| # The following policy denies request with path "/data" to port 8091 for workload |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .b }}-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .b }}" |
| action: DENY |
| rules: |
| - to: |
| - operation: |
| paths: ["/data"] |
| ports: ["8091"] |
| --- |
| |
| # The following policy denies: |
| # request to port 8091 for workload c |
| # request to port 8094 with principal suffix matching |
| # request to port 8093 with namespace suffix matching |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .c }}-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .c }}" |
| action: DENY |
| rules: |
| - to: |
| - operation: |
| ports: ["8091"] |
| - to: |
| - operation: |
| ports: ["8094"] |
| from: |
| - source: |
| principals: ["*/ns/{{ .Namespace }}/sa/{{ .b }}"] |
| - to: |
| - operation: |
| ports: ["8093"] |
| from: |
| - source: |
| namespaces: ["*{{ .Namespace2 }}"] |
| --- |
| |
| # The following policy denies request from service account a and namespace 2 for workload d |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .d }}-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .d }}" |
| action: DENY |
| rules: |
| - from: |
| - source: |
| principals: ["cluster.local/ns/{{ .Namespace }}/sa/{{ .a }}"] |
| - source: |
| namespaces: ["{{ .Namespace2 }}"] |
| --- |
| |
| # The following policy denies request with path "/other" for workload e |
| |
| apiVersion: security.istio.io/v1beta1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: policy-{{ .e }}-deny |
| namespace: "{{ .Namespace }}" |
| spec: |
| selector: |
| matchLabels: |
| "app": "{{ .e }}" |
| action: DENY |
| rules: |
| - to: |
| - operation: |
| paths: ["/other"] |
| --- |