tests/integration/security/testdata/authz/v1beta1-negative-match.yaml.tmpl - dubbo-go-pixiu - Git at Google

 # The following policy denies access to path with prefix "/prefix" except "/prefix/allowlist" to workload b.

 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: policy-{{ .b }}-deny
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       "app": "{{ .b }}"
   action: DENY
   rules:
   - to:
     - operation:
         paths: ["/prefix*"]
         notPaths: ["/prefix/allowlist"]
 ---
 # The following policy will deny all the requests to GET method

 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: policy-{{ .b }}-allow
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       "app": "{{ .b }}"
   action: ALLOW
   rules:
   - to:
     - operation:
         notMethods : ["PUT"]
 ---
 # The following policy denies access from other namespaces.

 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: policy-{{ .c }}-same-namespace
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       "app": "{{ .c }}"
   action: DENY
   rules:
   - from:
     - source:
         notNamespaces: ["{{ .Namespace }}"]
 ---
 # The following policy allows request if the host is not "deny.com"

 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: policy-{{ .c }}-allow
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       "app": "{{ .c }}"
   action: ALLOW
   rules:
   - to:
     - operation:
         notHosts: ["deny.com"]
 ---

 # The following policy denies access to a workload d if it's not mTLS, in other words, it allows only mTLS traffic to access the workload d.

 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: policy-{{ .d }}-mtls-traffic
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       "app": "{{ .d }}"
   action: DENY
   rules:
   - from:
     - source:
         notPrincipals: ["*"]
 ---
 # The following policy allows request if the port is not "8091"

 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: policy-{{ .d }}-allow
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       "app": "{{ .d }}"
   action: ALLOW
   rules:
   - to:
     - operation:
         notPorts: ["8091"]
 ---
 # The following policy denies access to path with prefix "/prefix" except "/prefix/allowlist" to workload vm.
 # (TODO)JimmyCYJ: the following policy is a duplicate of policy-{{ .b }}-deny and can be removed once the test framework supports multiple vm workloads.
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: policy-{{ .vm }}-deny
   namespace: "{{ .Namespace }}"
 spec:
   selector:
     matchLabels:
       "app": "{{ .vm }}"
   action: DENY
   rules:
   - to:
     - operation:
         paths: ["/prefix*"]
         notPaths: ["/prefix/allowlist"]
 ---

 # The following policy enables mTLS with PERMISSIVE mode for all workloads in the namespace

 apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
   name: default
   namespace: "{{ .Namespace }}"
 spec:
   mtls:
     mode: PERMISSIVE
 ---

 # The following destination rule enables mTLS in the namespace

 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
   name: "mtls"
   namespace: "{{ .Namespace }}"
 spec:
   host: "*.{{ .Namespace }}.svc.cluster.local"
   exportTo: ["."]
   trafficPolicy:
     tls:
       mode: ISTIO_MUTUAL
 ---

 # The following destination rule enables mTLS from namespace 2 to workload b.

 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
   name: "dr-{{ .b }}"
   namespace: "{{ .Namespace2 }}"
 spec:
   host: "{{ .b }}.{{ .Namespace }}.svc.cluster.local"
   exportTo: ["."]
   trafficPolicy:
     tls:
       mode: ISTIO_MUTUAL
 ---

 # The following destination rule enables mTLS from namespace 2 to workload c.

 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
   name: "dr-{{ .c }}"
   namespace: "{{ .Namespace2 }}"
 spec:
   host: "{{ .c }}.{{ .Namespace }}.svc.cluster.local"
   exportTo: ["."]
   trafficPolicy:
     tls:
       mode: ISTIO_MUTUAL
 ---

 # The following destination rule disables mTLS from namespace 2 to workload d.

 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
   name: "dr-{{ .d }}"
   namespace: "{{ .Namespace2 }}"
 spec:
   host: "{{ .d }}.{{ .Namespace }}.svc.cluster.local"
   exportTo: ["."]
   trafficPolicy:
     tls:
       mode: DISABLE
 ---
	# The following policy denies access to path with prefix "/prefix" except "/prefix/allowlist" to workload b.

