| # The following policy denies access to path with prefix "/prefix" except "/prefix/allowlist" to workload b. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .b }}-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .b }}" |
| action: DENY |
| rules: |
| - to: |
| - operation: |
| paths: ["/prefix*"] |
| notPaths: ["/prefix/allowlist"] |
| --- |
| # The following policy will deny all the requests to GET method |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .b }}-allow |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .b }}" |
| action: ALLOW |
| rules: |
| - to: |
| - operation: |
| notMethods : ["PUT"] |
| --- |
| # The following policy denies access from other namespaces. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .c }}-same-namespace |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .c }}" |
| action: DENY |
| rules: |
| - from: |
| - source: |
| notNamespaces: ["{{ .Namespace }}"] |
| --- |
| # The following policy allows request if the host is not "deny.com" |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .c }}-allow |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .c }}" |
| action: ALLOW |
| rules: |
| - to: |
| - operation: |
| notHosts: ["deny.com"] |
| --- |
| |
| # The following policy denies access to a workload d if it's not mTLS, in other words, it allows only mTLS traffic to access the workload d. |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .d }}-mtls-traffic |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .d }}" |
| action: DENY |
| rules: |
| - from: |
| - source: |
| notPrincipals: ["*"] |
| --- |
| # The following policy allows request if the port is not "8091" |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .d }}-allow |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .d }}" |
| action: ALLOW |
| rules: |
| - to: |
| - operation: |
| notPorts: ["8091"] |
| --- |
| # The following policy denies access to path with prefix "/prefix" except "/prefix/allowlist" to workload vm. |
| # (TODO)JimmyCYJ: the following policy is a duplicate of policy-{{ .b }}-deny and can be removed once the test framework supports multiple vm workloads. |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .vm }}-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .vm }}" |
| action: DENY |
| rules: |
| - to: |
| - operation: |
| paths: ["/prefix*"] |
| notPaths: ["/prefix/allowlist"] |
| --- |
| |
| # The following policy enables mTLS with PERMISSIVE mode for all workloads in the namespace |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: PeerAuthentication |
| metadata: |
| name: default |
| namespace: "{{ .Namespace }}" |
| spec: |
| mtls: |
| mode: PERMISSIVE |
| --- |
| |
| # The following destination rule enables mTLS in the namespace |
| |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: DestinationRule |
| metadata: |
| name: "mtls" |
| namespace: "{{ .Namespace }}" |
| spec: |
| host: "*.{{ .Namespace }}.svc.cluster.local" |
| exportTo: ["."] |
| trafficPolicy: |
| tls: |
| mode: ISTIO_MUTUAL |
| --- |
| |
| # The following destination rule enables mTLS from namespace 2 to workload b. |
| |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: DestinationRule |
| metadata: |
| name: "dr-{{ .b }}" |
| namespace: "{{ .Namespace2 }}" |
| spec: |
| host: "{{ .b }}.{{ .Namespace }}.svc.cluster.local" |
| exportTo: ["."] |
| trafficPolicy: |
| tls: |
| mode: ISTIO_MUTUAL |
| --- |
| |
| # The following destination rule enables mTLS from namespace 2 to workload c. |
| |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: DestinationRule |
| metadata: |
| name: "dr-{{ .c }}" |
| namespace: "{{ .Namespace2 }}" |
| spec: |
| host: "{{ .c }}.{{ .Namespace }}.svc.cluster.local" |
| exportTo: ["."] |
| trafficPolicy: |
| tls: |
| mode: ISTIO_MUTUAL |
| --- |
| |
| # The following destination rule disables mTLS from namespace 2 to workload d. |
| |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: DestinationRule |
| metadata: |
| name: "dr-{{ .d }}" |
| namespace: "{{ .Namespace2 }}" |
| spec: |
| host: "{{ .d }}.{{ .Namespace }}.svc.cluster.local" |
| exportTo: ["."] |
| trafficPolicy: |
| tls: |
| mode: DISABLE |
| --- |