number: 80 |
| name: http |
| protocol: HTTP |
| hosts: |
| - "*.company.com" |
| --- |
| |
| # The following virtual service routes requests to workload x |
| |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: VirtualService |
| metadata: |
| name: test-vs |
| namespace: {{ .Namespace }} |
| spec: |
| hosts: |
| - "*.company.com" |
| gateways: |
| - test-ingress |
| http: |
| - route: |
| - destination: |
| host: x |
| port: |
| number: 80 |