마지막 업데이트
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
action: DENY
rules:
- {} # 모든 요청 거부apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: allow-all
namespace: default
spec:
action: ALLOW
rules:
- {} # 모든 요청 허용apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: httpbin-get-only
namespace: default
spec:
selector:
matchLabels:
app: httpbin
action: ALLOW
rules:
- to:
- operation:
methods: ["GET"] # GET만 허용apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: ratings-sa-policy
namespace: default
spec:
selector:
matchLabels:
app: ratings
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/reviews"] # reviews SA만 허용apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: db-namespace-policy
namespace: database
spec:
selector:
matchLabels:
app: postgresql
action: ALLOW
rules:
- from:
- source:
namespaces: ["production", "staging"] # 특정 네임스페이스만apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: path-based-policy
namespace: default
spec:
selector:
matchLabels:
app: api
action: ALLOW
rules:
- to:
- operation:
paths: ["/api/public/*"] # 공개 API만 허용
- from:
- source:
principals: ["cluster.local/ns/default/sa/admin"]
to:
- operation:
paths: ["/api/admin/*"] # admin SA는 admin API 접근 가능apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: jwt-claims-policy
namespace: default
spec:
selector:
matchLabels:
app: myapp
action: ALLOW
rules:
- when:
- key: request.auth.claims[role]
values: ["admin", "superuser"] # role claim이 admin 또는 superuser