tests/integration/security/testdata/authz/v1beta1-ingress-gateway.yaml.tmpl - dubbo-go-pixiu - Git at Google

 # The following policy denies access to "internal.company.com" and path "/private",
 # denies access from 172.17.72.46 or 192.168.4.0/23 to "remoteipblocks.company.com",
 # denies access from anything but 172.23.240.0/22 to "notremoteipblocks.company.com",
 # and denies access to "remoteipattr.company.com" when the remote ip is 10.242.5.7 or
 # in the network 10.124.99.0/24.

 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: deny-policy
   namespace: "{{ .RootNamespace }}"
 spec:
   action: DENY
   selector:
     matchLabels:
       app: istio-ingressgateway
   rules:
     - to:
         - operation:
             hosts: ["deny.company.com", "*.suffix.company.com", "prefix.company.*"]
     - to:
         - operation:
             hosts: ["internal.company.com"]
         - operation:
             paths: ["/private"]
     - from:
         - source:
             remoteIpBlocks: ["172.17.72.46", "192.168.4.0/23"]
       to:
         - operation:
             hosts: ["remoteipblocks.company.com"]
     - from:
         - source:
             notRemoteIpBlocks: ["172.23.240.0/22"]
       to:
         - operation:
             hosts: ["notremoteipblocks.company.com"]
     - to:
         - operation:
             hosts: ["remoteipattr.company.com"]
       when:
         - key: remote.ip
           values: ["10.242.5.7", "10.124.99.0/24"]
     - from:
         - source:
             ipBlocks: ["172.19.19.19"]
       to:
         - operation:
             hosts: ["ipblocks.company.com"]
     - from:
         - source:
             notIpBlocks: ["172.19.19.20"]
       to:
         - operation:
             hosts: ["notipblocks.company.com"]
 ---

 # The following gateway allows request to "*.company.com"

 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
   name: test-ingress
   namespace: {{ .Namespace }}
 spec:
   selector:
     istio: ingressgateway # use istio default ingress gateway
   servers:
     - port:
         number: 80
         name: http
         protocol: HTTP
       hosts:
         - "*.company.com"
 ---

 # The following virtual service routes requests to workload

 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   name: test-vs
   namespace: {{ .Namespace }}
 spec:
   hosts:
   - "*.company.com"
   gateways:
   - test-ingress
   http:
   - route:
     - destination:
         host: {{ .dst }}
         port:
           number: 8095
	# The following policy denies access to "internal.company.com" and path "/private",
	# denies access from 172.17.72.46 or 192.168.4.0/23 to "remoteipblocks.company.com",
	# denies access from anything but 172.23.240.0/22 to "notremoteipblocks.company.com",
	# and denies access to "remoteipattr.company.com" when the remote ip is 10.242.5.7 or
	# in the network 10.124.99.0/24.

	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: deny-policy
	namespace: "{{ .RootNamespace }}"
	spec:
	action: DENY
	selector:
	matchLabels:
	app: istio-ingressgateway
	rules:
	- to:
	- operation:
	hosts: ["deny.company.com", ".suffix.company.com", "prefix.company."]
	- to:
	- operation:
	hosts: ["internal.company.com"]
	- operation:
	paths: ["/private"]
	- from:
	- source:
	remoteIpBlocks: ["172.17.72.46", "192.168.4.0/23"]
	to:
	- operation:
	hosts: ["remoteipblocks.company.com"]
	- from:
	- source:
	notRemoteIpBlocks: ["172.23.240.0/22"]
	to:
	- operation:
	hosts: ["notremoteipblocks.company.com"]
	- to:
	- operation:
	hosts: ["remoteipattr.company.com"]
	when:
	- key: remote.ip
	values: ["10.242.5.7", "10.124.99.0/24"]
	- from:
	- source:
	ipBlocks: ["172.19.19.19"]
	to:
	- operation:
	hosts: ["ipblocks.company.com"]
	- from:
	- source:
	notIpBlocks: ["172.19.19.20"]
	to:
	- operation:
	hosts: ["notipblocks.company.com"]
	---

	# The following gateway allows request to "*.company.com"

	apiVersion: networking.istio.io/v1alpha3
	kind: Gateway
	metadata:
	name: test-ingress
	namespace: {{ .Namespace }}
	spec:
	selector:
	istio: ingressgateway # use istio default ingress gateway
	servers:
	- port:
	number: 80
	name: http
	protocol: HTTP
	hosts:
	- "*.company.com"
	---

	# The following virtual service routes requests to workload

	apiVersion: networking.istio.io/v1alpha3
	kind: VirtualService
	metadata:
	name: test-vs
	namespace: {{ .Namespace }}
	spec:
	hosts:
	- "*.company.com"
	gateways:
	- test-ingress
	http:
	- route:
	- destination:
	host: {{ .dst }}
	port:
	number: 8095