@evankanderson
Last active April 7, 2020 17:03
Inbound access control alternatives
apiGroup: security.knative.dev/v1alpha1
kind: Policy
metadata:
  name: green-policy
spec:
  cloudEvent:
    type: green
  # Or
  cloudEventExpressions:
  - {key: type, operator: In, values: [green]}
# This is a data-only resource, so may not need spec/status
---
apiGroup: security.knative.dev/v1alpha1
kind: PolicyAssignment # PolicyAssignment creates PolicyBindings for each matched object in the list of subjects
metadata:
  name: green-service
spec:
  policy: green-policy
  targets:
  - apiGroup: serving.knative.dev/v1
    kind: Service
    selector:
      matchExpressions: # Match all services except those labelled with access=exposed
      - {key: access, operator: NotIn, values: [exposed]}
  - apiGroup: eventing.knative.dev/v1beta1
    kind: Broker
    name: x-broker
---
apiGroup: security.knative.dev/v1alpha1
kind: PolicyBinding
metadata:
  name: green-service
spec:
  policy: green-policy
  target:
  - apiGroup: serving.knative.dev/v1
    kind: Service
    name: x-svc
---
apiGroup: security.knative.dev/v1alpha1
kind: PolicyBinding
metadata:
  name: green-broker
spec:
  policy: green-policy
  target:
  - apiGroup: eventing.knative.dev/v1beta1
    kind: Broker
    name: x-broker
---
# In x-broker:
apiGroup: eventing.knative.dev/v1beta1
kind: Broker
metadata:
  name: x-broker
spec:
  ...
  authorizers:
  # Single GRPC for all KPolicies. Note that it would be possible to plug in
  # other auth methods here by adding another webhook.
  # There are two protocols supported:
  # - grpc: A service.auth.v2.CheckRequest
  #   In this mode, the access controlled resource is denoted by attributes.destination labels
  #   https://www.envoyproxy.io/docs/envoy/v1.13.1/api-v2/service/auth/v2/external_auth.proto#envoy-api-msg-service-auth-v2-checkrequest
  # - https: An HTTP request with all the headers but no body content.
  #   In this mode, the access controlled resource must be denoted by additional path or query-string arguments
  #   Equivalent to a matcher of `{prefix: ""}` in envoy configuration:
  #   https://www.envoyproxy.io/docs/envoy/v1.13.1/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto#envoy-api-msg-config-filter-http-ext-authz-v2-authorizationrequest
  - url: grpc://auth.knative-security.svc.cluster.local/
    timeout: 0.2s
---
# In x-svc:
apiGroup: serving.knative.dev/v1
kind: Service
metadata:
  name: x-svc
spec:
  ...
  authorizers:
  - grpc://auth.knative-security.svc.cluster.local/
---
# Status of green-service
apiGroup: security.knative.dev/v1alpha1
kind: PolicyBinding
metadata:
  name: green-service
  ...
status:
  conditions:
  - type: Ready
    status: "True"
    # Indicates that policy was validated and the target was Authorizable
---
# Status of green-broker
apiGroup: security.knative.dev/v1alpha1
kind: PolicyBinding
metadata:
  name: green-broker
  ...
status:
  conditions:
  - type: Ready
    status: "True"
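The decision an authorizer behind the `authorizers:` entries above would have to make, as an added example that is not part of the gist: in the https mode it sees only headers, so it reads the binary-mode CloudEvent `ce-*` headers, evaluates each bound Policy's `cloudEventExpressions` (or the `cloudEvent` short form), and allows the request only if every policy bound to the destination passes. The policy table and header values are constructed, and the operator set (`In`, `NotIn`, `Exists`, `DoesNotExist`, with Kubernetes label-selector semantics) is an assumption, since the gist only shows `In` and `NotIn`.

```python
"""Evaluate Policy.cloudEventExpressions against an inbound CloudEvent request.
Constructed example: POLICIES mirrors green-policy; In/NotIn/Exists/DoesNotExist
are assumed to follow Kubernetes label-selector semantics."""
from typing import Dict, List, Tuple

# Policies keyed by name, as the authorizer would read them from the cluster.
POLICIES = {
    "green-policy": {
        "cloudEventExpressions": [{"key": "type", "operator": "In", "values": ["green"]}],
    },
    "no-test-policy": {
        "cloudEventExpressions": [
            {"key": "source", "operator": "NotIn", "values": ["/test"]},
            {"key": "subject", "operator": "Exists"},
        ],
    },
}

def ce_attributes(headers: Dict[str, str]) -> Dict[str, str]:
    """Binary-mode CloudEvents carry attributes as ce-<name> headers; the
    https authorizer mode sees headers only, so this is all it has to go on."""
    return {k.lower()[3:]: v for k, v in headers.items() if k.lower().startswith("ce-")}

def expressions(policy: dict) -> List[dict]:
    """The `cloudEvent: {type: green}` short form is an In-expression per key."""
    if "cloudEventExpressions" in policy:
        return policy["cloudEventExpressions"]
    return [{"key": k, "operator": "In", "values": [v]}
            for k, v in policy.get("cloudEvent", {}).items()]

def matches(expr: dict, attrs: Dict[str, str]) -> bool:
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in attrs and attrs[key] in values
    if op == "NotIn":  # an absent attribute satisfies NotIn, as with label selectors
        return attrs.get(key) not in values
    if op == "Exists":
        return key in attrs
    if op == "DoesNotExist":
        return key not in attrs
    raise ValueError(f"unsupported operator {op!r}")

def authorize(bound_policies: List[str], headers: Dict[str, str]) -> Tuple[bool, str]:
    """Allow only if every policy bound to the destination resource is satisfied."""
    attrs = ce_attributes(headers)
    for name in bound_policies:
        for expr in expressions(POLICIES[name]):
            if not matches(expr, attrs):
                return False, f"{name}: {expr['key']} {expr['operator']} {expr.get('values', [])}"
    return True, "allowed"
```

The gRPC mode would differ only in where the destination and headers come from (the `CheckRequest` attributes) rather than in the evaluation itself.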