| # The following policy enables mTLS for server side workload. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: PeerAuthentication |
| metadata: |
| name: mtls |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| app: {{ .a }} |
| mtls: |
| mode: STRICT |
| --- |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: DestinationRule |
| metadata: |
| name: mtls |
| namespace: {{ .Namespace }} |
| spec: |
| host: "{{ .a }}.{{ .Namespace }}.svc.cluster.local" |
| trafficPolicy: |
| tls: |
| mode: ISTIO_MUTUAL |
| --- |
| |
| # For workload a: |
| # * Allow src0 to call dst's Echo method. |
| # * Disallow src1 to talk to dst since GET, DELETE, and PUT are not supported in gRPC. |
| # * Allow src2 to call any methods of dst. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: authz-grpc |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .a }}" |
| rules: |
| - to: |
| - operation: |
| paths: ["/proto.EchoTestService/Echo"] |
| methods: ["POST"] |
| from: |
| - source: |
| principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .b }}"] |
| - to: |
| - operation: |
| paths: ["/proto.EchoTestService/Echo"] |
| # Since gRPC only allows POST, this will be denied (even though paths should be allowed). |
| methods: ["GET", "DELETE", "PUT"] |
| from: |
| - source: |
| principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .c }}"] |
| - from: |
| - source: |
| principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .d }}"] |
| --- |