From 9bc353e59df131c37b82f42b81237e8a6e2f4e00 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Thu, 20 Jul 2023 10:42:59 +0200
Subject: [PATCH 01/20] update service-mesh integration setup documentation
 (SRVCOM-2368)

---
 modules/ROOT/nav.adoc                         | 10 +-
 .../common-service-mesh-setup.adoc}           | 97 ++++++++++++-------
 ...eventing-service-mesh-containersource.adoc |  0
 .../eventing-service-mesh-sinkbinding.adoc    |  0
 4 files changed, 68 insertions(+), 39 deletions(-)
 rename modules/{serverless-eventing/pages/service-mesh/eventing-service-mesh-setup.adoc => serverless-common/pages/service-mesh/common-service-mesh-setup.adoc} (75%)
 rename modules/{serverless-eventing => serverless-common}/pages/service-mesh/eventing-service-mesh-containersource.adoc (100%)
 rename modules/{serverless-eventing => serverless-common}/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc (100%)

diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
index e90ae53c..a3d32d20 100644
--- a/modules/ROOT/nav.adoc
+++ b/modules/ROOT/nav.adoc
@@ -1,9 +1,9 @@
 * xref:index.adoc[Overview]
-* Serverless Eventing
-** Using Eventing with OpenShift Service Mesh
-*** xref:serverless-eventing:service-mesh/eventing-service-mesh-setup.adoc[Setup Eventing with OpenShift Service Mesh]
-*** xref:serverless-eventing:service-mesh/eventing-service-mesh-containersource.adoc[Using ContainerSource with OpenShift Service Mesh]
-*** xref:serverless-eventing:service-mesh/eventing-service-mesh-sinkbinding.adoc[Using SinkBinding with OpenShift Service Mesh]
+* Serverless Common
+** Using OpenShift Serverless with OpenShift Service Mesh
+*** xref:serverless-common:service-mesh/common-service-mesh-setup.adoc[Setup Serverless with OpenShift Service Mesh]
+*** xref:serverless-common:service-mesh/eventing-service-mesh-containersource.adoc[Eventing: Using ContainerSource with OpenShift Service Mesh]
+*** xref:serverless-common:service-mesh/eventing-service-mesh-sinkbinding.adoc[Eventing: Using SinkBinding with OpenShift Service Mesh]
 * Serverless Logic
 ** xref:serverless-logic:about.adoc[About OpenShift Serverless Logic]
 ** User Guides
diff --git a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-setup.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
similarity index 75%
rename from modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-setup.adoc
rename to modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
index 08810339..1eac3847 100644
--- a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-setup.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
@@ -1,28 +1,69 @@
-= Setup Eventing with {SMProductName}
+= Setup {serverlessproductname} with {SMProductName}
 :compat-mode!:
 // Metadata:
-:description: Setup Eventing with {SMProductName}
+:description: Setup {serverlessproductname} with {SMProductName}
 
 // TODO
 
+[IMPORTANT]
+====
+This page describes the integration of {serverlessproductname} with {smproductname}. In this setup, it is assumed that, all Knative internal components, as well as Knative Services, are part of the Service Mesh and have istio-sidecars injected. This means, that strict mTLS is enforced within the whole mesh. All requests to Knative Services require an mTLS connection  (the client must send its certificate), except calls coming from OpenShift Routing.
+====
+
 .Prerequisites
 
 * You have access to an {product-title} account with cluster administrator access.
 
 * You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
 
-* Install the {SMProductName} Operator and create a `ServiceMeshControlPlane` resource in the `istio-system` namespace. If you want to use mTLS functionality, you must also set the `spec.security.dataPlane.mtls` field for the `ServiceMeshControlPlane` resource to `true`.
+* Install the OpenShift CLI (`oc`).
+
+* Install the {SMProductName} Operator.
 +
 [IMPORTANT]
 ====
 Using {ServerlessProductName} with {SMProductShortName} is only supported with {SMProductName} version 2.0.5 or later.
 ====
 
-* Install the {ServerlessOperatorName}.
+.Installing and configuring {smproductname}
 
-* Install the OpenShift CLI (`oc`).
+. Create a `ServiceMeshControlPlane` resource in the `istio-system` namespace. Make sure to use the following settings, to make Service Mesh work with Serverless:
++
+[IMPORTANT]
+====
+If you have an existing `ServiceMeshControlPlane`, make sure that you have the same configuration applied.
+====
++
+[source,yaml]
+----
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+metadata:
+  name: basic
+  namespace: istio-system
+spec:
+  profiles:
+  - default
+  security:
+    dataPlane:
+      mtls: true <1>
+  techPreview:
+    meshConfig:
+      defaultConfig:
+        terminationDrainDuration: 35s <2>
+  proxy:
+    networking:
+      trafficControl:
+        inbound:
+          excludedPorts: <3>
+          - 8444 # metrics
+          - 8022 # serving: wait-for-drain k8s pre-stop hook
+----
+<1> This enforces strict mTLS in the mesh. Only calls using a valid client-certificate are allowed.
+<2> OpenShift Serverless has a graceful termination for Knative Services of 30 seconds. The istio-proxy needs to have a longer termination duration to make sure no requests are dropped.
+<3> Those ports are called by Kubernetes and cluster monitoring which are not part of the mesh and cannot be called using mTLS, thus those ports are excluded from the Service Mesh.
++
 
-.Procedure
 
 . Add the namespaces that you would like to integrate with {SMProductShortName} to the `ServiceMeshMemberRoll` object as members:
 +
@@ -55,7 +96,7 @@ $ oc apply -f <filename>
 
