@aarnaud
Last active January 19, 2026 19:28
istio-tips
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: mywaypoint
  namespace: httpbin
  labels:
    istio.io/waypoint-for: all
spec:
  gatewayClassName: istio-waypoint # a waypoint gateway is required to apply an AuthorizationPolicy from the workload namespace
  listeners:
    - name: mesh
      port: 15008
      protocol: HBONE
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: httpbin
  labels:
    app: httpbin
    service: httpbin
    istio.io/use-waypoint: mywaypoint # your waypoint gateway running in the same namespace
    istio.io/ingress-use-waypoint: "true" # configures your ingress gateway to use the waypoint
spec:
  ports:
    - name: http
      port: 8000
      targetPort: 8080
  selector:
    app: httpbin
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: block-redirect-endpoints
  namespace: httpbin
spec:
  # Target services using targetRefs (ambient mode style)
  targetRefs:
    - kind: Service
      name: httpbin
      group: ""
  # DENY action - block these requests
  action: DENY
  rules:
    # Block /anything/admin and /redirect-to (exact match only;
    # sub-paths need a trailing "*" prefix pattern to be covered)
    - to:
        - operation:
            hosts:
              - "httpbin-istio.example.com"
            paths:
              - "/anything/admin"
              - "/redirect-to"
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: mirrored-target
spec:
  host: external-service.example.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: external-service.example.com # Explicitly set SNI
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: SIMPLE
          sni: external-service.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mirrored-target
spec:
  hosts:
    - external-service.example.com
  location: MESH_EXTERNAL
  ports:
    - name: https
      number: 443
      protocol: HTTPS
  resolution: DNS
  endpoints:
    - address: external-service.example.com
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: httpbin-mirrored
  namespace: app-istio
spec:
  parentRefs:
    - name: istio
      namespace: istio
  hostnames:
    - "source.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: httpbin
          port: 8000
      filters:
        - type: RequestMirror
          requestMirror:
            backendRef:
              group: networking.istio.io
              kind: Hostname
              name: external-service.example.com
              port: 443