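# The following policy denies access to "internal.company.com" and path "/private",
# denies access from 172.17.72.46 or 192.168.4.0/23 to "remoteipblocks.company.com",
# denies access from anything but 172.23.240.0/22 to "notremoteipblocks.company.com",
# and denies access to "remoteipattr.company.com" when the remote ip is 10.242.5.7 or
# in the network 10.124.99.0/24.
#
# Reading note: each entry under `rules` is an independent match; a request is
# denied when any single rule matches. Inside one rule, the entries listed under
# `to` (and under `from`) are ORed, so the "internal.company.com" rule below
# denies a request to that host OR a request to the "/private" path, not only
# their combination. `remoteIpBlocks`, `notRemoteIpBlocks` and the `remote.ip`
# attribute all match the client address recovered from X-Forwarded-For / PROXY
# protocol, so they are only as reliable as the gateway's trusted-proxy
# configuration; `ipBlocks` / `notIpBlocks` match the source address of the
# direct connection to the gateway instead.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-policy
  # Placed in the root namespace so it applies to every workload matching the selector.
  namespace: "{{ .RootNamespace }}"
spec:
  # DENY rules are evaluated before any ALLOW policy for the same workload.
  action: DENY
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
    # Exact, suffix-wildcard and prefix-wildcard host matches.
    - to:
        - operation:
            hosts: ["deny.company.com", "*.suffix.company.com", "prefix.company.*"]
    # Two `to` entries: denied if the host matches OR the path matches.
    - to:
        - operation:
            hosts: ["internal.company.com"]
        - operation:
            paths: ["/private"]
    - from:
        - source:
            remoteIpBlocks: ["172.17.72.46", "192.168.4.0/23"]
      to:
        - operation:
            hosts: ["remoteipblocks.company.com"]
    - from:
        - source:
            notRemoteIpBlocks: ["172.23.240.0/22"]
      to:
        - operation:
            hosts: ["notremoteipblocks.company.com"]
    # Same client-address semantics as remoteIpBlocks, expressed as a `when` condition.
    - to:
        - operation:
            hosts: ["remoteipattr.company.com"]
      when:
        - key: remote.ip
          values: ["10.242.5.7", "10.124.99.0/24"]
    - from:
        - source:
            ipBlocks: ["172.19.19.19"]
      to:
        - operation:
            hosts: ["ipblocks.company.com"]
    - from:
        - source:
            notIpBlocks: ["172.19.19.20"]
      to:
        - operation:
            hosts: ["notipblocks.company.com"]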
---
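# The following gateway allows request to "*.company.com"
# Note: this server listens for plaintext HTTP on port 80 (no TLS); the
# AuthorizationPolicy above is what restricts which of those requests get through.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-ingress
  # Quoted so the rendered template stays a plain string scalar.
  namespace: "{{ .Namespace }}"
spec:
  selector:
    istio: ingressgateway  # use istio default ingress gateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*.company.com"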
---
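# The following virtual service routes requests to workload
# Every "*.company.com" request accepted by the `test-ingress` gateway is sent
# to the templated destination on port 8095; no match or rewrite rules apply.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test-vs
  # Quoted so the rendered template stays a plain string scalar.
  namespace: "{{ .Namespace }}"
spec:
  hosts:
    - "*.company.com"
  gateways:
    - test-ingress
  http:
    - route:
        - destination:
            host: "{{ .dst }}"
            port:
              number: 8095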