}
	switch orig.GroupVersionKind {
	case gvk.AuthorizationPolicy:
		oldRes := &apiistioioapisecurityv1beta1.AuthorizationPolicy{
			ObjectMeta: origMeta,
			Spec:       *(orig.Spec.(*istioioapisecurityv1beta1.AuthorizationPolicy)),
		}
		modRes := &apiistioioapisecurityv1beta1.AuthorizationPolicy{
			ObjectMeta: modMeta,
			Spec:       *(mod.Spec.(*istioioapisecurityv1beta1.AuthorizationPolicy)),
		}

        - destination:
            host: "{{ .To.ClusterLocalFQDN }}"
            port:
              number: {{ (.To.PortForName "http").ServicePort }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-{{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  action: ALLOW
  rules:
    - to:
      - operation:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  action: DENY
  rules:
    - to:
        - operation: # HTTP
            ports: [ "{{ (.To.PortForName `http`).WorkloadPort }}", "{{ (.To.PortForName `http2`).WorkloadPort }}" ]
            paths: [ "/deny*" ]
            notPaths: ["/deny/allow"]

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: a
spec:
  host: a
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: integ-test
spec:
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
    when:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: groups-deny
spec:
  action: DENY
  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:

# The following policy denies access to path /global-deny for all workloads

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-deny-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        # Generally we don't expect users to set global policies, since they
        # impact anything in the istio-system namespace. For these tests,

	"istio.io/istio/pkg/kube/krt"
	"istio.io/istio/pkg/slices"
	"istio.io/istio/pkg/spiffe"
	"istio.io/istio/pkg/workloadapi/security"
)

func PolicyCollections(
	AuthzPolicies krt.Collection[*securityclient.AuthorizationPolicy],
	PeerAuths krt.Collection[*securityclient.PeerAuthentication],
	MeshConfig krt.Singleton[MeshConfig],
	Waypoints krt.Collection[Waypoint],
	Pods krt.Collection[*v1.Pod],

  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authz-ingress
spec:
  selector:
    matchLabels:
      istio: {{.GatewayIstioLabel | default "ingressgateway"}}
  rules:
  - to:
    - operation:
        hosts:

			ServicePortName: "grpc-main",
		},
	})

	store.Create(config.Config{
		Meta: config.Meta{
			GroupVersionKind: gvk.AuthorizationPolicy,
			Name:             svcname,
			Namespace:        ns,
		},
		Spec: &security.AuthorizationPolicy{
			Rules: []*security.Rule{
				{
					When: []*security.Condition{
						{
							Key: "request.headers[echo]",
							Values: []string{

  jwtRules:
  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authz-gateway-{{ .To.ServiceName }}
spec:
  targetRef:
    name: {{ .To.ServiceName }}-gateway
    kind: Gateway
    group: gateway.networking.k8s.io
  rules:
  - to: