mirror of https://github.com/istio/istio.io.git
156 lines
4.7 KiB
Bash
156 lines
4.7 KiB
Bash
#!/bin/bash
|
|
# shellcheck disable=SC2034,SC2153,SC2155,SC2164
|
|
|
|
# Copyright Istio Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
####################################################################################################
|
|
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
|
|
# docs/tasks/security/authorization/authz-deny/index.md
|
|
####################################################################################################
|
|
|
|
snip_before_you_begin_1() {
|
|
kubectl create ns foo
|
|
kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo
|
|
kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo
|
|
}
|
|
|
|
snip_before_you_begin_2() {
|
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
|
|
}
|
|
|
|
! read -r -d '' snip_before_you_begin_2_out <<\ENDSNIP
|
|
200
|
|
ENDSNIP
|
|
|
|
snip_explicitly_deny_a_request_1() {
|
|
kubectl apply -f - <<EOF
|
|
apiVersion: security.istio.io/v1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: deny-method-get
|
|
namespace: foo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin
|
|
action: DENY
|
|
rules:
|
|
- to:
|
|
- operation:
|
|
methods: ["GET"]
|
|
EOF
|
|
}
|
|
|
|
snip_explicitly_deny_a_request_2() {
|
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/get" -X GET -sS -o /dev/null -w "%{http_code}\n"
|
|
}
|
|
|
|
! read -r -d '' snip_explicitly_deny_a_request_2_out <<\ENDSNIP
|
|
403
|
|
ENDSNIP
|
|
|
|
snip_explicitly_deny_a_request_3() {
|
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/post" -X POST -sS -o /dev/null -w "%{http_code}\n"
|
|
}
|
|
|
|
! read -r -d '' snip_explicitly_deny_a_request_3_out <<\ENDSNIP
|
|
200
|
|
ENDSNIP
|
|
|
|
snip_explicitly_deny_a_request_4() {
|
|
kubectl apply -f - <<EOF
|
|
apiVersion: security.istio.io/v1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: deny-method-get
|
|
namespace: foo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin
|
|
action: DENY
|
|
rules:
|
|
- to:
|
|
- operation:
|
|
methods: ["GET"]
|
|
when:
|
|
- key: request.headers[x-token]
|
|
notValues: ["admin"]
|
|
EOF
|
|
}
|
|
|
|
snip_explicitly_deny_a_request_5() {
|
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: admin" -sS -o /dev/null -w "%{http_code}\n"
|
|
}
|
|
|
|
! read -r -d '' snip_explicitly_deny_a_request_5_out <<\ENDSNIP
|
|
200
|
|
ENDSNIP
|
|
|
|
snip_explicitly_deny_a_request_6() {
|
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: guest" -sS -o /dev/null -w "%{http_code}\n"
|
|
}
|
|
|
|
! read -r -d '' snip_explicitly_deny_a_request_6_out <<\ENDSNIP
|
|
403
|
|
ENDSNIP
|
|
|
|
snip_explicitly_deny_a_request_7() {
|
|
kubectl apply -f - <<EOF
|
|
apiVersion: security.istio.io/v1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: allow-path-ip
|
|
namespace: foo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin
|
|
action: ALLOW
|
|
rules:
|
|
- to:
|
|
- operation:
|
|
paths: ["/ip"]
|
|
EOF
|
|
}
|
|
|
|
snip_explicitly_deny_a_request_8() {
|
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/ip" -X GET -H "x-token: guest" -s -o /dev/null -w "%{http_code}\n"
|
|
}
|
|
|
|
! read -r -d '' snip_explicitly_deny_a_request_8_out <<\ENDSNIP
|
|
403
|
|
ENDSNIP
|
|
|
|
snip_explicitly_deny_a_request_9() {
|
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/ip" -X GET -H "x-token: admin" -s -o /dev/null -w "%{http_code}\n"
|
|
}
|
|
|
|
! read -r -d '' snip_explicitly_deny_a_request_9_out <<\ENDSNIP
|
|
200
|
|
ENDSNIP
|
|
|
|
snip_explicitly_deny_a_request_10() {
|
|
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: admin" -s -o /dev/null -w "%{http_code}\n"
|
|
}
|
|
|
|
! read -r -d '' snip_explicitly_deny_a_request_10_out <<\ENDSNIP
|
|
403
|
|
ENDSNIP
|
|
|
|
snip_clean_up_1() {
|
|
kubectl delete namespace foo
|
|
}
|