apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: full spec: selector: matchLabels: app: httpbin rules: - from: - source: principals: ["principal", "principal-prefix-*", "*-suffix-principal", "*"] requestPrincipals: ["requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*"] namespaces: ["ns", "ns-prefix-*", "*-ns-suffix", "*"] ipBlocks: ["1.2.3.4", "5.6.0.0/16"] remoteIpBlocks: ["1.2.3.4", "5.6.0.0/16"] notPrincipals: ["not-principal", "not-principal-prefix-*", "*-not-suffix-principal", "*"] notRequestPrincipals: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"] notNamespaces: ["not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*"] notIpBlocks: ["9.0.0.1", "9.2.0.0/16"] notRemoteIpBlocks: ["9.0.0.1", "9.2.0.0/16"] to: - operation: methods: ["method", "method-prefix-*", "*-suffix-method", "*"] hosts: ["exact.com", "*.suffix.com", "prefix.*", "*"] ports: ["80", "90"] paths: ["/exact", "/prefix/*", "*/suffix", "*", "/path/template/{*}", "/{**}/path/template"] notMethods: ["not-method", "not-method-prefix-*", "*-not-suffix-method", "*"] notHosts: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"] notPorts: ["8000", "9000"] notPaths: ["/not-exact", "/not-prefix/*", "*/not-suffix", "*", "/not-path/template/{*}", "/{**}/not-path/template"] when: - key: "request.headers[X-header]" values: ["header", "header-prefix-*", "*-suffix-header", "*"] notValues: ["not-header", "not-header-prefix-*", "*-not-suffix-header", "*"] - key: "source.ip" values: ["10.10.10.10", "192.168.10.0/24"] notValues: ["90.10.10.10", "90.168.10.0/24"] - key: "remote.ip" values: ["10.10.10.10", "192.168.10.0/24"] notValues: ["90.10.10.10", "90.168.10.0/24"] - key: "source.namespace" values: ["ns", "ns-prefix-*", "*-ns-suffix", "*"] notValues: ["not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*"] - key: "source.principal" values: ["principal", "principal-prefix-*", "*-suffix-principal", "*"] notValues: ["not-principal", "not-principal-prefix-*", "*-not-suffix-principal", "*"] - key: "request.auth.principal" values: ["requestPrincipals", "requestPrincipals-prefix-*", "*-suffix-requestPrincipals", "*", "https://example.com/*"] notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"] - key: "request.auth.audiences" values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"] notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"] - key: "request.auth.presenter" values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"] notValues: ["not-presenter", "not-presenter-prefix-*", "*-not-suffix-presenter", "*"] - key: "request.auth.claims[iss]" values: ["iss", "iss-prefix-*", "*-suffix-iss", "*"] notValues: ["not-iss", "not-iss-prefix-*", "*-not-suffix-iss", "*"] - key: "request.auth.claims[nested1][nested2]" values: ["nested", "nested-prefix-*", "*-suffix-nested", "*"] notValues: ["not-nested", "not-nested-prefix-*", "*-not-suffix-nested", "*"] - key: "destination.ip" values: ["10.10.10.10", "192.168.10.0/24"] notValues: ["90.10.10.10", "90.168.10.0/24"] - key: "destination.port" values: ["91", "92"] notValues: ["9001", "9002"] - key: "connection.sni" values: ["exact.com", "*.suffix.com", "prefix.*", "*"] notValues: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"] - key: "experimental.envoy.filters.a.b[c]" values: ["exact", "prefix-*", "*-suffix", "*"] notValues: ["not-exact", "not-prefix-*", "*-not-suffix", "*"] --- apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: service-account-and-namespace-principal-split spec: rules: - from: - source: serviceAccounts: ["baz/sa", "sa"] - source: principals: ["bar"] - source: namespaces: ["bar"]