methods: [ "GET" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to:

  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["*"]
        - source:

            methods: [ "GET" ]
      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # TCP

spec:
  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:
        principals: ["to-mix-principal"]
        namespaces: ["to-mix-ns"]
    to:
    - operation:

	for _, principal := range principals {
		isTrustDomainBeingEnforced := isTrustDomainBeingEnforced(principal)
		// Return the existing principals if the policy doesn't care about the trust domain.
		if !isTrustDomainBeingEnforced {
			principalsIncludingAliases = append(principalsIncludingAliases, principal)
			continue
		}
		trustDomainFromPrincipal, err := getTrustDomainFromSpiffeIdentity(principal)
		if err != nil {

  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/rule[0]/sa/from[0]-principal[0]"]
        - source:
            principals: ["some-td/ns/rule[0]/sa/from[1]-principal[0]", "cluster.local/ns/rule[0]/sa/from[1]-principal[1]"]

metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["rule[0]-from[0]-principal[1]", "rule[0]-from[0]-principal[2]"]
            requestPrincipals: ["rule[0]-from[0]-requestPrincipal[1]", "rule[0]-from[0]-requestPrincipal[2]"]
            namespaces: ["rule[0]-from[0]-ns[1]", "rule[0]-from[0]-ns[2]"]

        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: /httpbin1
        principals:
        - andIds:
            ids:
            - any: true
      istio-ext-authz-ns[foo]-policy[httpbin-2]-rule[0]-deny-due-to-bad-CUSTOM-action:
        permissions:
        - andRules:
            rules:

  namespace: httpbin
spec:
  selector: # There are workloads matching this selector
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/sleep"]
        - source:
            namespaces: ["httpbin"] # Namespace exists
      to:
        - operation:
            methods: ["GET"]
            paths: ["/info*"]

                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/foo/sa/rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*bar/ns/foo/sa/rule[0]-from[1]-principal[1]