 . Create the necessary gateways so that {SMProductShortName} can accept traffic:
 +
-.Example `knative-local-gateway` object using HTTP
+.Example `knative-local-gateway` object using `ISTIO_MUTUAL` (mTLS)
 [source,yaml]
 ----
 apiVersion: networking.istio.io/v1alpha3
@@ -88,8 +129,10 @@ spec:
  servers:
    - port:
        number: 8081
-       name: http
-       protocol: HTTP <2>
+       name: https
+       protocol: HTTPS <2>
+     tls:
+       mode: ISTIO_MUTUAL <2>
      hosts:
        - "*"
 ---
@@ -110,30 +153,7 @@ spec:
      targetPort: 8081
 ----
 <1> Add the name of the secret that contains the wildcard certificate.
-<2> The `knative-local-gateway` serves HTTP traffic. Using HTTP means that traffic coming from outside of {SMProductShortName}, but using an internal hostname, such as `example.default.svc.cluster.local`, is not encrypted. You can set up encryption for this path by creating another wildcard certificate and an additional gateway that uses a different `protocol` spec.
-+
-.Example `knative-local-gateway` object using HTTPS
-[source,yaml]
-----
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: knative-local-gateway
-  namespace: knative-serving
-spec:
-  selector:
-    istio: ingressgateway
-  servers:
-    - port:
-        number: 443
-        name: https
-        protocol: HTTPS
-      hosts:
-        - "*"
-      tls:
-        mode: SIMPLE
-        credentialName: <wildcard_certs>
-----
+<2> The `knative-local-gateway` serves HTTPS traffic and expects all clients to send requests using mTLS. This means, that only traffic coming from withing {SMProductShortName} is possible. Workloads from outside the {smproductshortname} must use the external domain using the `istio-ingressgateway`.
 
 . Apply the `Gateway` resources:
 +
@@ -142,7 +162,11 @@ spec:
 $ oc apply -f <filename>
 ----
 
-. Install Knative Serving by creating the following `KnativeServing` custom resource, which also enables the Istio integration:
+.Installing and configuring {serverless}
+
+. First, install the {serverless} Operator.
+
+. Then, install Knative Serving by creating the following `KnativeServing` custom resource, which also enables the Istio integration:
 +
 [source,yaml]
 ----
@@ -354,6 +378,11 @@ spec:
 <1> A namespace that is part of the Service Mesh member roll.
 <2> Instructs Knative Serving to generate an {product-title} pass-through enabled route, so that the certificates you have generated are served through the ingress gateway directly.
 <3> Injects {SMProductShortName} sidecars into the Knative service pods.
++
+[IMPORTANT]
+====
+Please note, that you have to always add the annotation from the example above to all your Knative `Service` to make them work with {SMPRODUCTSHORTNAME}.
+====
 
 . Apply the `Service` resource:
 +
diff --git a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-containersource.adoc b/modules/serverless-common/pages/service-mesh/eventing-service-mesh-containersource.adoc
similarity index 100%
rename from modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-containersource.adoc
rename to modules/serverless-common/pages/service-mesh/eventing-service-mesh-containersource.adoc
diff --git a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc b/modules/serverless-common/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc
similarity index 100%
rename from modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc
rename to modules/serverless-common/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc

From 974179d48616a97812e644a5569e8aed855fec7e Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Thu, 20 Jul 2023 11:17:06 +0200
Subject: [PATCH 02/20] add page for network-isolation based on Service Mesh
 (SRVCOM-2368)

---
 modules/ROOT/nav.adoc                         |   1 +
 .../multi-tenancy-service-mesh.drawio.svg     |   4 +
 ...common-service-mesh-network-isolation.adoc | 106 ++++++++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100644 modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg
 create mode 100644 modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc

diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
index a3d32d20..e2f87b45 100644
--- a/modules/ROOT/nav.adoc
+++ b/modules/ROOT/nav.adoc
@@ -2,6 +2,7 @@
 * Serverless Common
 ** Using OpenShift Serverless with OpenShift Service Mesh
 *** xref:serverless-common:service-mesh/common-service-mesh-setup.adoc[Setup Serverless with OpenShift Service Mesh]
+*** xref:serverless-common:service-mesh/common-service-mesh-network-isolation.adoc[Use Service Mesh to isolate network-traffic]
 *** xref:serverless-common:service-mesh/eventing-service-mesh-containersource.adoc[Eventing: Using ContainerSource with OpenShift Service Mesh]
 *** xref:serverless-common:service-mesh/eventing-service-mesh-sinkbinding.adoc[Eventing: Using SinkBinding with OpenShift Service Mesh]
 * Serverless Logic
diff --git a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg
new file mode 100644
index 00000000..181aa5c0
--- /dev/null
+++ b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than diagrams.net -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="699px" height="534px" viewBox="-0.5 -0.5 699 534" content="&lt;mxfile host=&quot;drawio-plugin&quot; modified=&quot;2023-05-25T11:42:29.848Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36&quot; etag=&quot;QiMYJZly1xpERPDJCFA4&quot; version=&quot;20.5.3&quot; type=&quot;embed&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Page-1&quot;&gt;7Vxbj6M2FP41eWilIC42kMfpzO626laadqV2++iAk7hLcApOJtlfXxswAdvJkASSjDpTqQu2seGc71x9nJH3uNx+ytBq8RuNcTJy7Xg78p5GrutA6PN/RMtOtgSgbJlnJK7a9g1fyHdcNdpV65rEOG8NZJQmjKzajRFNUxyxVhvKMvrSHjajSXvVFZpjreFLhBK99S8Ss0XZGkJ73/4zJvOFXNmxq54lkoOrhnyBYvrSaPI+jLzHjFJWXi23jzgR1JN0KZ/7eKC3frEMp6zTA9V7bFCyrj5u5PoJf/anacav5uLqmi0MpyhlY0fv+dGSfVa+iawoWecMZ1ZCOV8qYrKd5FBG12mMxUfa/NGXBWH4ywpFoveFg5K3Ldgy4XcOv5yRJHmkCc34fUpTPuinGOWL4nHRn7OMfsNyxMj1Qnfq+X7x/iq5Kw5scMbwttFUkf8TpkvMsh0fUvWOoeTBTjZItLzsseX4VduiiSvZiCo8z+vZ9yznFxXXDyDAuU8EmN8CLQXv0mm+aiLCvTki/CjE01lPiAjsmyJicmtAtJg8EhpMa/qWIkY2eJzjbEPS+ZW5HftTHw4m/z7sym2nB26HN+U2yRmh43zHBXd5ZSZO/MBDfTFRE9nrMtHTmPiLICxv+iWdZzjPSylSiP8JMfyCdv3RnVMVOzHEweD09kOV3p6B3q6B3n1oSKCR+yHi6ggxmplALxRWwY/njG77JfdsNnOjaHAdBUJ4Q3L7h1WUJPKvX/58lI18uume+C3K2yUzfl/jNTYzg6/Mowj8OiNQvipDixnZCuapnIkRDmdGzvTqK/i+IghgonMmNDAm7IExwWmM0Q1Bk1W34hPEYQwG9/JBcEM+Oa6BUSpB0/hBhMb8LkpQnpOoTce2luKUyHZfmzd/ixvLhfL+advsfdpVd6dTv+yRcbZ7jB8MZXPMWiYRx61QXmdQg/zQQH7ZluGk8Dhb65l4Uq3wTAl/uYaDAFWD5cD2JDldZxGunmuG7NpUqsjXylhOVdJBm6qASf3p3ZCjexYXIqcPAOAtYV+r2cV1E3v8dg89cbMbXQjZg3ArOdaCWxOB4L4QCDXYqJ5nZwTWuusgmHtEoO5s3QMCJZicFpjORVITNsF9wcZTDRcMzoZNoHqR9nCwgXcJG6PiCroqLssGQFFe4SuQK+6ecUY47XB2oUa7M2hCzaaqeLpPaOrxjPtDz+B8Pfg4wa16ld8VFW0LuKHfoqOjO7mDIkJNCwDIX8qZ7P/8cwESOtrMnQCyn0oOpLNZji8GkZ63cy4F0SEPKTjVqT8HfUbVeFQvdtJivq7FuvplkvVcyzqhe10ca9EiEMJl13/KlJ1hDNU85SsTXxfUMoHUJ6gHw6Z1Xrjxf4k23qZtNqR2NfyJrA+JUPIZTXHyTHPCCE1515QyRpechXLAQ0LmooNRJSeVL9BKTLbczkWFhDVFHMTW1pDeDSNsTu9OQygskEA7Q9ULHIXPSdleoNo6aEFNAcrIrL2bcRgpXbNVru66g3vSArUbXmkCxxJqs6MHD1y3rQ+qZ4+58Hwq1YM/360Huuro6tbXbp4dBmELIc51raOqW+Ckt5BUm+rKFlCPDc6wgOfanl6l5ARbGa2zTb1R2wnFBreua8K3RrE3sYM28+W0V4tWHCtwYOCGAXShp0UYfsjje+AGjgsC4Ne52MudPggDq5sJ5TATG8T1sJUYkB/5pkBLF7Ur0PhFOeeQUuR12DF8WLMFzcj3wng+04REu277VLNMGPmHMytXtPtikhktiLAXcf/fNZUd47wogOQr2o692paPVf3qi+YrlBonmtKtmEfUyhQzTWkW42zMm8s3XXL+k7Tsk4twIYzj+om6tXxUaSxedIMyIuqx0vWSm6aoHELSBb9hhmEY5WzMXR+UHhrJ1Qtm0cLQnZAUj6VQar3SAxuj0gUrvhjlWDyl0M8uNGiLVoyrNEHFb7iAPsvWnJgayVO0xLnYdswbKCnp/86TwXiyWqcRW5cery4FhVi2JQw2Zm4Ul8on4ZOhApF2le8Fzbk2LD6ltdDxWtWji78CJt5cKgvZrLgGr+yGmyOPmEYcHalUOFXBtWNwCeqApGLiU4Jn7Gh80kdAoqX1AlN1VWAw1dJPvai4qkOZw7s1eddc79bkzfGkD2viXs+aGOvc363JqektNRy6rjUxlde/lQzj2D26UXhSjtFT4sRA32IZKsMITKeeDudYqnLyg8nFdhLEqXD/ES1JIr7uZ5xssGCXSSD4fYPm5R7MqJUxrJM2fzezO71s97fSJ37H/MmVkiMAtlOMepVb9ySfdsLCdztlP85IPQDTcaq7glY3NNxZqYenbkn43rlboHot+4BoOHpSwCbiXAZbYOHtcE9JsCURtpaTVfzvW8oxIgfsDX2GW2a/ToyqMDvtXMGZsCr/DHYFiv9MdsUv/noyI56nijYw2HJgQCbwD4Owsx05rcjsFnbkjGz8gdrGfnaugWH/6d62rlVMQbXU5wRdo+2CD1aqDfSKIO+etk1PKZ7oBKWTN3ygP/E05TCoD+NPLOnW7sE0sSbgXDz5ymwgnHTC00AbLeBNBzMeNEKtFqQTohnfV/hiON0zVDQDT4tmrlTqfFCE70XNa0d23bOrCLRDeNpU/al5eOT3GmQe5zOec4Z3S0BrUOGYZ4r8tdheeTGG89ZKFkeV6yWJY7GI0RVVADhYkHPJmW7P1YXa5Fr2caIbDn7w6rol4jcT6sC2VCV7gVwbZutRtPVosd6xLLLCqBieL+hLkbxGbCECSM6Nso++cGa/i/Ohk9JwoippQ01jMBlInvVQsd4/MOwzaKpbVIHZ+x0HOyp2gaISEaT8kYfxXP6gg42E+rdRI9cQkwxHLNlZ+tyuce6Usv0K+53z5kT2H/gffi1Qx9+hPaz8ZY+VOLxtWNI7ackNQfpXXrQ+OGP9mpqmlVErrVMvPXIfS+CINE6R7tFzPiLNU8hzlfuhs1HnpI/1Lu/d5T0AhipmODFIPARqfVwHmee3+x9uK9X//vfvvA//AQ==&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="248" y="250" width="160" height="160" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 330px; margin-left: 249px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1<br />*.tenant-1.svc.cluster.local</div></div></div></foreignObject><text x="328" y="334" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1...</text></switch></g><rect x="58" y="250" width="160" height="160" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 330px; margin-left: 59px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2<br /> *.tenant-2.svc.cluster.local</div></div></div></foreignObject><text x="138" y="334" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2...</text></switch></g><rect x="248" y="100" width="160" height="110" fill="none" stroke="#d6b656" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 249px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-serving</div></div></div></foreignObject><text x="328" y="159" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-serving...</text></switch></g><rect x="58" y="100" width="160" height="110" fill="none" stroke="#9673a6" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 59px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />istio-system</div></div></div></foreignObject><text x="138" y="159" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">istio-system...</text></switch></g><rect x="78" y="120" width="120" height="60" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 150px; margin-left: 79px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Istio Ingress <br />Gateway</div></div></div></foreignObject><text x="138" y="154" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Istio Ingress...</text></switch></g><rect x="273" y="120" width="120" height="60" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 150px; margin-left: 274px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator<br />+ IstioProxy</div></div></div></foreignObject><text x="333" y="154" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator...</text></switch></g><ellipse cx="138" cy="300" rx="40" ry="40" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 300px; margin-left: 99px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC</b> IstioProxy + QueueProxy</div></div></div></foreignObject><text x="138" y="304" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC IstioPro...</text></switch></g><ellipse cx="328" cy="300" rx="40" ry="40" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 300px; margin-left: 289px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC<br /></b>IstioProxy + QueueProxy</div></div></div></foreignObject><text x="328" y="304" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC...</text></switch></g><path d="M 8 135 L 69.76 135" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 75.76 135 L 67.76 139 L 69.76 135 L 67.76 131 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 198 135 L 264.76 135" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 270.76 135 L 262.76 139 L 264.76 135 L 262.76 131 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 388 180 L 358.98 263.93" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 357.02 269.6 L 355.85 260.73 L 358.98 263.93 L 363.41 263.35 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 198 165 L 286.39 275.96" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 290.13 280.65 L 282.01 276.89 L 286.39 275.96 L 288.27 271.9 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 178 299.58 L 268.76 299.97" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 274.76 299.99 L 266.75 303.96 L 268.76 299.97 L 266.78 295.96 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 290px; margin-left: 249px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">2)</div></div></div></foreignObject><text x="249" y="293" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">2)</text></switch></g><path d="M 166.28 271.72 L 267.18 170.82" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 271.42 166.58 L 268.59 175.07 L 267.18 170.82 L 262.93 169.41 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 230px; margin-left: 208px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="208" y="233" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 198 150 L 264.76 150" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 270.76 150 L 262.76 154 L 264.76 150 L 262.76 146 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 150px; margin-left: 236px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="236" y="153" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 274 294.5 L 278.08 294.5 L 281 297.76 L 283.92 294.5 L 288 294.5 L 283.04 300 L 288 305.5 L 283.92 305.5 L 281 302.24 L 278.08 305.5 L 274 305.5 L 278.67 300 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 278.28 180.06 L 317.83 252.84" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 320.69 258.12 L 313.36 253 L 317.83 252.84 L 320.39 249.18 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 223px; margin-left: 303px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">4)</div></div></div></foreignObject><text x="303" y="226" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">4)</text></switch></g><path d="M 98 300 Q -12 230 71.84 155.47" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 76.33 151.49 L 73.01 159.79 L 71.84 155.47 L 67.69 153.81 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 220px; margin-left: 38px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="38" y="223" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 346.28 11.14 L 346.28 78 L 178 78 L 178 0 L 322.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 322.24 0 C 324.2 2.61 320.98 5.29 313.66 7.16 L 346.28 11.38" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 39px; margin-left: 180px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-1"]<br />to:<br />  hosts: ["*.tenant-1.svc.cluster.local"]<br /></span></font></div></div></div></foreignObject><text x="180" y="42" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 526.28 11.14 L 526.28 78 L 358 78 L 358 0 L 502.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 502.24 0 C 504.2 2.61 500.98 5.29 493.66 7.16 L 526.28 11.38" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 39px; margin-left: 360px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-2"]<br />to:<br />  hosts: ["*.tenant-2.svc.cluster.local"]<br /></span></font></div></div></div></foreignObject><text x="360" y="42" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 275 178 L 279.08 178 L 282 181.26 L 284.92 178 L 289 178 L 284.04 183.5 L 289 189 L 284.92 189 L 282 185.74 L 279.08 189 L 275 189 L 279.67 183.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-22,282,183.5)" pointer-events="all"/><path d="M 300 120 L 263 78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 374 119 L 409.36 78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><rect x="428" y="110" width="140" height="46" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 138px; height: 1px; padding-top: 133px; margin-left: 429px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator is the last place we know the "real" source</div></div></div></foreignObject><text x="498" y="136" fill="#333333" font-family="Helvetica" font-size="10px" text-anchor="middle">Activator is the last place...</text></switch></g><path d="M 428 133 L 393 150" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 198 150 L 290.55 254.83" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 294.52 259.32 L 286.23 255.97 L 290.55 254.83 L 292.22 250.68 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 237px; margin-left: 275px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">3)</div></div></div></foreignObject><text x="275" y="240" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">3)</text></switch></g><path d="M 292 260 L 296.08 260 L 299 263.26 L 301.92 260 L 306 260 L 301.04 265.5 L 306 271 L 301.92 271 L 299 267.74 L 296.08 271 L 292 271 L 296.67 265.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-35,299,265.5)" pointer-events="all"/><path d="M 58 460 L 89.76 460" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 95.76 460 L 87.76 464 L 89.76 460 L 87.76 456 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><rect x="58" y="430" width="40" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 38px; height: 1px; padding-top: 435px; margin-left: 60px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Legend<br /></b></div></div></div></foreignObject><text x="60" y="438" fill="#000000" font-family="Helvetica" font-size="10px">Legend&#xa;</text></switch></g><path d="M 58 479.89 L 89.76 479.89" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 95.76 479.89 L 87.76 483.89 L 89.76 479.89 L 87.76 475.89 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><rect x="99" y="455" width="179" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 177px; height: 1px; padding-top: 460px; margin-left: 101px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-1: all shown paths are allowed</div></div></div></foreignObject><text x="101" y="463" fill="#000000" font-family="Helvetica" font-size="10px">tenant-1: all shown paths are allow...</text></switch></g><rect x="99" y="475.5" width="599" height="54.5" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 597px; height: 1px; padding-top: 503px; margin-left: 101px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-2: <br />1) tenant-2 can call ingress-gateway and activator directly.<br />2) tenant-2 can not call tenant-1 directly. Rejected in tenant-1 istio-proxy.<br />3) tenant-2 can not call tenant-1 via ingress-gateway. Rejected in tenant-1 istio-proxy.<br />4) tenant-2 can not call tenant-1 via activator. Rejected in activator istio-proxy, as this is the last known place of the "real" source.</div></div></div></foreignObject><text x="101" y="506" fill="#000000" font-family="Helvetica" font-size="10px">tenant-2:...</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
new file mode 100644
index 00000000..3cd6ccdb
--- /dev/null
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -0,0 +1,106 @@
+= Use {smproductname} to isolate network traffic with {serverlessproductname}
+:compat-mode!:
+// Metadata:
+:description: Use {smproductname} to isolate network traffic with {serverlessproductname}
+
+// TODO
+
+{smproductshortname} can be used to isolate network-traffic between "tenants" using {smproductshortname} `AuthorizationPolicy` resources. {serverlessproductname} can also leverage this, using several {smproductshortname} resources, as routing in {serverlessproductname} has multiple ways to reach the user workload (for example when scaled to zero).
+
+
+.High-level architecture
+The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving` and the tenants namespaces, while all components are part of the {smproductshortname}. The respective `istio-proxy` sidecars take care of enforcing those rules to isolate traffic between tenants.
+
+image::service-mesh/multi-tenancy-service-mesh.drawio.svg[]
+
+
+.Prerequisites
+
+* You have access to an {product-title} account with cluster administrator access.
+
+* You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
+
+* You have set up {serverlessproductname} and {smproductname} as documented in xref:./common-service-mesh-setup.adoc[]
+
+
+.Securing the {smproductshortname}
+
+. As in the set-up documentation, make sure that all your tenants are part of the same `ServiceMeshMemberRoll` object as members:
++
+[source,yaml]
+----
+apiVersion: maistra.io/v1
+kind: ServiceMeshMemberRoll
+metadata:
+ name: default
+ namespace: istio-system
+spec:
+ members:
+   - knative-serving
+   - knative-eventing
+   - tenant-1
+   - tenant-2
+----
++
+All the namespaces that are part of the Mesh must enforce mTLS in strict mode. This forces Istio to only accept connections with a client-certificate present and allows the `istio-proxy` to validate the origin using `AuthorizationPolicy`.
++
+. For {serverlessproductname} internal components to work, the following `AuthorizationPolicies` are necessary in the `knative-serving` namespace:
++
+[source,yaml]
+----
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-activator <1>
+  namespace: knative-serving
+spec:
+  selector:
+    matchLabels:
+      app: activator
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-serving", "istio-system" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-autoscaler <2>
+  namespace: knative-serving
+spec:
+  selector:
+    matchLabels:
+      app: autoscaler
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-serving" ]
+---
+----
+<1> This rule allows traffic from `istio-system` and `knative-serving` to activator
+<2> This rule allows traffic from `knative-serving` to autoscaler
++
+[NOTE]
+====
+As soon as one `AuthorizationPolicy` is installed in a namespace, all other traffic is automatically denied.
+====
+
+. With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which namespaces (tenants) can communicate with each other. Each namespace needs:
+* One AuthorizationPolicy limiting directly incoming traffic in the tenants namespace
+* One AuthorizationPolicy limiting incoming traffic via activator in the `knative-serving` namespace
+* One AuthorizationPolicy allowing Kubernetes to call PreStopHooks on Knative Services
+* One AuthorizationPolicy allowing cluster monitoring to… // TODO
+
++
+As it is a cumbersome task to create all those policies by hand, you can use our helm generator to create the necessary resources for each tenant:
+
+ TODO
+
+
+.Verifying the {smproductshortname}
+
+ TODO
+

