depguard:
    rules:
      DenyGogoProtobuf:
        files:
          - $all
        deny:
          - pkg: github.com/gogo/protobuf
            desc: "gogo/protobuf is deprecated, use golang/protobuf"
      # deny for all go files
      AllGoFiles:
        files:
          - $all
        deny:
          - pkg: golang.org/x/net/http2/h2c

              {
               "tag": "istio.authorization.dry_run.deny_policy.name",
               "metadata": {
                "kind": {
                 "request": {}
                },
                "metadata_key": {
                 "key": "envoy.filters.http.rbac",
                 "path": [
                  {
                   "key": "istio_dry_run_deny_shadow_effective_policy_id"
                  }

  services:
    "default/example.com":
      80: 8080
    "default/example2.com":
      80: 8080
policies:
  - action: Allow
    rules:
    - - - not_destination_ports:
          - 9999
    name: deny-9999
    namespace: default
    scope: Namespace
services:
- name: local
  namespace: default
  hostname: example.com
  vips:
    - /127.10.0.1
  ports:
    80: 8080
- name: remote

                                      "key": "istio_dry_run_deny_shadow_effective_policy_id"
                                    }
                                  ]
                                }
                              }
                            },
                            {
                              "tag": "istio.authorization.dry_run.deny_policy.result",
                              "metadata": {

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "stable-channel-default-policy-binding.istio.io"
spec:
  policyName: "stable-channel-default-policy.istio.io"
  validationActions: [Deny]

spec:
  selector:
    matchLabels:
      app: a
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: PERMISSIVE
```

will be translated into this `Authorization`:

```yaml
action: DENY
groups:
- rules:
  - matches:
    - notPrincipals:
      - presence: {}
- rules:
  - matches:
    - notDestinationPorts:
      - 9090
name: converted_peer_authentication_strict-and-permissive-mtls

					addPolicy(action, anonymousName, "0")
				}
			}
		}
	}

	buf := strings.Builder{}
	buf.WriteString("ACTION\tAuthorizationPolicy\tRULES\n")
	for _, action := range []rbacpb.RBAC_Action{rbacpb.RBAC_DENY, rbacpb.RBAC_ALLOW, rbacpb.RBAC_LOG} {
		if names, ok := actionToPolicy[action]; ok {
			sortedNames := make([]string, 0, len(names))
			for name := range names {
				sortedNames = append(sortedNames, name)
			}

                                      "key": "istio_dry_run_deny_shadow_effective_policy_id"
                                    }
                                  ]
                                }
                              }
                            },
                            {
                              "tag": "istio.authorization.dry_run.deny_policy.result",
                              "metadata": {

  //
  // validationActions is declared as a set of action values. Order does
  // not matter. validationActions may not contain duplicates of the same action.
  //
  // The supported actions values are:
  //
  // "Deny" specifies that a validation failure results in a denied request.
  //
  // "Warn" specifies that a validation failure is reported to the request client
  // in HTTP Warning headers, with a warning code of 299. Warnings can be sent

  // readOnlyRootFilesystem when set to true will force containers to run with a read only root file
  // system.  If the container specifically requests to run with a non-read only root file system
  // the PSP should deny the pod.
  // If set to false the container may run with a read only root file system if it wishes but it
  // will not be forced to.
  // +optional
  optional bool readOnlyRootFilesystem = 14;