Spec:        config.Spec.(*authpb.AuthorizationPolicy),
		}
		policy.NamespaceToPolicies[config.Namespace] = append(policy.NamespaceToPolicies[config.Namespace], authzConfig)
	}

	return policy
}

type AuthorizationPoliciesResult struct {
	Custom []AuthorizationPolicy
	Deny   []AuthorizationPolicy
	Allow  []AuthorizationPolicy
	Audit  []AuthorizationPolicy
}

	cmd := &cobra.Command{
		Use:   "check [<type>/]<name>[.<namespace>]",
		Short: "Check AuthorizationPolicy applied in the pod.",
		Long: `Check prints the AuthorizationPolicy applied to a pod by directly checking
the Envoy configuration of the pod. The command is especially useful for inspecting
the policy propagation from Istiod to Envoy and the final AuthorizationPolicy list merged
from multiple sources (mesh-level, namespace-level and workload-level).

)

func getGvk(obj any) (config.GroupVersionKind, bool) {
	switch obj.(type) {
	case *istioioapisecurityv1beta1.AuthorizationPolicy:
		return gvk.AuthorizationPolicy, true
	case *apiistioioapisecurityv1beta1.AuthorizationPolicy:
		return gvk.AuthorizationPolicy, true
	case *k8sioapicertificatesv1.CertificateSigningRequest:
		return gvk.CertificateSigningRequest, true
	case *k8sioapicorev1.ConfigMap:

	ValidatingWebhookConfiguration
	VirtualService
	WasmPlugin
	WorkloadEntry
	WorkloadGroup
)

func (k Kind) String() string {
	switch k {
	case Address:
		return "Address"
	case AuthorizationPolicy:
		return "AuthorizationPolicy"
	case CertificateSigningRequest:
		return "CertificateSigningRequest"
	case ConfigMap:
		return "ConfigMap"
	case CustomResourceDefinition:
		return "CustomResourceDefinition"
	case DNSName:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-1
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - to:
        - operation:
            paths: ["/exact", "/prefix/*", "*/suffix", "*", "/path/template/{*}", "/{**}/path/template"]

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  action: ALLOW
  rules:
    - to:
        - operation:

kind: feature
area: security
issue:
  - 16585

# releaseNotes is a markdown listing of any user facing changes. This will appear in the
# release notes.
releaseNotes:
- |

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: groups-deny
spec:
  action: DENY
  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:

	"istio.io/istio/pkg/kube/krt"
	"istio.io/istio/pkg/slices"
	"istio.io/istio/pkg/spiffe"
	"istio.io/istio/pkg/workloadapi/security"
)

func PolicyCollections(
	AuthzPolicies krt.Collection[*securityclient.AuthorizationPolicy],
	PeerAuths krt.Collection[*securityclient.PeerAuthentication],
	MeshConfig krt.Singleton[MeshConfig],
	Waypoints krt.Collection[Waypoint],
	Pods krt.Collection[*v1.Pod],

# release notes.
releaseNotes:
- |