From e18b41eb985b8a858cff5a1ba8c47bc98c1a6629 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Thu, 20 Jul 2023 12:58:01 +0200
Subject: [PATCH 03/20] add helm generator to the network-isolation docs

---
 ...common-service-mesh-network-isolation.adoc | 33 +++++++++++++++----
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 3cd6ccdb..87d21c61 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -89,15 +89,34 @@ As soon as one `AuthorizationPolicy` is installed in a namespace, all other traf
 ====
 
 . With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which namespaces (tenants) can communicate with each other. Each namespace needs:
-* One AuthorizationPolicy limiting directly incoming traffic in the tenants namespace
-* One AuthorizationPolicy limiting incoming traffic via activator in the `knative-serving` namespace
-* One AuthorizationPolicy allowing Kubernetes to call PreStopHooks on Knative Services
-* One AuthorizationPolicy allowing cluster monitoring to… // TODO
-
+- One AuthorizationPolicy limiting directly incoming traffic in the tenants namespace
+- One AuthorizationPolicy limiting incoming traffic via activator in the `knative-serving` namespace
+- One AuthorizationPolicy allowing Kubernetes to call PreStopHooks on Knative Services
+- One AuthorizationPolicy allowing cluster monitoring to… // TODO
++
+As it is a cumbersome task to create all those policies by hand, you can use our link:https://github.com/openshift-knative/knative-istio-authz-chart[helm based generator] to create the necessary resources for each tenant:
 +
-As it is a cumbersome task to create all those policies by hand, you can use our helm generator to create the necessary resources for each tenant:
+[source,terminal]
+----
+# For Serving
+helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "namespaces={tenant-1}" --set "name=tenant-1" --set=eventing.enabled=false
+helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "namespaces={tenant-2}" --set "name=tenant-2" --set=eventing.enabled=false
 
- TODO
+# For Eventing
+helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=order-service" --set "namespaces={ns1, ns2}" --set=serving.enabled=false
+----
++
+And apply the generated resources to your cluster:
++
+[source,terminal]
+----
+$ oc apply -f <filename>
+----
++
+[NOTE]
+====
+The helm chart has several options that can be passed to configure the generated resources. Please refer to the link:https://github.com/openshift-knative/knative-istio-authz-chart/blob/main/values.yaml[values.yaml] for a full reference.
+====
 
