tests/integration/security/testdata/authz/v1beta1-grpc.yaml.tmpl - dubbo-go-pixiu - Git at Google

 # The following policy enables mTLS for server side workload.

 apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
   name: mtls
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       app: {{ .a }}
   mtls:
     mode: STRICT
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
   name: mtls
   namespace: {{ .Namespace }}
 spec:
   host: "{{ .a }}.{{ .Namespace }}.svc.cluster.local"
   trafficPolicy:
     tls:
       mode: ISTIO_MUTUAL
 ---

 # For workload a:
 # * Allow src0 to call dst's Echo method.
 # * Disallow src1 to talk to dst since GET, DELETE, and PUT are not supported in gRPC.
 # * Allow src2 to call any methods of dst.

 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: authz-grpc
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       "app": "{{ .a }}"
   rules:
   - to:
     - operation:
         paths: ["/proto.EchoTestService/Echo"]
         methods: ["POST"]
     from:
     - source:
         principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .b }}"]
   - to:
     - operation:
         paths: ["/proto.EchoTestService/Echo"]
         # Since gRPC only allows POST, this will be denied (even though paths should be allowed).
         methods: ["GET", "DELETE", "PUT"]
     from:
     - source:
         principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .c }}"]
   - from:
     - source:
         principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .d }}"]
 ---
	# The following policy enables mTLS for server side workload.

	apiVersion: security.istio.io/v1beta1
	kind: PeerAuthentication
	metadata:
	name: mtls
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	app: {{ .a }}
	mtls:
	mode: STRICT
	---
	apiVersion: networking.istio.io/v1alpha3
	kind: DestinationRule
	metadata:
	name: mtls
	namespace: {{ .Namespace }}
	spec:
	host: "{{ .a }}.{{ .Namespace }}.svc.cluster.local"
	trafficPolicy:
	tls:
	mode: ISTIO_MUTUAL
	---

	# For workload a:
	# * Allow src0 to call dst's Echo method.
	# * Disallow src1 to talk to dst since GET, DELETE, and PUT are not supported in gRPC.
	# * Allow src2 to call any methods of dst.

	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: authz-grpc
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	"app": "{{ .a }}"
	rules:
	- to:
	- operation:
	paths: ["/proto.EchoTestService/Echo"]
	methods: ["POST"]
	from:
	- source:
	principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .b }}"]
	- to:
	- operation:
	paths: ["/proto.EchoTestService/Echo"]
	# Since gRPC only allows POST, this will be denied (even though paths should be allowed).
	methods: ["GET", "DELETE", "PUT"]
	from:
	- source:
	principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .c }}"]
	- from:
	- source:
	principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .d }}"]
	---