@pierDipi
Last active April 4, 2024 11:02
Knative Event Policy draft APIs
apiVersion: eventing.knative.dev/v1alpha1
kind: EventPolicy
metadata:
  name: my-event-policy
  namespace: default
spec:
  to: # ToEventPolicy struct -> empty "to" means applies to all resources in the namespace
    - selector: # Object selector, no gvk means applies to all gvks that support authz
        matchLabels:
          app: my-broker
    - selector: # Object selector, gvk-specific
        apiVersion: eventing.knative.dev/v1
        kind: Broker
        matchLabels:
          app: my-broker
    - ref: # Direct reference
        apiVersion: eventing.knative.dev/v1
        kind: Broker
        name: my-broker
  from: # FromEventPolicy struct -> it could be embedded into Brokers, Channels, Sinks spec for easier usage
    - ref:
        apiVersion: sources.knative.dev/v1
        kind: ApiServerSource
        name: my-source
        namespace: my-ns
    - sub: system:serviceaccount:my-ns:my-app
    - sub: system:serviceaccount:my-ns:my-source
    - subPrefix: system:serviceaccount:my-ns
    - namespace: my-ns # shorthand for `subPrefix: system:serviceaccount:my-ns`
  with: # WithEventPolicy struct -> it could be embedded into Brokers, Channels, Sinks spec
    filters: # ... subscription api filters
---
apiVersion: eventing.knative.dev/v1alpha1
kind: ClusterEventPolicy
metadata:
  name: my-cluster-event-policy
spec:
  to: # ToClusterEventPolicy struct
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: my-ns
  from: # FromClusterEventPolicy struct
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: my-ns
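
An added example, not part of the gist or of Knative's code: a Go sketch of how the subject forms in `from` (`sub`, `subPrefix`, `namespace`) could be evaluated, assuming `subPrefix` is a plain string-prefix comparison, which the draft does not specify. The `FromEntry` type and both functions are hypothetical, and the subject in namespace `my-ns-staging` is constructed to show why the `namespace` shorthand is safer when compared as a whole segment rather than expanded to a prefix without a trailing colon.

```go
package main

import (
	"fmt"
	"strings"
)

// FromEntry is a hypothetical model of one subject item in spec.from.
type FromEntry struct{ Sub, SubPrefix, Namespace string }

const saPrefix = "system:serviceaccount:"

// naiveMatch expands `namespace` exactly as the draft comment writes it
// (no trailing colon) and treats subPrefix as a raw string prefix.
func naiveMatch(e FromEntry, subject string) bool {
	if e.Sub != "" {
		return e.Sub == subject
	}
	if e.Namespace != "" {
		e.SubPrefix = saPrefix + e.Namespace
	}
	return e.SubPrefix != "" && strings.HasPrefix(subject, e.SubPrefix)
}

// strictMatch splits the subject into namespace and name and compares the
// namespace as a whole segment; subPrefix stays a literal prefix, so a
// policy author who wants one namespace must end it with ":".
func strictMatch(e FromEntry, subject string) bool {
	if e.Sub != "" {
		return e.Sub == subject
	}
	if e.Namespace != "" {
		if !strings.HasPrefix(subject, saPrefix) {
			return false
		}
		parts := strings.SplitN(strings.TrimPrefix(subject, saPrefix), ":", 2)
		return len(parts) == 2 && parts[0] == e.Namespace && parts[1] != ""
	}
	return e.SubPrefix != "" && strings.HasPrefix(subject, e.SubPrefix)
}

func main() {
	other := "system:serviceaccount:my-ns-staging:app" // constructed subject
	ns := FromEntry{Namespace: "my-ns"}
	fmt.Println("naive, namespace shorthand:", naiveMatch(ns, other))   // true
	fmt.Println("strict, namespace shorthand:", strictMatch(ns, other)) // false
}
```

With a literal `subPrefix`, writing `system:serviceaccount:my-ns:` (trailing colon) limits the match to service accounts in `my-ns` under either function.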