 
 .Verifying the {smproductshortname}

From 3dea20d3f6d0849b4dab65121e1418dc3b6093ce Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Thu, 20 Jul 2023 13:42:22 +0200
Subject: [PATCH 04/20] refer to external yaml files on GitHub

---
 ...common-service-mesh-network-isolation.adoc | 60 +++++--------------
 1 file changed, 14 insertions(+), 46 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 87d21c61..57f3e656 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -44,49 +44,20 @@ spec:
 +
 All the namespaces that are part of the Mesh must enforce mTLS in strict mode. This forces Istio to only accept connections with a client-certificate present and allows the `istio-proxy` to validate the origin using `AuthorizationPolicy`.
 +
-. For {serverlessproductname} internal components to work, the following `AuthorizationPolicies` are necessary in the `knative-serving` namespace:
+. For {serverlessproductname} internal components to work, the several `AuthorizationPolicies` are necessary in the `knative-serving` and the `knative-eventing` namespace. The necessary resources are available in link:https://github.com/openshift-knative/knative-istio-authz-chart/tree/main/setup[here]:
+
+- `deny-all-by-default.yaml` denies all traffic that is not explicitly allowed in `knative-serving` and `knative-eventing`
+- `allow-traffic-to-activator.yaml` allows traffic from `istio-system` and `knative-serving` to activator
+- `allow-traffic-to-autoscaler.yaml` allows traffic from `knative-serving` to autoscaler
+- `allow-probe-kafka-controller.yaml` allows health probes for kafka components in `knative-eventing`
+- `allow-mt-channel-based-broker-to-channels.yaml` allows internal traffic for channel based brokers in `knative-eventing`
 +
-[source,yaml]
+Make sure to apply all those rules to your cluster with
++
+[source,terminal]
 ----
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: allow-traffic-to-activator <1>
-  namespace: knative-serving
-spec:
-  selector:
-    matchLabels:
-      app: activator
-  action: ALLOW
-  rules:
-    - from:
-        - source:
-            namespaces: [ "knative-serving", "istio-system" ]
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: allow-traffic-to-autoscaler <2>
-  namespace: knative-serving
-spec:
-  selector:
-    matchLabels:
-      app: autoscaler
-  action: ALLOW
-  rules:
-    - from:
-        - source:
-            namespaces: [ "knative-serving" ]
----
+$ oc apply -f <filename>
 ----
-<1> This rule allows traffic from `istio-system` and `knative-serving` to activator
-<2> This rule allows traffic from `knative-serving` to autoscaler
-+
-[NOTE]
-====
-As soon as one `AuthorizationPolicy` is installed in a namespace, all other traffic is automatically denied.
-====
 
 . With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which namespaces (tenants) can communicate with each other. Each namespace needs:
 - One AuthorizationPolicy limiting directly incoming traffic in the tenants namespace
@@ -97,13 +68,10 @@ As soon as one `AuthorizationPolicy` is installed in a namespace, all other traf
 As it is a cumbersome task to create all those policies by hand, you can use our link:https://github.com/openshift-knative/knative-istio-authz-chart[helm based generator] to create the necessary resources for each tenant:
 +
 [source,terminal]
+.Create resources per tenant with helm
 ----
-# For Serving
-helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "namespaces={tenant-1}" --set "name=tenant-1" --set=eventing.enabled=false
-helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "namespaces={tenant-2}" --set "name=tenant-2" --set=eventing.enabled=false
-
-# For Eventing
-helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=order-service" --set "namespaces={ns1, ns2}" --set=serving.enabled=false
+helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=tenant-1" --set "namespaces={ns1, ns2}"
+helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=tenant-2" --set "namespaces={ns3, ns4}"
 ----
 +
 And apply the generated resources to your cluster:

From 7fe1604ba51756d9487175442cf912f302737464 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Thu, 20 Jul 2023 14:02:36 +0200
Subject: [PATCH 05/20] add improvements for general, more isolated istio
 installation (SRVCOM-2356)

---
 .../common-service-mesh-setup.adoc            | 36 ++++++++++++++-----
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
index 1eac3847..2830f70e 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
@@ -5,10 +5,17 @@
 
 // TODO
 
-[IMPORTANT]
-====
-This page describes the integration of {serverlessproductname} with {smproductname}. In this setup, it is assumed that, all Knative internal components, as well as Knative Services, are part of the Service Mesh and have istio-sidecars injected. This means, that strict mTLS is enforced within the whole mesh. All requests to Knative Services require an mTLS connection  (the client must send its certificate), except calls coming from OpenShift Routing.
-====
+.Assumptions and limitations
+
+This page describes the integration of {serverlessproductname} with {smproductname}. In this setup, it is assumed that:
+
+* All Knative internal components, as well as Knative Services, are part of the {smproductshortname} and have istio-sidecars injected. This means, that strict mTLS is enforced within the whole mesh. All requests to Knative Services require an mTLS connection  (the client must send its certificate), except calls coming from OpenShift Routing.
+* {serverlessproductname} with Kourier disabled can only target *one* istio service mesh. Multiple meshes can be present in the cluster, but {serverlessproductname} will only be available on one of them.
+* The mesh that {serverlessproductname} is part of has to be distinct and ideally only for {serverlessproductname} workloads, as additional configuration like `Gateways` might interfere with the automated configuration by {serverlessproductname}. Other namespaces can be part of this Mesh, but must not configure the istio custom resource `Gateway` that could overlap with {serverlessproductname} `knative-local-gateway` and `knative-ingress-gateway`.
+* {smproductname} only allows one `Gateway` to claim a wildcard host binding (`hosts: *`) on the same port (`port: 443`). So the `knative-ingress-gateway` and `knative-local-gateway` have to be unique in the Mesh. If another Mesh is already binding this configuration, a separate Mesh has to be created for {serverlessproductname} workloads.
+* Cluster external Knative Services are expected to be called via OpenShift Ingress using OpenShift Routes. It is not supported to access istio directly, e.g. by exposing the `istio-ingressgateway` using a Service with type `NodePort` or `LoadBalancer`.
+* Changing the target `ServiceMeshMemberRole`, that {serverlessproductname} is part of (meaning moving {serverlessproductname} to another mesh) is not supported. The only way to change the targeted Service Mesh is to uninstall and reinstall {serverlessproductname}.
+
 
