fromAndTo := to.Instances().Append(from)

			config.New(t).
				Source(config.File("testdata/authz/mtls.yaml.tmpl")).
				Source(config.File("testdata/authz/deny-global.yaml.tmpl").WithParams(param.Params{
					param.Namespace.String(): istio.ClaimSystemNamespaceOrFail(t, t),
				})).
				Source(config.File("testdata/authz/deny-principal.yaml.tmpl").WithParams(
					param.Params{
						"Denied": denied,
					})).

					{
						Mode:  selectorpb.WorkloadMode_SERVER,
						Ports: []*selectorpb.PortSelector{{Number: 1234}},
					},
				},
			},
		},
		"global-authz-med-prio-app": {
			Meta: config.Meta{Name: "global-authz-med-prio-app", Namespace: constants.IstioSystemNamespace, GroupVersionKind: gvk.WasmPlugin},
			Spec: &extensions.WasmPlugin{
				Phase:    extensions.PluginPhase_AUTHZ,

		testInboundListenerConfigWithSidecar(t, getProxy(),
			buildService("test.com", wildcardIPv4, protocol.HTTP, tnow))
	})

	t.Run("wasm, stats, authz", func(t *testing.T) {
		tcp := buildService("tcp.example.com", wildcardIPv4, protocol.TCP, tnow)
		tcp.Ports[0].Port = 1234
		tcp.Ports[0].Name = "tcp"
		services := []*model.Service{
			tcp,

}

// IsAllowed - checks given policy args is allowed to continue the Rest API.
func (sys *IAMSys) IsAllowed(args policy.Args) bool {
	// If opa is configured, use OPA always.
	if authz := newGlobalAuthZPluginFn(); authz != nil {
		ok, err := authz.IsAllowed(args)
		if err != nil {
			authZLogIf(GlobalContext, err)
		}
		return ok
	}

	// Policies don't apply to the owner.
	if args.IsOwner {

			{kind.AuthorizationPolicy, "authz", "default"}: true,
		}},
		{"AuthorizationPolicy in a different ns from workload", []string{"*/*"}, map[ConfigKey]bool{
			{kind.AuthorizationPolicy, "authz", "ns1"}: false,
		}},
		{"AuthorizationPolicy in the root namespace", []string{"*/*"}, map[ConfigKey]bool{
			{kind.AuthorizationPolicy, "authz", constants.IstioSystemNamespace}: true,
		}},

			Kind:      kind.PeerAuthentication,
			Name:      "selector-strict",
			Namespace: "ns1",
		}))})
	s.assertEvent(t, xdsSelector)

	s.authz.Delete("selector", testNS)
	s.assertEvent(t, s.podXdsName("pod1"), s.podXdsName("pod3"), xdsSelector)
	assert.Equal(t,
		s.lookup(s.addrXdsName("127.0.0.1"))[0].Address.GetWorkload().AuthorizationPolicies,

	"istio.io/istio/pilot/pkg/model"
	"istio.io/istio/pilot/pkg/networking/core/route/retry"
	"istio.io/istio/pilot/pkg/networking/telemetry"
	"istio.io/istio/pilot/pkg/networking/util"
	authz "istio.io/istio/pilot/pkg/security/authz/model"
	"istio.io/istio/pilot/pkg/util/protoconv"
	"istio.io/istio/pkg/config"
	"istio.io/istio/pkg/config/constants"
	"istio.io/istio/pkg/config/host"
	"istio.io/istio/pkg/config/labels"

				t.NewSubTest("authz target deny").RunParallel(func(t framework.TestContext) {
					opts := echo.CallOptions{
						To:     authzDst,
						Check:  CheckDeny,
						Port:   echo.Port{Name: "http"},
						Scheme: scheme.HTTP,
						Count:  10,
					}
					src.CallOrFail(t, opts)
				})
				t.NewSubTest("non-authz target allow").RunParallel(func(t framework.TestContext) {

  // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
  //   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
  // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
  //   request resource.
  // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
  //

	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
	//   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
	//   request resource.
	//