KubeZero/charts/kubezero-metrics/templates/istio-authorization-policy.yaml


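{{- /*
Emits one Istio AuthorizationPolicy per entry of .Values.istio that is enabled
and has a non-empty ipBlocks list. Each policy is a DENY rule on the ingress
gateway: a connection is rejected when its source address is outside ipBlocks
and its TLS SNI equals the entry's url.

Entries that are enabled but have an empty or missing ipBlocks render nothing,
so they get no IP restriction from this template.
*/ -}}
{{- range $name, $service := .Values.istio }}
{{- if and $service.enabled $service.ipBlocks }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ $name }}-deny-not-in-ipblocks
  namespace: istio-system
  labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
  # Applies to workloads labelled app=istio-ingressgateway in istio-system.
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  # `from` and `when` belong to the same rule, so both must match for the
  # DENY to fire.
  - from:
    - source:
        # NOTE(review): notIpBlocks is evaluated against the address the
        # gateway sees as the connection source. If a load balancer or proxy
        # in front of the gateway does not preserve the client address, that
        # is the proxy's address; Istio's notRemoteIpBlocks matches the
        # forwarded client address instead. Confirm which one this
        # deployment needs.
        notIpBlocks:
{{- toYaml $service.ipBlocks | nindent 8 }}
    # NOTE(review): connection.sni is only set on TLS connections, so
    # traffic for this host that reaches the gateway without SNI is not
    # covered by this rule. The match is on SNI alone, not on the HTTP
    # Host/authority; verify the Gateway's server and host configuration
    # keeps the two aligned and that the host is not served on a plaintext
    # listener.
    when:
    - key: connection.sni
      values: ["{{ $service.url }}"]
---
{{- end }}
{{- end }}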