content/en/docs/ops/best-practices/security/index.md
15 additions & 0 deletions
@@ -54,6 +54,21 @@ By binding `AuthorizationPolicy` to the `GatewayClass`, you can configure all ga
54
54
It is important to note that `GatewayClass` is a cluster-scoped resource, and binding namespace-scoped policies to it requires special care.
55
55
Istio requires that policies which are bound to a `GatewayClass` reside in the root namespace, typically `istio-system`.
56
56
57
+
For waypoints, standard allow-nothing policy would be:
58
+
59
+
{{< text yaml >}}
60
+
apiVersion: security.istio.io/v1
61
+
kind: AuthorizationPolicy
62
+
metadata:
63
+
name: allow-nothing-istio-waypoint
64
+
namespace: istio-system
65
+
spec:
66
+
targetRefs:
67
+
- group: gateway.networking.k8s.io
68
+
kind: GatewayClass
69
+
name: istio-waypoint
70
+
{{< /text >}}
71
+
57
72
{{< tip >}}
58
73
When using the default-deny pattern with waypoints, the policy bound to the `istio-waypoint``GatewayClass` should be used in addition to the "classic" default-deny policy. The "classic" default-deny policy will be enforced by ztunnel against the workloads in your mesh and still provides meaningful value.
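Review bot: the added `allow-nothing-istio-waypoint` policy contains only `targetRefs` and no `rules`, which is exactly what makes it allow-nothing, but the new lead-in sentence ("For waypoints, standard allow-nothing policy would be:") never says so, and a reader who adds a `rules` entry to "tighten" it will silently turn it into an allow policy. Suggest changing the lead-in to "For waypoints, the standard allow-nothing policy would be:" and adding one sentence after the YAML block such as "Because the policy has no `rules`, no request matches it, so all traffic passing through a waypoint of the `istio-waypoint` class is denied until a more specific `AuthorizationPolicy` allows it." That also ties the example back to the requirement two lines above that `GatewayClass`-bound policies reside in the root namespace, which the example satisfies by using `namespace: istio-system`. Separately, the tip in the trailing context writes the class as `istio-waypoint``GatewayClass` with no space between the two code spans, so it renders as one word; insert a space between them while this file is being edited.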