 .Prerequisites
 
@@ -51,18 +58,24 @@ spec:
     meshConfig:
       defaultConfig:
         terminationDrainDuration: 35s <2>
+  gateways:
+    ingress:
+      service:
+        metadata:
+          labels:
+            knative: ingressgateway <3>
   proxy:
     networking:
       trafficControl:
         inbound:
-          excludedPorts: <3>
+          excludedPorts: <4>
           - 8444 # metrics
           - 8022 # serving: wait-for-drain k8s pre-stop hook
 ----
 <1> This enforces strict mTLS in the mesh. Only calls using a valid client-certificate are allowed.
 <2> OpenShift Serverless has a graceful termination for Knative Services of 30 seconds. The istio-proxy needs to have a longer termination duration to make sure no requests are dropped.
-<3> Those ports are called by Kubernetes and cluster monitoring which are not part of the mesh and cannot be called using mTLS, thus those ports are excluded from the Service Mesh.
-+
+<3> Defining a specific selector for the `ingress-gateway` to target only the Knative gateway.
+<4> Those ports are called by Kubernetes and cluster monitoring which are not part of the mesh and cannot be called using mTLS, thus those ports are excluded from the Service Mesh.
 
 
 . Add the namespaces that you would like to integrate with {SMProductShortName} to the `ServiceMeshMemberRoll` object as members:
@@ -106,7 +119,7 @@ metadata:
   namespace: knative-serving
 spec:
   selector:
-    istio: ingressgateway
+    knative: ingressgateway
   servers:
     - port:
         number: 443
@@ -125,7 +138,7 @@ metadata:
  namespace: knative-serving
 spec:
  selector:
-   istio: ingressgateway
+   knative: ingressgateway
  servers:
    - port:
        number: 8081
@@ -188,9 +201,14 @@ spec:
     annotations:
       "sidecar.istio.io/inject": "true"
       "sidecar.istio.io/rewriteAppHTTPProbers": "true"
+  config:
+    istio: <3>
+      gateway.knative-serving.knative-ingress-gateway: istio-ingressgateway.<your-istio-namespace>.svc.cluster.local
+      local-gateway.knative-serving.knative-local-gateway: knative-local-gateway.<your-istio-namespace>.svc.cluster.local
 ----
 <1> Enables Istio integration.
 <2> Enables sidecar injection for Knative Serving data plane pods.
+<3> Optional: if your istio is *NOT* running in `istio-system`, set those two flags with the correct namespace.
 
 . Apply the `KnativeServing` resource:
 +

From 8cdf267adac84d3601a8ad945d94557d4a8b984d Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Thu, 20 Jul 2023 14:10:28 +0200
Subject: [PATCH 06/20] minor fixes

---
 .../common-service-mesh-network-isolation.adoc         | 10 ++++++++--
 .../pages/service-mesh/common-service-mesh-setup.adoc  |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 57f3e656..8fd839bc 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -5,14 +5,20 @@
 
 // TODO
 
-{smproductshortname} can be used to isolate network-traffic between "tenants" using {smproductshortname} `AuthorizationPolicy` resources. {serverlessproductname} can also leverage this, using several {smproductshortname} resources, as routing in {serverlessproductname} has multiple ways to reach the user workload (for example when scaled to zero).
+{smproductshortname} can be used to isolate network-traffic between "tenants" using {smproductshortname} `AuthorizationPolicy` resources. {serverlessproductname} can also leverage this, using several {smproductshortname} resources.
 
 
 .High-level architecture
-The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving` and the tenants namespaces, while all components are part of the {smproductshortname}. The respective `istio-proxy` sidecars take care of enforcing those rules to isolate traffic between tenants.
+The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving`, `knative-eventing` and the tenants namespaces, while all components are part of the {smproductshortname}. The respective `istio-proxy` sidecars take care of enforcing those rules to isolate traffic between tenants.
+
+*Knative Serving*
 
 image::service-mesh/multi-tenancy-service-mesh.drawio.svg[]
 
+*Knative Eventing*
+
+TODO pierdipi, please add your diagram here!
+
 
 .Prerequisites
 
diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
index 2830f70e..7492f15b 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
@@ -166,7 +166,7 @@ spec:
      targetPort: 8081
 ----
 <1> Add the name of the secret that contains the wildcard certificate.
-<2> The `knative-local-gateway` serves HTTPS traffic and expects all clients to send requests using mTLS. This means, that only traffic coming from withing {SMProductShortName} is possible. Workloads from outside the {smproductshortname} must use the external domain using the `istio-ingressgateway`.
+<2> The `knative-local-gateway` serves HTTPS traffic and expects all clients to send requests using mTLS. This means, that only traffic coming from withing {SMProductShortName} is possible. Workloads from outside the {smproductshortname} must use the external domain via OpenShift Routing.
 
 . Apply the `Gateway` resources:
 +

From 4743483dc36e380a781d4b70c8342b55dffe867d Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Thu, 20 Jul 2023 14:55:57 +0200
Subject: [PATCH 07/20] remove todo for monitoring resources

---
 .../service-mesh/common-service-mesh-network-isolation.adoc      | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 8fd839bc..3d42e777 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -69,7 +69,6 @@ $ oc apply -f <filename>
 - One AuthorizationPolicy limiting directly incoming traffic in the tenants namespace
 - One AuthorizationPolicy limiting incoming traffic via activator in the `knative-serving` namespace
 - One AuthorizationPolicy allowing Kubernetes to call PreStopHooks on Knative Services
-- One AuthorizationPolicy allowing cluster monitoring to… // TODO
 +
 As it is a cumbersome task to create all those policies by hand, you can use our link:https://github.com/openshift-knative/knative-istio-authz-chart[helm based generator] to create the necessary resources for each tenant:
 +

