blob: e571d514954fffdbd7965a50fb4fa4a4b803e932 [file] [log] [blame]
# Enforce access control based on JWT subject.
# The following policy enables JWT authentication on destination service.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: default
namespace: {{ .Namespace }}
spec:
jwtRules:
- issuer: "test-issuer-1@istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
- issuer: "test-issuer-2@istio.io"
jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
# The following policy enables authorization on workload:
# - Allow request principal test-issuer-1@istio.io/sub-1 to access path /token1
# - Allow request in group-2 to access path /token2
# - Allow request with any token to access path /tokenAny
# - Allow request with permission claim of "write" to access path /permission
# - Allow request with valid JWT token to access path /jwt1
# - Allow request with valid JWT token of presenter foo to access path with suffix "/presenter"
# - Allow request with valid JWT token of audiences bar to access path with suffix "/audiences"
# - Deny request with JWT token from test-issuer-1@istio.io to access path with suffix "/token3" and "GET" method
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy-{{ .dst }}
namespace: "{{ .Namespace }}"
spec:
selector:
matchLabels:
"app": "{{ .dst }}"
rules:
- to:
- operation:
paths: ["/token1"]
methods: ["GET"]
from:
- source:
requestPrincipals: ["test-issuer-1@istio.io/sub-1"]
- to:
- operation:
paths: ["/token2"]
methods: ["GET"]
when:
- key: request.auth.claims[groups]
values: ["group-2"]
- to:
- operation:
paths: ["/tokenAny"]
methods: ["GET"]
from:
- source:
requestPrincipals: ["*"]
- to:
- operation:
paths: ["/permission"]
methods: ["GET"]
when:
- key: request.auth.claims[permission]
values: ["write"]
- to:
- operation:
paths: ["/nested-key1"]
methods: ["GET"]
when:
- key: request.auth.claims[nested][key1]
values: ["valueB"]
- to:
- operation:
paths: ["/nested-non-exist"]
methods: ["GET"]
when:
- key: request.auth.claims[nested][non-exist]
values: ["valueC"]
- to:
- operation:
paths: ["/nested-key2"]
methods: ["GET"]
when:
- key: request.auth.claims[nested][key2]
values: ["valueC"]
- to:
- operation:
paths: ["/nested-2-key1"]
methods: ["GET"]
when:
- key: request.auth.claims[nested][nested-2][key1]
values: ["valueA"]
- to:
- operation:
paths: ["/valid-jwt"]
when:
- key: request.auth.principal
values: ["*"]
- to:
- operation:
paths: ["*/presenter"]
when:
- key: request.auth.presenter
values: ["bar"]
- to:
- operation:
paths: ["*/audiences"]
when:
- key: request.auth.audiences
values: ["foo"]
- to:
- operation:
paths: ["/token3"]
methods: ["GET"]
from:
- source:
notRequestPrincipals: ["test-issuer-1@istio.io/sub-1"]
---