mirror of https://github.com/istio/istio.io.git
udocs upddate for policies graduation (#12320)
parent
c64c048174
commit
60eb0e4474
|
@ -575,7 +575,7 @@ access the workloads with the `app: httpbin` and `version: v1` labels in the
|
|||
`foo` namespace when requests sent have a valid JWT token.
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: httpbin
|
||||
|
@ -604,7 +604,7 @@ The following example shows an authorization policy that denies requests if the
|
|||
source is not the `foo` namespace:
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: httpbin-deny
|
||||
|
@ -645,7 +645,7 @@ For example, the `allow-read` policy allows `"GET"` and `"HEAD"` access to the
|
|||
workload with the `app: products` label in the `default` namespace.
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: allow-read
|
||||
|
@ -687,7 +687,7 @@ The following example policy allows access at paths with the `/test/*` prefix
|
|||
or the `*/info` suffix.
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tester
|
||||
|
@ -713,7 +713,7 @@ JWT authentication, if the request path is not `/healthz`. Thus, the policy
|
|||
excludes requests to the `/healthz` path from the JWT authentication:
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: disable-jwt-for-healthz
|
||||
|
@ -736,7 +736,7 @@ The following example denies the request to the `/admin` path for requests
|
|||
without request principals:
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: enable-jwt-for-admin
|
||||
|
@ -768,7 +768,7 @@ access to the workload.
|
|||
{{< /tip >}}
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: allow-nothing
|
||||
|
@ -782,7 +782,7 @@ there is another `ALLOW` policy allowing the request because the `DENY` policy t
|
|||
This is useful if you want to temporarily disable all access to the workload.
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: deny-all
|
||||
|
@ -798,7 +798,7 @@ useless as it will always allow the request. It might be useful if you want to t
|
|||
workload. Note the request could still be denied due to `CUSTOM` and `DENY` policies.
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: allow-all
|
||||
|
@ -818,7 +818,7 @@ key is `request.headers[version]`, which is an entry in the Istio attribute
|
|||
`request.headers`, which is a map.
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: httpbin
|
||||
|
@ -850,7 +850,7 @@ If you want to make a workload publicly accessible, you need to leave the
|
|||
unauthenticated) users and workloads, for example:
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: httpbin
|
||||
|
@ -871,7 +871,7 @@ To allow only authenticated users, set `principals` to `"*"` instead, for
|
|||
example:
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: httpbin
|
||||
|
@ -911,7 +911,7 @@ configures an authorization policy to only allows the `bookinfo-ratings-v2`
|
|||
service in the Istio mesh to access the MongoDB workload.
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: mongodb-policy
|
||||
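Review bot: The samples in this file now use `apiVersion: security.istio.io/v1`, but nothing in the visible text says which Istio release first serves that version for `AuthorizationPolicy`. On a cluster whose installed CRDs only serve `v1beta1`, `kubectl apply` would presumably reject the manifest, so a reader copying the `deny-all` or `allow-nothing` sample would end up with no policy in place. Consider adding a short note near the first example, for instance `These examples use the v1 API; on releases that only serve v1beta1, set apiVersion to security.istio.io/v1beta1.` Each hunk shows only the first lines of its manifest, so the rest of the policy bodies was not reviewed.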
|
|
|
@ -59,7 +59,7 @@ and do not use any of the **positive** matching fields (e.g. `paths`, `values`).
|
|||
For example, the authorization policy below uses the `ALLOW-with-positive-matching` pattern to allow requests to path `/public`:
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: foo
|
||||
|
@ -78,7 +78,7 @@ of unknown normalization behavior causing policy bypass.
|
|||
The following is an example using the `DENY-with-negative-matching` pattern to achieve the same result:
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: foo
|
||||
|
@ -313,7 +313,7 @@ prefix matches instead of exact matches. For example, for an `AuthorizationPoli
|
|||
for a hostname of `example.com`, you would use `hosts: ["example.com", "example.com:*"]` as shown in the below `AuthorizationPolicy`.
|
||||
|
||||
{{< text yaml >}}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-host
|
||||
|
|
|
@ -381,7 +381,7 @@ Now, add a request authentication policy that requires end-user JWT for the ingr
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: RequestAuthentication
|
||||
metadata:
|
||||
name: "jwt-example"
|
||||
|
@ -464,7 +464,7 @@ To reject requests without valid tokens, add an authorization policy with a rule
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "frontend-ingress"
|
||||
|
@ -494,7 +494,7 @@ To refine authorization with a token requirement per host, path, or method, chan
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "frontend-ingress"
|
||||
|
|
|
@ -313,7 +313,7 @@ ENDSNIP
|
|||
|
||||
snip_enduser_authentication_4() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: RequestAuthentication
|
||||
metadata:
|
||||
name: "jwt-example"
|
||||
|
@ -381,7 +381,7 @@ ENDSNIP
|
|||
|
||||
snip_require_a_valid_token_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "frontend-ingress"
|
||||
|
@ -408,7 +408,7 @@ ENDSNIP
|
|||
|
||||
snip_require_valid_tokens_perpath_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "frontend-ingress"
|
||||
|
|
|
@ -52,7 +52,7 @@ identity and more secure compared using the unauthenticated HTTP attributes (e.g
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: RequestAuthentication
|
||||
metadata:
|
||||
name: ingress-jwt
|
||||
|
|
|
@ -36,7 +36,7 @@ ENDSNIP
|
|||
|
||||
snip_configuring_ingress_routing_based_on_jwt_claims_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: RequestAuthentication
|
||||
metadata:
|
||||
name: ingress-jwt
|
||||
|
|
|
@ -157,7 +157,7 @@ The external authorizer is now ready to be used by the authorization policy.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -n foo -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ext-authz
|
||||
|
|
|
@ -105,7 +105,7 @@ ENDSNIP
|
|||
|
||||
snip_enable_with_external_authorization_1() {
|
||||
kubectl apply -n foo -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ext-authz
|
||||
|
|
|
@ -52,7 +52,7 @@ In this case, the policy denies requests if their method is `GET`.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: deny-method-get
|
||||
|
@ -90,7 +90,7 @@ a header value that is not `admin`:
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: deny-method-get
|
||||
|
@ -130,7 +130,7 @@ to `ALLOW`. This type of policy is better known as an allow policy.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: allow-path-ip
|
||||
|
|
|
@ -36,7 +36,7 @@ ENDSNIP
|
|||
|
||||
snip_explicitly_deny_a_request_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: deny-method-get
|
||||
|
@ -71,7 +71,7 @@ ENDSNIP
|
|||
|
||||
snip_explicitly_deny_a_request_4() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: deny-method-get
|
||||
|
@ -109,7 +109,7 @@ ENDSNIP
|
|||
|
||||
snip_explicitly_deny_a_request_7() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: allow-path-ip
|
||||
|
|
|
@ -67,7 +67,7 @@ Caching and propagation overhead can cause some delay.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -n foo -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: deny-path-headers
|
||||
|
|
|
@ -45,7 +45,7 @@ ENDSNIP
|
|||
|
||||
snip_create_dryrun_policy_1() {
|
||||
kubectl apply -n foo -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: deny-path-headers
|
||||
|
|
|
@ -56,7 +56,7 @@ and then grant more access to the workload gradually and incrementally.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: allow-nothing
|
||||
|
@ -78,7 +78,7 @@ and then grant more access to the workload gradually and incrementally.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "productpage-viewer"
|
||||
|
@ -112,7 +112,7 @@ and then grant more access to the workload gradually and incrementally.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "details-viewer"
|
||||
|
@ -138,7 +138,7 @@ and then grant more access to the workload gradually and incrementally.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "reviews-viewer"
|
||||
|
@ -172,7 +172,7 @@ and then grant more access to the workload gradually and incrementally.
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "ratings-viewer"
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
|
||||
snip_configure_access_control_for_workloads_using_http_traffic_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: allow-nothing
|
||||
|
@ -34,7 +34,7 @@ EOF
|
|||
|
||||
snip_configure_access_control_for_workloads_using_http_traffic_2() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "productpage-viewer"
|
||||
|
@ -53,7 +53,7 @@ EOF
|
|||
|
||||
snip_configure_access_control_for_workloads_using_http_traffic_3() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "details-viewer"
|
||||
|
@ -75,7 +75,7 @@ EOF
|
|||
|
||||
snip_configure_access_control_for_workloads_using_http_traffic_4() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "reviews-viewer"
|
||||
|
@ -97,7 +97,7 @@ EOF
|
|||
|
||||
snip_configure_access_control_for_workloads_using_http_traffic_5() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: "ratings-viewer"
|
||||
|
|
|
@ -211,7 +211,7 @@ Create the AuthorizationPolicy:
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -234,7 +234,7 @@ EOF
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -277,7 +277,7 @@ $ CLIENT_IP=$(kubectl get pods -n istio-system -o name -l istio=ingressgateway |
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -309,7 +309,7 @@ Create the AuthorizationPolicy:
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -347,7 +347,7 @@ not allowed to access the ingress gateway:
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -370,7 +370,7 @@ EOF
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
|
|
@ -126,7 +126,7 @@ ENDSNIP
|
|||
|
||||
snip_ipbased_allow_list_and_deny_list_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -145,7 +145,7 @@ EOF
|
|||
|
||||
snip_ipbased_allow_list_and_deny_list_2() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -180,7 +180,7 @@ ENDSNIP
|
|||
|
||||
snip_ipbased_allow_list_and_deny_list_5() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -207,7 +207,7 @@ ENDSNIP
|
|||
|
||||
snip_ipbased_allow_list_and_deny_list_7() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -234,7 +234,7 @@ ENDSNIP
|
|||
|
||||
snip_ipbased_allow_list_and_deny_list_9() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
@ -253,7 +253,7 @@ EOF
|
|||
|
||||
snip_ipbased_allow_list_and_deny_list_10() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ingress-policy
|
||||
|
|
|
@ -54,7 +54,7 @@ accepts a JWT issued by `testing@secure.istio.io`:
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: RequestAuthentication
|
||||
metadata:
|
||||
name: "jwt-example"
|
||||
|
@ -91,7 +91,7 @@ with a `/` separator as shown:
|
|||
|
||||
{{< text syntax="bash" expandlinks="false" >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: require-jwt
|
||||
|
@ -135,7 +135,7 @@ the JWT to have a claim named `groups` containing the value `group1`:
|
|||
|
||||
{{< text syntax="bash" expandlinks="false" >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: require-jwt
|
||||
|
|
|
@ -36,7 +36,7 @@ ENDSNIP
|
|||
|
||||
snip_allow_requests_with_valid_jwt_and_listtyped_claims_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: RequestAuthentication
|
||||
metadata:
|
||||
name: "jwt-example"
|
||||
|
@ -69,7 +69,7 @@ ENDSNIP
|
|||
|
||||
snip_allow_requests_with_valid_jwt_and_listtyped_claims_4() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: require-jwt
|
||||
|
@ -112,7 +112,7 @@ ENDSNIP
|
|||
|
||||
snip_allow_requests_with_valid_jwt_and_listtyped_claims_8() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: require-jwt
|
||||
|
|
|
@ -71,7 +71,7 @@ Run the following command to apply the policy to allow requests to port 9000 and
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tcp-policy
|
||||
|
@ -117,7 +117,7 @@ explicitly in the `tcp-echo` Kubernetes service object. Run the following comman
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tcp-policy
|
||||
|
@ -159,7 +159,7 @@ ALLOW rules. Run the following command and verify the output:
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tcp-policy
|
||||
|
@ -195,7 +195,7 @@ HTTP-only fields while creating a DENY rule for tcp port and due to it's restric
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tcp-policy
|
||||
|
|
|
@ -56,7 +56,7 @@ ENDSNIP
|
|||
|
||||
snip_configure_allow_authorization_policy_for_a_tcp_workload_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tcp-policy
|
||||
|
@ -101,7 +101,7 @@ ENDSNIP
|
|||
|
||||
snip_configure_allow_authorization_policy_for_a_tcp_workload_5() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tcp-policy
|
||||
|
@ -137,7 +137,7 @@ ENDSNIP
|
|||
|
||||
snip_configure_deny_authorization_policy_for_a_tcp_workload_1() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tcp-policy
|
||||
|
@ -172,7 +172,7 @@ ENDSNIP
|
|||
|
||||
snip_configure_deny_authorization_policy_for_a_tcp_workload_4() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: tcp-policy
|
||||
|
|
|
@ -43,7 +43,7 @@ Before you begin this task, do the following:
|
|||
|
||||
{{< text bash >}}
|
||||
$ kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: service-httpbin.default.svc.cluster.local
|
||||
|
|
|
@ -35,7 +35,7 @@ kubectl apply -f samples/sleep/sleep.yaml -n sleep-allow
|
|||
|
||||
snip_before_you_begin_3() {
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: service-httpbin.default.svc.cluster.local
|
||||
|
|