apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: activator-service
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: activator
      app.kubernetes.io/component: knative-serving
      app.kubernetes.io/name: knative-serving
      kustomize.component: knative
  rules:
  - {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: autoscaler
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: autoscaler
      app.kubernetes.io/component: knative-serving
      app.kubernetes.io/name: knative-serving
      kustomize.component: knative
  rules:
  - {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: controller
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: controller
      app.kubernetes.io/component: knative-serving
      app.kubernetes.io/name: knative-serving
      kustomize.component: knative
  rules:
  - {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: webhook
spec:
  action: ALLOW
  selector:
    matchLabels:
      app.kubernetes.io/component: knative-serving
      app.kubernetes.io/name: knative-serving
      kustomize.component: knative
      role: webhook
  rules:
  - {}

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-webhook
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: istio-webhook
      kustomize.component: knative
      app.kubernetes.io/component: knative-serving
      app.kubernetes.io/name: knative-serving
  rules:
  - {}
---

# DestinationRule for mTLS
apiVersion: "networking.istio.io/v1alpha3"
kind: DestinationRule
metadata:
  name: knative
spec:
  host: "*.knative-serving.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL