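# Denies requests for the path /deny on workload b (selected by its "app" label).
# The rule has no `from` clause, so it applies to every caller.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Quoted like the namespace below so the templated value always renders as a string.
  name: "policy-{{ .b }}-deny"
  namespace: "{{ .Namespace }}"
spec:
  selector:
    matchLabels:
      "app": "{{ .b }}"
  action: DENY
  rules:
    - to:
        - operation:
            # Exact match: no "*" in the pattern, so only the path "/deny" itself is
            # covered. Variants such as "/deny/" or "/deny/x" are not matched by this
            # rule; add a prefix pattern if a whole subtree must be blocked.
            paths: ["/deny"]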
---
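# Denies requests for the path /allow/admin on workload c.
# Istio evaluates DENY policies before ALLOW policies, so this carve-out holds
# even when an ALLOW policy on the same workload matches the path by prefix.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Quoted like the namespace below so the templated value always renders as a string.
  name: "policy-{{ .c }}-deny"
  namespace: "{{ .Namespace }}"
spec:
  selector:
    matchLabels:
      "app": "{{ .c }}"
  action: DENY
  rules:
    - to:
        - operation:
            # Exact match only: "/allow/admin/" and "/allow/admin/x" are NOT denied
            # here. Whether trailing-slash or encoded variants reach the workload as
            # the same path depends on the mesh's path normalization setting -
            # NOTE(review): confirm before reusing this pattern outside tests.
            paths: ["/allow/admin"]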
---
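# Allows requests whose path starts with "/allow" on workload c.
# Once an ALLOW policy selects a workload, requests that match no ALLOW rule
# are rejected, so this policy also acts as default-deny for every other path.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Quoted like the namespace below so the templated value always renders as a string.
  name: "policy-{{ .c }}-allow"
  namespace: "{{ .Namespace }}"
spec:
  selector:
    matchLabels:
      "app": "{{ .c }}"
  action: ALLOW
  rules:
    - to:
        - operation:
            # Trailing "*" is a string-prefix match, not a path-segment match: it
            # covers "/allow", "/allow/x" and also "/allowed" or "/allow-anything".
            # Use "/allow/*" plus an exact "/allow" when only the subtree is meant.
            paths: ["/allow*"]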
---
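# Denies requests for the path /allow/admin on the vm workload.
# TODO(JimmyCYJ): the following two policies are duplicates of existing ones above
# and can be removed once the test framework supports multiple vm workloads.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-vm-deny
  namespace: "{{ .Namespace }}"
spec:
  selector:
    matchLabels:
      "app": "{{ .vm }}"
  # DENY policies are evaluated before ALLOW policies, so this exception takes
  # precedence over any prefix ALLOW rule on the same workload.
  action: DENY
  rules:
    - to:
        - operation:
            # Exact match only; "/allow/admin/" and deeper paths are not covered.
            paths: ["/allow/admin"]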
---
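# Allows requests whose path starts with "/allow" on the vm workload.
# With an ALLOW policy selecting the workload, any request that matches no
# ALLOW rule is rejected.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-vm-allow
  namespace: "{{ .Namespace }}"
spec:
  selector:
    matchLabels:
      "app": "{{ .vm }}"
  action: ALLOW
  rules:
    - to:
        - operation:
            # String-prefix match: also covers "/allowed", "/allow-x", etc., not
            # just paths under "/allow/".
            paths: ["/allow*"]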
---