	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: policy-{{ .b }}-deny
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	"app": "{{ .b }}"
	action: DENY
	rules:
	- to:
	- operation:
	paths: ["/prefix*"]
	notPaths: ["/prefix/allowlist"]
	---
	# The following policy will deny all the requests to GET method

	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: policy-{{ .b }}-allow
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	"app": "{{ .b }}"
	action: ALLOW
	rules:
	- to:
	- operation:
	notMethods : ["PUT"]
	---
	# The following policy denies access from other namespaces.

	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: policy-{{ .c }}-same-namespace
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	"app": "{{ .c }}"
	action: DENY
	rules:
	- from:
	- source:
	notNamespaces: ["{{ .Namespace }}"]
	---
	# The following policy allows request if the host is not "deny.com"

	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: policy-{{ .c }}-allow
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	"app": "{{ .c }}"
	action: ALLOW
	rules:
	- to:
	- operation:
	notHosts: ["deny.com"]
	---

	# The following policy denies access to a workload d if it's not mTLS, in other words, it allows only mTLS traffic to access the workload d.

	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: policy-{{ .d }}-mtls-traffic
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	"app": "{{ .d }}"
	action: DENY
	rules:
	- from:
	- source:
	notPrincipals: ["*"]
	---
	# The following policy allows request if the port is not "8091"

	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: policy-{{ .d }}-allow
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	"app": "{{ .d }}"
	action: ALLOW
	rules:
	- to:
	- operation:
	notPorts: ["8091"]
	---
	# The following policy denies access to path with prefix "/prefix" except "/prefix/allowlist" to workload vm.
	# (TODO)JimmyCYJ: the following policy is a duplicate of policy-{{ .b }}-deny and can be removed once the test framework supports multiple vm workloads.
	apiVersion: security.istio.io/v1beta1
	kind: AuthorizationPolicy
	metadata:
	name: policy-{{ .vm }}-deny
	namespace: "{{ .Namespace }}"
	spec:
	selector:
	matchLabels:
	"app": "{{ .vm }}"
	action: DENY
	rules:
	- to:
	- operation:
	paths: ["/prefix*"]
	notPaths: ["/prefix/allowlist"]
	---

	# The following policy enables mTLS with PERMISSIVE mode for all workloads in the namespace

	apiVersion: security.istio.io/v1beta1
	kind: PeerAuthentication
	metadata:
	name: default
	namespace: "{{ .Namespace }}"
	spec:
	mtls:
	mode: PERMISSIVE
	---

	# The following destination rule enables mTLS in the namespace

	apiVersion: networking.istio.io/v1alpha3
	kind: DestinationRule
	metadata:
	name: "mtls"
	namespace: "{{ .Namespace }}"
	spec:
	host: "*.{{ .Namespace }}.svc.cluster.local"
	exportTo: ["."]
	trafficPolicy:
	tls:
	mode: ISTIO_MUTUAL
	---

	# The following destination rule enables mTLS from namespace 2 to workload b.

	apiVersion: networking.istio.io/v1alpha3
	kind: DestinationRule
	metadata:
	name: "dr-{{ .b }}"
	namespace: "{{ .Namespace2 }}"
	spec:
	host: "{{ .b }}.{{ .Namespace }}.svc.cluster.local"
	exportTo: ["."]
	trafficPolicy:
	tls:
	mode: ISTIO_MUTUAL
	---

	# The following destination rule enables mTLS from namespace 2 to workload c.

	apiVersion: networking.istio.io/v1alpha3
	kind: DestinationRule
	metadata:
	name: "dr-{{ .c }}"
	namespace: "{{ .Namespace2 }}"
	spec:
	host: "{{ .c }}.{{ .Namespace }}.svc.cluster.local"
	exportTo: ["."]
	trafficPolicy:
	tls:
	mode: ISTIO_MUTUAL
	---

	# The following destination rule disables mTLS from namespace 2 to workload d.

	apiVersion: networking.istio.io/v1alpha3
	kind: DestinationRule
	metadata:
	name: "dr-{{ .d }}"
	namespace: "{{ .Namespace2 }}"
	spec:
	host: "{{ .d }}.{{ .Namespace }}.svc.cluster.local"
	exportTo: ["."]
	trafficPolicy:
	tls:
	mode: DISABLE
	---