maestro/server/deploy/templates/allow-cluster-service.authorizationpolicy.yaml (24 lines of code) (raw):
# Istio AuthorizationPolicy rendered by Helm. It admits traffic to the
# workloads selected at the bottom (label app=maestro) on the two maestro bind
# ports, and only from the source principals listed in the rule.
# NOTE(review): once an ALLOW policy selects a workload, Istio rejects requests
# to it that match no ALLOW policy, so any other port or caller needs its own
# policy. Confirm against the other templates in this chart.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-cluster-service
  namespace: '{{ .Release.Namespace }}'
spec:
  action: "ALLOW"
  rules:
    # One rule carrying both `to` and `from`: a request has to match the port
    # list AND the source list to be allowed by this policy.
    - to:
        - operation:
            # Ports are strings in the Istio API, hence the quoted templates.
            ports:
              - "{{ .Values.maestro.httpBindPort }}"
              - "{{ .Values.maestro.grpcBindPort }}"
      from:
        - source:
            # Principals are peer identities taken from the mTLS certificate;
            # a plaintext caller has no principal and never matches this rule.
            #
            # istio.restrictIngress set: only the service account named by the
            # clustersService values is admitted. The trust domain is
            # hard-coded to "cluster.local".
            # NOTE(review): a mesh with a custom trust domain would not match
            # this principal. Confirm the mesh configuration.
            #
            # istio.restrictIngress unset/false: "*" matches any non-empty
            # principal, so every mTLS-authenticated workload in the mesh can
            # reach both ports. In that mode the policy only enforces
            # "caller is authenticated", not "caller is the clusters service".
            principals:
              {{- if .Values.istio.restrictIngress }}
              - "cluster.local/ns/{{ .Values.clustersService.namespace }}/sa/{{ .Values.clustersService.serviceAccount }}"
              {{- else }}
              - "*"
              {{- end }}
  # Scope: only workloads labelled app=maestro in this policy's namespace.
  selector:
    matchLabels:
      app: "maestro"