Documented Section Readme for:

- 08-AuthorizationPolicy

Also, (speed) documented its examples.

08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml

@@ -1,18 +1,28 @@
-apiVersion: v1
-kind: Service
+apiVersion: apps/v1
+kind: Deployment
 metadata:
-  name: byeworld
+  name: helloworld-nginx
   labels:
-    app: byeworld
-    service: byeworld
-  namespace: foo
+    app: helloworld
 spec:
-  ports:
-    - port: 9090
-      name: http
-      targetPort: 80
+  replicas: 1
   selector:
-    app: byeworld
+    matchLabels:
+      app: helloworld
+  template:
+    metadata:
+      labels:
+        app: helloworld
+    spec:
+      containers:
+        - name: helloworld
+          image: nginx
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
 ---
 apiVersion: apps/v1
 kind: Deployment

08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md

@@ -3,15 +3,16 @@ gitea: none
 include_toc: true
 ---
 
-# Continues from
 
-- [06-mTLS](../../10-mTLS_PeerAuthentication/06-mTLS)
+# Description
 
-## Description
+On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created.
 
-Bla bla bla
+As well, we will configure the `AuthorizationPolicy` object to be applied at a "namespace" level.
 
-Configuration targeting namespaces
+# Based on
+
+- [10-mTLS_PeerAuthentication/01-mTLS](../../10-mTLS_PeerAuthentication/01-mTLS)
 
 # Configuration
 

08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+  labels:
+    app: helloworld
+    service: helloworld
+spec:
+  ports:
+    - port: 8080
+      name: http
+      targetPort: 80
+  selector:
+    app: helloworld
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: byeworld
+  labels:
+    app: byeworld
+    service: byeworld
+  namespace: foo
+spec:
+  ports:
+    - port: 9090
+      name: http
+      targetPort: 80
+  selector:
+    app: byeworld

08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml

@@ -1,18 +1,3 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: helloworld
-  labels:
-    app: helloworld
-    service: helloworld
-spec:
-  ports:
-    - port: 8080
-      name: http
-      targetPort: 80
-  selector:
-    app: helloworld
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -39,3 +24,30 @@ spec:
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: byeworld-nginx
+  labels:
+    app: byeworld
+  namespace: foo
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: byeworld
+  template:
+    metadata:
+      labels:
+        app: byeworld
+    spec:
+      containers:
+        - name: byeworld
+          image: nginx
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80

08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md

@@ -3,21 +3,19 @@ gitea: none
 include_toc: true
 ---
 
-# Continues from
 
-[//]: # (- [01-hello_world_1_service_1_deployment](../../01-simple/01-hello_world_1_service_1_deployment))
-- [01-target-namespaces](../01-target-namespaces)
+# Description
+
+On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created.
+
+As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted `ServiceAccount`.
 
 > **Note:**\
 > On this example there is minimal changes to the configuration to involve targeting service accounts.
 
-## Description
+# Based on
 
-Bla bla bla
-
-Configuration targeting service accounts (among others)
-
-By default, when a pod is deployed, if a service account has not been specified, it will be given the service account `default` from that namespace. 
+- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces)
 
 # Changelog
 

08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+  labels:
+    app: helloworld
+    service: helloworld
+spec:
+  ports:
+    - port: 8080
+      name: http
+      targetPort: 80
+  selector:
+    app: helloworld
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: byeworld
+  labels:
+    app: byeworld
+    service: byeworld
+  namespace: foo
+spec:
+  ports:
+    - port: 9090
+      name: http
+      targetPort: 80
+  selector:
+    app: byeworld

