Simple

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: so-vnfm-adapter-policy
  namespace: onap
spec:
  selector:
    matchLabels:
      app: aaf-cert-service   # name of target (service)
  action: ALLOW
  rules:
  - from:
    - source:
        # source, in this case the service account of the pod
        principals: ["cluster.local/ns/onap/sa/so-vnfm-adapter-sa"]
```

- Simple to maintain
- but less secure.

Complex

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: AuthorizationPolicy
metadata:
  name: so-vnfm-adapter-policy
  namespace: onap
spec:
  selector:
    matchLabels:
      app: aaf-cert-service   # name of target (service)
  action: ALLOW
  rules:
  - from:
    - source:
        # source, in this case the service account of the pod
        principals: ["cluster.local/ns/onap/sa/so-vnfm-adapter-sa"]
    to:
    - operation:
        ports: ["27017"]           # the target port
        methods: ["GET", "POST"]   # the used methods
```

- more complex to deploy
- very hard to maintain if you modify the API
- more secure.
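What "less secure" versus "more secure" means for the two policies above can be seen by evaluating the same requests against both. The following is an added example, not part of the original page or of Istio: a minimal Python model of ALLOW-rule matching that assumes exact-match fields only (no wildcards, no DENY or CUSTOM policies), writes the principal in Istio's `<trust-domain>/ns/<namespace>/sa/<service-account>` form, and uses constructed sample requests.

```python
# Added example: minimal model of how an Istio ALLOW AuthorizationPolicy matches a request.
# Assumption: only exact-match principals, ports and methods are modelled.

SA = "cluster.local/ns/onap/sa/so-vnfm-adapter-sa"

# The two policy specs from the page, written as Python dicts.
SIMPLE = {"action": "ALLOW",
          "rules": [{"from": [{"source": {"principals": [SA]}}]}]}
COMPLEX = {"action": "ALLOW",
           "rules": [{"from": [{"source": {"principals": [SA]}}],
                      "to": [{"operation": {"ports": ["27017"],
                                            "methods": ["GET", "POST"]}}]}]}


def _field_ok(allowed_values, value):
    """An absent field places no restriction; a present one must list the value."""
    return allowed_values is None or value in allowed_values


def rule_matches(rule, principal, port, method):
    # 'from' and 'to' are ANDed; entries inside each list are ORed.
    sources = rule.get("from")
    from_ok = sources is None or any(
        _field_ok(s["source"].get("principals"), principal) for s in sources)
    ops = rule.get("to")
    to_ok = ops is None or any(
        _field_ok(o["operation"].get("ports"), str(port))
        and _field_ok(o["operation"].get("methods"), method) for o in ops)
    return from_ok and to_ok


def allowed(policy, principal, port, method):
    """With only ALLOW policies on a workload, a request passes if any rule matches."""
    return any(rule_matches(r, principal, port, method) for r in policy["rules"])


def compare(requests):
    """Return (request, simple_decision, complex_decision) for each request."""
    return [(r, allowed(SIMPLE, *r), allowed(COMPLEX, *r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests: (principal, destination port, HTTP method)
    sample = [(SA, 27017, "GET"), (SA, 27017, "DELETE"), (SA, 8443, "GET"),
              ("cluster.local/ns/onap/sa/other-sa", 27017, "GET")]
    for req, s, c in compare(sample):
        print(f"{req[0].rsplit('/', 1)[-1]:24} port={req[1]:<6} {req[2]:7} simple={s} complex={c}")
```

The simple policy admits every port and method once the service account matches, while the complex policy rejects the `DELETE` and the request to port 8443 from the same identity.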