-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy path16.2-csrf-shadow-enabled.yaml
59 lines (59 loc) · 1.83 KB
/
16.2-csrf-shadow-enabled.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
##################################################
# Test Name: CSRF Shadow Policy
# Test Number: 16.2
# Test Description:
# - Specifies that CSRF policies will be evaluated, tracked but not enforced.
##################################################
apiVersion: networking.mesh.gloo.solo.io/v1
kind: VirtualMesh
metadata:
name: virtual-mesh
namespace: gloo-mesh
spec:
federation: # Enable automatic federation of all services to all clusters
selectors:
- {}
meshes:
- name: istiod-istio-system-cluster1
namespace: gloo-mesh
- name: istiod-istio-system-cluster2
namespace: gloo-mesh
---
apiVersion: networking.enterprise.mesh.gloo.solo.io/v1beta1
kind: VirtualGateway
metadata:
name: ingress
namespace: gloo-mesh
spec:
ingressGatewaySelectors:
- portName: http2 # match on port name http2
destinationSelectors:
- kubeServiceMatcher:
labels:
istio: ingressgateway # select all gateways with istio=ingressgateway label
namespaces:
- istio-system # only include istio-system namespace
connectionHandlers:
- http:
routeConfig:
- virtualHost:
domains:
- "frontend.solo.io" # listen on frontend.solo.io
routes:
- name: frontend
routeAction:
destinations:
- kubeService:
clusterName: cluster1
name: frontend
namespace: app
port: 8080
options:
trafficPolicy:
csrf:
filterEnabled: false
shadowEnabled: true
percentage: 50
additionalOrigins:
- exact: frontend.solo.io
- exact: login.solo.io