diff --git a/manifests/blog-app/authorization-policies.yaml b/manifests/blog-app/authorization-policies.yaml
new file mode 100644
index 0000000..5589ab0
--- /dev/null
+++ b/manifests/blog-app/authorization-policies.yaml
@@ -0,0 +1,95 @@
+# This manifest file is responsible for the communication allowances between services deployed in blog-app namespace.
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: posts
+ namespace: blog-app
+spec:
+ selector:
+ matchLabels:
+ app: posts
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ matchLabels:
+ app: frontend
+ # principals: ["cluster.local/ns/blog-app/sa/frontend"]
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: reviews
+ namespace: blog-app
+spec:
+ selector:
+ matchLabels:
+ app: reviews
+ # Any traffic that does not match the ALLOW rules will be denied by default
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ matchLabels:
+ app: frontend
+ # principals: ["cluster.local/ns/blog-app/sa/frontend"]
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: users
+ namespace: blog-app
+spec:
+ selector:
+ matchLabels:
+ app: users
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ matchLabels:
+ app: frontend
+ # principals: ["cluster.local/ns/blog-app/sa/frontend"]
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: ratings
+ namespace: blog-app
+spec:
+ selector:
+ matchLabels:
+ app: ratings
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ matchLabels:
+ app: reviews
+ # principals: ["cluster.local/ns/blog-app/sa/reviews"]
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: mongodb
+ namespace: blog-app
+spec:
+ selector:
+ matchLabels:
+ app: mongodb
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ matchLabels:
+ app: posts
+ - source:
+ matchLabels:
+ app: reviews
+ - source:
+ matchLabels:
+ app: ratings
+ - source:
+ matchLabels:
+ app: users
+ # principals: ["cluster.local/ns/blog-app/sa/posts", "cluster.local/ns/blog-app/sa/reviews", "cluster.local/ns/blog-app/sa/ratings", "cluster.local/ns/blog-app/sa/users"]
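Review bot: The `from` clauses in all five policies identify the caller with `matchLabels` under `source`, which is not a field of Istio's `Source` (it offers `principals`, `namespaces`, `ipBlocks` and similar), so depending on how the manifest is applied the field is either rejected or dropped and the intended caller restriction is not what gets enforced; indentation is lost in this view, so the nesting is inferred from line order. The commented-out line already holds the supported form: for `posts`, replace the `matchLabels` pair with `principals: ["cluster.local/ns/blog-app/sa/frontend"]`, and do the same with the corresponding commented list in `reviews`, `users`, `ratings` and `mongodb`. Principal matching depends on mutual TLS between the workloads, so I would add a comment above each rule such as `# requires mTLS (PeerAuthentication STRICT) in blog-app so the source principal is authenticated`. The `mongodb` policy has no `to` clause, so every port on that workload is open to the four callers; a `to.operation.ports` entry limited to the database port would narrow it.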