| # Enforce access control based on JWT subject. |
| |
| # The following policy enables JWT authentication on destination service. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: RequestAuthentication |
| metadata: |
| name: default |
| namespace: {{ .Namespace }} |
| spec: |
| jwtRules: |
| - issuer: "test-issuer-1@istio.io" |
| jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json" |
| - issuer: "test-issuer-2@istio.io" |
| jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json" |
| --- |
| |
| # The following policy enables authorization on workload: |
| # - Allow request principal test-issuer-1@istio.io/sub-1 to access path /token1 |
| # - Allow request in group-2 to access path /token2 |
| # - Allow request with any token to access path /tokenAny |
| # - Allow request with permission claim of "write" to access path /permission |
| # - Allow request with valid JWT token to access path /jwt1 |
| # - Allow request with valid JWT token of presenter foo to access path with suffix "/presenter" |
| # - Allow request with valid JWT token of audiences bar to access path with suffix "/audiences" |
| # - Deny request with JWT token from test-issuer-1@istio.io to access path with suffix "/token3" and "GET" method |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .dst }} |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .dst }}" |
| rules: |
| - to: |
| - operation: |
| paths: ["/token1"] |
| methods: ["GET"] |
| from: |
| - source: |
| requestPrincipals: ["test-issuer-1@istio.io/sub-1"] |
| - to: |
| - operation: |
| paths: ["/token2"] |
| methods: ["GET"] |
| when: |
| - key: request.auth.claims[groups] |
| values: ["group-2"] |
| - to: |
| - operation: |
| paths: ["/tokenAny"] |
| methods: ["GET"] |
| from: |
| - source: |
| requestPrincipals: ["*"] |
| - to: |
| - operation: |
| paths: ["/permission"] |
| methods: ["GET"] |
| when: |
| - key: request.auth.claims[permission] |
| values: ["write"] |
| - to: |
| - operation: |
| paths: ["/nested-key1"] |
| methods: ["GET"] |
| when: |
| - key: request.auth.claims[nested][key1] |
| values: ["valueB"] |
| - to: |
| - operation: |
| paths: ["/nested-non-exist"] |
| methods: ["GET"] |
| when: |
| - key: request.auth.claims[nested][non-exist] |
| values: ["valueC"] |
| - to: |
| - operation: |
| paths: ["/nested-key2"] |
| methods: ["GET"] |
| when: |
| - key: request.auth.claims[nested][key2] |
| values: ["valueC"] |
| - to: |
| - operation: |
| paths: ["/nested-2-key1"] |
| methods: ["GET"] |
| when: |
| - key: request.auth.claims[nested][nested-2][key1] |
| values: ["valueA"] |
| - to: |
| - operation: |
| paths: ["/valid-jwt"] |
| when: |
| - key: request.auth.principal |
| values: ["*"] |
| - to: |
| - operation: |
| paths: ["*/presenter"] |
| when: |
| - key: request.auth.presenter |
| values: ["bar"] |
| - to: |
| - operation: |
| paths: ["*/audiences"] |
| when: |
| - key: request.auth.audiences |
| values: ["foo"] |
| - to: |
| - operation: |
| paths: ["/token3"] |
| methods: ["GET"] |
| from: |
| - source: |
| notRequestPrincipals: ["test-issuer-1@istio.io/sub-1"] |
| --- |