| # The following policy denies access to "internal.company.com" and path "/private", |
| # denies access from 172.17.72.46 or 192.168.4.0/23 to "remoteipblocks.company.com", |
| # denies access from anything but 172.23.240.0/22 to "notremoteipblocks.company.com", |
| # and denies access to "remoteipattr.company.com" when the remote ip is 10.242.5.7 or |
| # in the network 10.124.99.0/24. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: deny-policy |
| namespace: "{{ .RootNamespace }}" |
| spec: |
| action: DENY |
| selector: |
| matchLabels: |
| app: istio-ingressgateway |
| rules: |
| - to: |
| - operation: |
| hosts: ["deny.company.com", "*.suffix.company.com", "prefix.company.*"] |
| - to: |
| - operation: |
| hosts: ["internal.company.com"] |
| - operation: |
| paths: ["/private"] |
| - from: |
| - source: |
| remoteIpBlocks: ["172.17.72.46", "192.168.4.0/23"] |
| to: |
| - operation: |
| hosts: ["remoteipblocks.company.com"] |
| - from: |
| - source: |
| notRemoteIpBlocks: ["172.23.240.0/22"] |
| to: |
| - operation: |
| hosts: ["notremoteipblocks.company.com"] |
| - to: |
| - operation: |
| hosts: ["remoteipattr.company.com"] |
| when: |
| - key: remote.ip |
| values: ["10.242.5.7", "10.124.99.0/24"] |
| - from: |
| - source: |
| ipBlocks: ["172.19.19.19"] |
| to: |
| - operation: |
| hosts: ["ipblocks.company.com"] |
| - from: |
| - source: |
| notIpBlocks: ["172.19.19.20"] |
| to: |
| - operation: |
| hosts: ["notipblocks.company.com"] |
| --- |
| |
| # The following gateway allows request to "*.company.com" |
| |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: Gateway |
| metadata: |
| name: test-ingress |
| namespace: {{ .Namespace }} |
| spec: |
| selector: |
| istio: ingressgateway # use istio default ingress gateway |
| servers: |
| - port: |
| number: 80 |
| name: http |
| protocol: HTTP |
| hosts: |
| - "*.company.com" |
| --- |
| |
| # The following virtual service routes requests to workload |
| |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: VirtualService |
| metadata: |
| name: test-vs |
| namespace: {{ .Namespace }} |
| spec: |
| hosts: |
| - "*.company.com" |
| gateways: |
| - test-ingress |
| http: |
| - route: |
| - destination: |
| host: {{ .dst }} |
| port: |
| number: 8095 |