Created
October 12, 2021 18:33
-
-
Save incfly/df8a68e2ebe7602d537f5df4ffeaf06c to your computer and use it in GitHub Desktop.
ipblock-authz
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: security.istio.io/v1beta1 | |
| kind: AuthorizationPolicy | |
| metadata: | |
| namespace: istio-system | |
| name: deny-protect-all | |
| spec: | |
| action: DENY | |
| rules: | |
| - from: | |
| - source: | |
| notIpBlocks: ["10.0.0.0/4"] | |
| when: | |
| - key: request.headers[test-header] | |
| notValues: ["foo"] | |
| - from: | |
| - source: | |
| namespaces: ["istio-system"] | |
| when: | |
| - key: request.headers[test-header] | |
| notValues: ["foo"] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: networking.istio.io/v1beta1 | |
| kind: Gateway | |
| metadata: | |
| annotations: | |
| kubectl.kubernetes.io/last-applied-configuration: | | |
| {"apiVersion":"networking.istio.io/v1alpha3","kind":"Gateway","metadata":{"annotations":{},"name":"bookinfo-gateway","namespace":"default"},"spec":{"selector":{"istio":"ingressgateway"},"servers":[{"hosts":["*"],"port":{"name":"https-443","number":443,"protocol":"HTTPS"},"tls":{"credentialName":"ingress-tls-cert","mode":"SIMPLE"}}]}} | |
| creationTimestamp: "2021-10-05T07:11:41Z" | |
| generation: 3 | |
| name: bookinfo-gateway | |
| namespace: default | |
| resourceVersion: "28515921" | |
| uid: af5aab24-2233-4923-8499-15a08b973989 | |
| spec: | |
| selector: | |
| istio: ingressgateway | |
| servers: | |
| - hosts: | |
| - '*' | |
| port: | |
| name: http | |
| number: 80 | |
| protocol: HTTP | |
| --- | |
| apiVersion: networking.istio.io/v1beta1 | |
| kind: VirtualService | |
| metadata: | |
| annotations: | |
| kubectl.kubernetes.io/last-applied-configuration: | | |
| {"apiVersion":"networking.istio.io/v1alpha3","kind":"VirtualService","metadata":{"annotations":{},"name":"bookinfo","namespace":"default"},"spec":{"gateways":["bookinfo-gateway"],"hosts":["*"],"http":[{"match":[{"uri":{"prefix":"/productpage/oauth"}},{"uri":{"exact":"/authservice_logout"}},{"uri":{"exact":"/productpage"}},{"uri":{"prefix":"/static"}},{"uri":{"exact":"/login"}},{"uri":{"exact":"/logout"}},{"uri":{"prefix":"/api/v1/"}}],"route":[{"destination":{"host":"productpage","port":{"number":9080}}}]}]}} | |
| creationTimestamp: "2021-10-05T07:11:41Z" | |
| generation: 4 | |
| name: bookinfo | |
| namespace: default | |
| resourceVersion: "28516392" | |
| uid: e63a0fe2-7013-4793-af17-247349682b67 | |
| spec: | |
| gateways: | |
| - bookinfo-gateway | |
| hosts: | |
| - '*' | |
| http: | |
| - match: | |
| - uri: | |
| prefix: /ip | |
| route: | |
| - destination: | |
| host: httpbin.default.svc.cluster.local | |
| port: | |
| number: 8000 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # allowed since from internal | |
| kex $(kpid sl) -csleep -- curl httpbin:8000/ip | |
| # allowed since from external but with header | |
| curl localhost:8080/ip -H "test-header: foo" | |
| # denyed, from external but without header. | |
| curl localhost:8080/ip |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment