...
Simple

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: so-vnfm-adapter-policy
  namespace: onap
spec:
  selector:
    matchLabels:
      app: aai  # name of target (service)
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["so-vnfm-adapter-sa"]  # source, in this case the service account of the POD
```

- Simple to maintain
- But less secure

Complex

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: AuthorizationPolicy
metadata:
  name: so-vnfm-adapter-policy
  namespace: onap
spec:
  selector:
    matchLabels:
      app: aai aaf-cert-service  # name of target (service)
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["so-vnfm-adapter-sa"]  # source, in this case the service account of the POD
    to:
    - operation:
        ports: ["27017"]  # the target port
        methods: ["GET", "POST"]  # the used methods
```

- More complex to deploy
- Very hard to maintain if you modify the API
- More secure
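The difference between the two policies can be seen by evaluating both against the same requests. The following is an added example, not part of the original page or of Istio: a simplified model of ALLOW rule matching (exact string matches only, no wildcards, no DENY policies). The requests, the `other-sa` principal and port `8080` are constructed for illustration.

```python
# Added example: simplified model of Istio ALLOW evaluation (exact matches only).
SA = "so-vnfm-adapter-sa"  # principal string exactly as written on the page

# The two policies from the page, reduced to their rules.
SIMPLE = {"rules": [{"from": [{"source": {"principals": [SA]}}]}]}
COMPLEX = {"rules": [{
    "from": [{"source": {"principals": [SA]}}],
    "to": [{"operation": {"ports": ["27017"], "methods": ["GET", "POST"]}}],
}]}

def _field_ok(spec, key, value):
    # An absent field places no constraint; a present one must list the value.
    return key not in spec or value in spec[key]

def _rule_matches(rule, req):
    # "from" and "to" are ANDed; entries inside each list are ORed.
    src_ok = "from" not in rule or any(
        _field_ok(f["source"], "principals", req["principal"]) for f in rule["from"])
    op_ok = "to" not in rule or any(
        _field_ok(t["operation"], "ports", req["port"])
        and _field_ok(t["operation"], "methods", req["method"])
        for t in rule["to"])
    return src_ok and op_ok

def allowed(policy, req):
    # With an ALLOW policy on the workload, a request passes only if a rule matches.
    return any(_rule_matches(r, req) for r in policy["rules"])

# Constructed requests reaching the target workload (hypothetical values).
REQUESTS = [
    {"principal": SA, "port": "27017", "method": "GET"},
    {"principal": SA, "port": "27017", "method": "DELETE"},
    {"principal": SA, "port": "8080", "method": "POST"},
    {"principal": "other-sa", "port": "27017", "method": "GET"},
]

def compare():
    # One (simple, complex) decision pair per request, in REQUESTS order.
    return [(allowed(SIMPLE, r), allowed(COMPLEX, r)) for r in REQUESTS]

if __name__ == "__main__":
    for req, (s, c) in zip(REQUESTS, compare()):
        print(f"{req['principal']:>20} {req['port']:>6} {req['method']:<7} simple={s} complex={c}")
```

The simple policy admits every port and method once the source identity matches, while the complex policy admits only the declared port and methods.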
...
| Name of Source POD | Name of Target POD | Target port | Methods |
|---|---|---|---|
| so-vnfm-adapter | aai aaf-cert-service | 27017 | GET, POST |
These flows are given for information only; because of the complexity and heterogeneity of the configuration, some flows may be missing.
...