updated for 1.5.2

salrashid123 · Apr 29, 2020 · ef740e7 · ef740e7
1 parent f35d7ec
commit ef740e7
Show file tree

Hide file tree

Showing 17 changed files with 701 additions and 1,107 deletions.
diff --git a/README.md b/README.md
diff --git a/auth_rbac_policy/auth-policy.yaml b/auth_rbac_policy/auth-policy.yaml
@@ -1,58 +1,124 @@
-apiVersion: authentication.istio.io/v1alpha1
-kind: Policy
-metadata:
-  name: igpolicy
-  namespace: istio-system
-spec:
-  targets:
-  - name: istio-ingressgateway
-    ports:
-    - number: 80
-    - number: 443
-  origins:
-  - jwt:
-      issuer: "[email protected]"
-      audiences:
-      - "https://foo.bar"
-      - "https://svc1.example.com"
-      - "https://svc2.example.com"
-      jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/[email protected]" 
-  principalBinding: USE_ORIGIN
----
-apiVersion: authentication.istio.io/v1alpha1
-kind: Policy
-metadata:
-  name: svc1-policy
-spec:
-  targets:
-  - name: svc1
-  peers:
-  - mtls: {}  
-  origins:
-  - jwt:
-      issuer: "[email protected]"
-      audiences:
-      - "https://svc1.example.com"
-      jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/[email protected]"         
-  principalBinding: USE_ORIGIN
----
-apiVersion: authentication.istio.io/v1alpha1
-kind: Policy
-metadata:
-  name: svc2-policy
-spec:
-  targets:
-  - name: svc2
-  peers:
-  - mtls: {}
-  # originIsOptional: true      
-  origins:
-  - jwt:
-      issuer: "[email protected]"
-      audiences:
-      - "https://svc2.example.com"
-      jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/[email protected]" 
-      triggerRules:
-      - excludedPaths:
-        - exact: /varz
-  principalBinding: USE_ORIGIN
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: deny-all-authz-ns
+spec:
+  {} 
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: default-peerauth
+  namespace: default
+spec:
+  mtls:
+    mode: STRICT
+---
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: igaupolicy
+ namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  jwtRules:
+  - issuer: "$SA_EMAIL"
+    audiences:
+    - "https://foo.bar"
+    - "https://svc1.example.com"
+    - "https://svc2.example.com"       
+    jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/$SA_EMAIL" 
+    forwardOriginalToken: true
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: igazpolicy
+ namespace: istio-system
+spec:
+ selector:
+   matchLabels:
+     app: istio-ingressgateway
+ rules:
+ - to:
+   - operation:
+       methods: ["GET"]
+   when:
+   - key: request.auth.claims[iss]
+     values: ["$SA_EMAIL"]
+---
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: svc1-au
+spec:
+  selector:
+    matchLabels:
+      app: svc1
+  jwtRules:
+  - issuer: "$SA_EMAIL"
+    audiences:
+    - "https://svc1.example.com"
+    jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/$SA_EMAIL" 
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: svc1-az
+spec:
+ action: ALLOW    
+ selector:
+   matchLabels:
+     app: svc1
+ rules:
+ - to:
+   - operation:
+       methods: ["GET"]
+   when:
+   - key: request.auth.claims[iss]
+     values: ["$SA_EMAIL"]
+   - key: request.auth.claims[aud]
+     values: ["https://svc1.example.com"]       
+---
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: svc2-au
+spec:
+  selector:
+    matchLabels:
+      app: svc2
+  jwtRules:
+  - issuer: "$SA_EMAIL"
+    audiences:
+    - "https://svc2.example.com"
+    jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/$SA_EMAIL" 
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: svc2-az
+spec:
+ action: ALLOW  
+ selector:
+   matchLabels:
+     app: svc2
+ rules:
+ - to:
+   - operation:
+       methods: ["GET"]  
+  #  from:
+  #  - source:
+  #      principals: ["cluster.local/ns/default/sa/svc1-sa"] 
+   when:
+   - key: request.auth.claims[iss]
+     values: ["$SA_EMAIL"]
+   - key: request.auth.claims[aud]
+     values: ["https://svc2.example.com"]
+   - key: request.auth.claims[groups]
+     values: ["group1", "group2"]
+   - key: request.auth.claims[sub]
+     values: ["bob"]
diff --git a/auth_rbac_policy/istio-rbac-config-ON.yaml b/auth_rbac_policy/istio-rbac-config-ON.yaml
diff --git a/auth_rbac_policy/jwt_cli/main.py b/auth_rbac_policy/jwt_cli/main.py
@@ -64,7 +64,7 @@ def _urlsafe_b64decode(b64string):
 
 if __name__ == '__main__':
 
-    cred = service_account.Credentials.from_service_account_file('service_account.json')
+    cred = service_account.Credentials.from_service_account_file('svc_account.json')
     fbtok = getToken("alice", "https://svc1.example.com", {}) 
     print "TOKEN_ALICE: " + fbtok
 

diff --git a/auth_rbac_policy/service-roles.yaml b/auth_rbac_policy/service-roles.yaml
diff --git a/istio-egress-gateway.yaml b/istio-egress-gateway.yaml
@@ -21,15 +21,12 @@ spec:
   servers:
   - port:
       number: 443
-      name: tls-yahoo
+      name: tls
       protocol: TLS
     hosts:
     - www.yahoo.com
     tls:
-      mode: MUTUAL
-      serverCertificate: /etc/certs/cert-chain.pem
-      privateKey: /etc/certs/key.pem
-      caCertificates: /etc/certs/root-cert.pem
+      mode: PASSTHROUGH
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
@@ -73,11 +70,12 @@ spec:
         port:
           number: 443
       weight: 100
-  tcp:
   - match:
     - gateways:
       - istio-egressgateway
       port: 443
+      sni_hosts:
+      - www.yahoo.com      
     route:
     - destination:
         host: www.yahoo.com

diff --git a/istio-egress-rule-metadata.yaml b/istio-egress-rule-metadata.yaml
@@ -3,12 +3,15 @@ kind: ServiceEntry
 metadata:
   name: metadata-ext
 spec:
+  addresses: 
+  - 169.254.169.254    
   hosts:
   - metadata.google.internal
-  - 169.254.169.254
   ports:
   - number: 80
     name: http
     protocol: HTTP
-  resolution: DNS
-  location: MESH_EXTERNAL
+  resolution: STATIC
+  location: MESH_EXTERNAL
+  endpoints:
+  - address: 169.254.169.254
diff --git a/istio-fev1-bev1v2.yaml b/istio-fev1-bev1v2.yaml
@@ -57,7 +57,7 @@ spec:
     tls:
       mode: ISTIO_MUTUAL  
     loadBalancer:
-      simple: ROUND_ROBIN     
+      simple: ROUND_ROBIN   
   subsets:
   - name: v1
     labels:

diff --git a/istio-fev1-wasm.yaml b/istio-fev1-wasm.yaml
@@ -0,0 +1,14 @@
+apiVersion: wasme.io/v1
+kind: FilterDeployment
+metadata:
+  name: fe-wasm-custom-filter
+  namespace: default
+spec:
+  deployment:
+    istio:
+      kind: Deployment
+      labels:
+        app: myapp     
+  filter:
+    config: 'world'
+    image: webassemblyhub.io/salrashid123/add-header:v0.1
diff --git a/istio-ilbgateway-service.yaml b/istio-ilbgateway-service.yaml