08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Deployments.yaml

@@ -1,18 +1,28 @@
-apiVersion: v1
-kind: Service
+apiVersion: apps/v1
+kind: Deployment
 metadata:
-  name: byeworld
+  name: helloworld-nginx
   labels:
-    app: byeworld
-    service: byeworld
-  namespace: foo
+    app: helloworld
 spec:
-  ports:
-    - port: 9090
-      name: http
-      targetPort: 80
+  replicas: 1
   selector:
-    app: byeworld
+    matchLabels:
+      app: helloworld
+  template:
+    metadata:
+      labels:
+        app: helloworld
+    spec:
+      containers:
+        - name: helloworld
+          image: nginx
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
 ---
 apiVersion: apps/v1
 kind: Deployment

08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/README.md

@@ -3,18 +3,27 @@ gitea: none
 include_toc: true
 ---
 
-# Continues from
 
-- [01-target-namespaces](../01-target-namespaces)
+# Description
+
+On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created.
+
+As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted through the usage of labels to filter the resources affected.
 
 > **Note:**\
 > On this example there is minimal changes to the configuration to involve targeting the deployment resources through label filtering.
 
-## Description
+# Based on
 
-Bla bla bla
+- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces)
 
-In this example we will be targeting the labels set to the deployments, while keeping part of the previous AuthorizationPolicy configuration to maintain its behavior.   
+[//]: # (## Description)
+
+[//]: # ()
+[//]: # (Bla bla bla)
+
+[//]: # ()
+[//]: # (In this example we will be targeting the labels set to the deployments, while keeping part of the previous AuthorizationPolicy configuration to maintain its behavior.   )
 
 [//]: # (For such, it's important to check the labels set in the Istio ingress that we will be using.)
 

08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+  labels:
+    app: helloworld
+    service: helloworld
+spec:
+  ports:
+    - port: 8080
+      name: http
+      targetPort: 80
+  selector:
+    app: helloworld
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: byeworld
+  labels:
+    app: byeworld
+    service: byeworld
+  namespace: foo
+spec:
+  ports:
+    - port: 9090
+      name: http
+      targetPort: 80
+  selector:
+    app: byeworld

08-AuthorizationPolicy/03-target-deployments/deployment.yaml

@@ -1,40 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: helloworld
-  labels:
-    app: helloworld
-    service: helloworld
-spec:
-  ports:
-    - port: 8080
-      name: http
-      targetPort: 80
-  selector:
-    app: helloworld
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: helloworld-nginx
-  labels:
-    app: helloworld
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: helloworld
-  template:
-    metadata:
-      labels:
-        app: helloworld
-    spec:
-      containers:
-        - name: helloworld
-          image: nginx
-          resources:
-            requests:
-              cpu: "100m"
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: 80

08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml

@@ -1,42 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: byeworld
-  labels:
-    app: byeworld
-    service: byeworld
-  namespace: foo
-spec:
-  ports:
-    - port: 9090
-      name: http
-      targetPort: 80
-  selector:
-    app: byeworld
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: byeworld-nginx
-  labels:
-    app: byeworld
-  namespace: foo
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: byeworld
-  template:
-    metadata:
-      labels:
-        app: byeworld
-    spec:
-      containers:
-        - name: byeworld
-          image: nginx
-          resources:
-            requests:
-              cpu: "100m"
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: 80

08-AuthorizationPolicy/README.md

@@ -1,24 +1,12 @@
-## Authentication
 
-- Based on namespaces (done)
-  
-- Based on method (somewhat done, so I will mark it as valid)
+## Description
 
-- Based on service account(s) (somewhat done)
+Through the usage of `AuthorizationPolicies`, we are able to configure rules for access control, whether be (but not limited to) **Allowing** or **Denying** the request.
 
-- Custom action (it's in alpha feature, should not focus on it for now)
+On all the examples for simplicity it's been kept to the "Head" request. 
 
-- Audit / logs (should be the 3th)
+## Examples
 
-JWT seems important, refer to source.requestPrincipals
-
-https://istio.io/latest/docs/tasks/security/authentication/
-
-
-
-Per deployment:
-```yaml
-  selector:
-    matchLabels:
-      app: myapi
-```
+- 01-target-namespaces
+- 02-target-service-accounts
+- 03-target-deployments