######################################################################
# Learn how to create an access rule with Istio
# from the command line with 'kubectl' and a complete YAML descriptor
######################################################################
## !!!! Do not edit this file with VSCode: its formatter breaks the YAML structure !!!!
## Uses the JWT authentication/authorization feature provided by Istio.
## References used:
### https://istio.io/latest/docs/reference/config/security/request_authentication/
### https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/
### https://istio.io/latest/docs/reference/config/security/jwt/
## Documentation used:
### Clarification between AuthorizationPolicy and RequestAuthentication rules: https://stackoverflow.com/a/62417272
### https://istiobyexample.dev/jwt/
# Authentication rules
# Per the Istio RequestAuthentication reference above, this resource only
# validates a JWT *when one is presented*: a request whose token fails
# issuer/signature validation is rejected, but a request with no token at all
# still passes this stage (with an empty request principal). Requiring a token
# is the job of the ALLOW AuthorizationPolicy for the same workload, further
# down in this file.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: "my-app1-authenticationrule"
  namespace: my-poc
spec:
  # Scope: only pods labelled app=my-app1 in the my-poc namespace.
  selector:
    matchLabels:
      app: my-app1
  jwtRules:
    # Accepted tokens must carry iss=excellium-ias and be signed by a key
    # listed in the JWKS below. No `audiences` is set on this rule, so the
    # audience is NOT checked here; the audience restriction is enforced by
    # the AuthorizationPolicy via request.auth.audiences. Listing the expected
    # audience here as well (`audiences: ["app1"]`) would add defense in depth
    # by rejecting mis-audienced tokens at the authentication stage already.
    - issuer: "excellium-ias"
      # SECURITY: this JWKS is the trust anchor for every token accepted by
      # this rule, and it is fetched from a mutable branch of a public GitHub
      # repository. Anyone who can push to that repository (or take over the
      # account) can replace the key and mint tokens the mesh will trust.
      # Acceptable for a POC; in production serve the JWKS from the identity
      # provider itself, or pin the key material under your own control.
      jwksUri: "https://raw.githubusercontent.com/ExcelliumSA/CloudNativeApplications-Study/main/poc/rsa-2048-public.jwks.json"
---
# Same JWT validation as for my-app1, scoped to the my-app2 workload. As with
# any RequestAuthentication, a request that carries no token is not rejected
# here; the ALLOW AuthorizationPolicy for my-app2 is what makes a valid token
# mandatory.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: "my-app2-authenticationrule"
  namespace: my-poc
spec:
  # Scope: only pods labelled app=my-app2 in the my-poc namespace.
  selector:
    matchLabels:
      app: my-app2
  jwtRules:
    # No `audiences` here either: audience (and the ispartner claim) are
    # checked by the AuthorizationPolicy, not at the authentication stage.
    - issuer: "excellium-ias"
      # SECURITY: the JWKS comes from a mutable public GitHub branch, so
      # whoever controls that repository controls which keys the mesh trusts.
      # POC-only; use a JWKS endpoint you own in a real deployment.
      jwksUri: "https://raw.githubusercontent.com/ExcelliumSA/CloudNativeApplications-Study/main/poc/rsa-2048-public.jwks.json"
---
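# Authorization rule
# ALLOW policy for the my-app1 workload. Once an ALLOW policy selects a
# workload, every request that matches none of its rules is denied, which is
# what turns "validate the JWT if present" (RequestAuthentication) into
# "a valid JWT is required".
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: "my-app1-authorizationrule"
  namespace: my-poc
spec:
  selector:
    matchLabels:
      app: my-app1
  action: ALLOW
  rules:
    # A rule matches only when its `from` AND all of its `when` entries hold.
    - from:
        - source:
            # Request principals have the form "<issuer>/<subject>". Pinning
            # the issuer prefix instead of "*" binds this rule to the
            # excellium-ias RequestAuthentication: a token from any other
            # issuer that another RequestAuthentication in scope might trust
            # is not enough to reach my-app1. Requests without a validated
            # token have no request principal and never match.
            requestPrincipals: ["excellium-ias/*"]
      when:
        # request.auth.* attributes are only populated from a JWT that a
        # RequestAuthentication has validated; the token must list "app1"
        # among its audiences.
        - key: request.auth.audiences
          values: ["app1"]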
---
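# ALLOW policy for the my-app2 workload: a request is admitted only with a
# validated excellium-ias token whose audience is "app2" AND whose
# `ispartner` claim equals "Yes"; everything else is denied.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: "my-app2-authorizationrule"
  namespace: my-poc
spec:
  selector:
    matchLabels:
      app: my-app2
  action: ALLOW
  rules:
    # A rule matches only when its `from` AND every `when` entry hold.
    - from:
        - source:
            # "<issuer>/<subject>" with the issuer pinned, so only tokens
            # issued by excellium-ias (the issuer configured in this
            # workload's RequestAuthentication) can satisfy this rule, even if
            # another issuer is later trusted in the same scope.
            requestPrincipals: ["excellium-ias/*"]
      when:
        - key: request.auth.audiences
          values: ["app2"]
        # Exact, case-sensitive string comparison against the claim value:
        # the token must carry `"ispartner": "Yes"`. Istio matches claims of
        # type string or list of strings, so a boolean `true` or the string
        # "yes" would not satisfy this condition.
        - key: request.auth.claims[ispartner]
          values: ["Yes"]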