| # The following policy denies access to path /deny to workload b. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .b }}-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .b }}" |
| action: DENY |
| rules: |
| - to: |
| - operation: |
| paths: ["/deny"] |
| --- |
| |
| # The following policy denies access to path /allow/admin to workload c. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .c }}-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .c }}" |
| action: DENY |
| rules: |
| - to: |
| - operation: |
| paths: ["/allow/admin"] |
| --- |
| |
| # The following policy allows access to path with prefix "/allow" to workload c. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .c }}-allow |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .c }}" |
| action: ALLOW |
| rules: |
| - to: |
| - operation: |
| paths: ["/allow*"] |
| --- |
| |
| # The following policy denies access to path /allow/admin to workload vm. |
| # (TODO)JimmyCYJ: the following two policies are duplicates of existing ones above |
| # and can be removed once the test framework supports multiple vm workloads. |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-vm-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .vm }}" |
| action: DENY |
| rules: |
| - to: |
| - operation: |
| paths: ["/allow/admin"] |
| --- |
| |
| # The following policy allows access to path with prefix "/allow" to workload vm. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-vm-allow |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .vm }}" |
| action: ALLOW |
| rules: |
| - to: |
| - operation: |
| paths: ["/allow*"] |
| --- |