From d6e8df75c9f8cf1243b633dfd684ff7519c0869f Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Mon, 24 Jul 2023 14:23:48 +0200
Subject: [PATCH 08/20] add resources for setup

---
 ...common-service-mesh-network-isolation.adoc | 200 +++++++++++++++++-
 1 file changed, 191 insertions(+), 9 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 3d42e777..8538ebef 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -50,13 +50,195 @@ spec:
 +
 All the namespaces that are part of the Mesh must enforce mTLS in strict mode. This forces Istio to only accept connections with a client-certificate present and allows the `istio-proxy` to validate the origin using `AuthorizationPolicy`.
 +
-. For {serverlessproductname} internal components to work, the several `AuthorizationPolicies` are necessary in the `knative-serving` and the `knative-eventing` namespace. The necessary resources are available in link:https://github.com/openshift-knative/knative-istio-authz-chart/tree/main/setup[here]:
-
-- `deny-all-by-default.yaml` denies all traffic that is not explicitly allowed in `knative-serving` and `knative-eventing`
-- `allow-traffic-to-activator.yaml` allows traffic from `istio-system` and `knative-serving` to activator
-- `allow-traffic-to-autoscaler.yaml` allows traffic from `knative-serving` to autoscaler
-- `allow-probe-kafka-controller.yaml` allows health probes for kafka components in `knative-eventing`
-- `allow-mt-channel-based-broker-to-channels.yaml` allows internal traffic for channel based brokers in `knative-eventing`
+. For {serverlessproductname} internal components to work, the several `AuthorizationPolicies` are necessary in the `knative-serving` and the `knative-eventing` namespace:
++
+[source,yaml]
+----
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: deny-all-by-default
+  namespace: knative-eventing
+spec: { }
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: deny-all-by-default
+  namespace: knative-serving
+spec: { }
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher
+  namespace: knative-eventing
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: "imc-dispatcher"
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-eventing" ]
+            principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ]
+      to:
+        - operation:
+            methods: [ "POST" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-mt-channel-based-broker-ingress-to-kafka-channel
+  namespace: knative-eventing
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: "kafka-channel-receiver"
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-eventing" ]
+            principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ]
+      to:
+        - operation:
+            methods: [ "POST" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-kafka-channel-to-mt-channel-based-broker-filter
+  namespace: knative-eventing
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: "broker-filter"
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-eventing" ]
+            principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ]
+      to:
+        - operation:
+            methods: [ "POST" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-imc-to-mt-channel-based-broker-filter
+  namespace: knative-eventing
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: "broker-filter"
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-eventing" ]
+            principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ]
+      to:
+        - operation:
+            methods: [ "POST" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-probe-kafka-broker-receiver
+  namespace: knative-eventing
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: "kafka-broker-receiver"
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-eventing" ]
+            principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
+      to:
+        - operation:
+            methods: [ "GET" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-probe-kafka-sink-receiver
+  namespace: knative-eventing
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: "kafka-sink-receiver"
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-eventing" ]
+            principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
+      to:
+        - operation:
+            methods: [ "GET" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-probe-kafka-channel-receiver
+  namespace: knative-eventing
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: "kafka-channel-receiver"
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-eventing" ]
+            principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
+      to:
+        - operation:
+            methods: [ "GET" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-activator
+  namespace: knative-serving
+spec:
+  selector:
+    matchLabels:
+      app: activator
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-serving", "istio-system" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-traffic-to-autoscaler
+  namespace: knative-serving
+spec:
+  selector:
+    matchLabels:
+      app: autoscaler
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces: [ "knative-serving" ]
+---
+----
+These policies:
+- Deny all traffic that is not explicitly allowed in `knative-serving` and `knative-eventing`
+- Allow traffic from `istio-system` and `knative-serving` to activator
+- Allow traffic from `knative-serving` to autoscaler
+- Allow health probes for kafka components in `knative-eventing`
+- Allow internal traffic for channel based brokers in `knative-eventing`
 +
 Make sure to apply all those rules to your cluster with
 +
@@ -75,8 +257,8 @@ As it is a cumbersome task to create all those policies by hand, you can use our
 [source,terminal]
 .Create resources per tenant with helm
 ----
-helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=tenant-1" --set "namespaces={ns1, ns2}"
-helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=tenant-2" --set "namespaces={ns3, ns4}"
+helm template oci://quay.io/openshift-knative/knative-istio-authz-onboarding --version 1.31.0 --set "name=tenant-1" --set "namespaces={ns1, ns2}"
+helm template oci://quay.io/openshift-knative/knative-istio-authz-onboarding --version 1.31.0 --set "name=tenant-2" --set "namespaces={ns3, ns4}"
 ----
 +
 And apply the generated resources to your cluster:

From 6cfb94fa2cda28bc9b15477043cefdf00c77808d Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Wed, 26 Jul 2023 15:03:43 +0200
Subject: [PATCH 09/20] add block to verify setup

---
 ...common-service-mesh-network-isolation.adoc | 163 +++++++++++++++++-
 1 file changed, 161 insertions(+), 2 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 8538ebef..5ca86299 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -274,7 +274,166 @@ The helm chart has several options that can be passed to configure the generated
 ====
 
 
-.Verifying the {smproductshortname}
+.Verifying the configuration
+
+This verification is assuming that we have two tenants with one namespace each, all part of the `ServiceMeshMemberRoll`, configured with resources listed above.
+We can then use curl to verify the connectivity:
+
+. Deploy Knative Services in both tenants namespaces and a `curl` pod to run test commands:
++
+[source,terminal]
+----
+# Tenant 1
+cat <<-EOF | oc apply -f -
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: test-webapp
+  namespace: tenant-1
+  annotations:
+    serving.knative.openshift.io/enablePassthrough: "true"
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: 'true'
+        autoscaling.knative.dev/target-burst-capacity: "-1"
+    spec:
+      containers:
+        - image: docker.io/openshift/hello-openshift
+          env:
+            - name: RESPONSE
+              value: "Hello Serverless!"
+EOF
+
+cat <<-EOF | oc apply -f -
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: curl
+  namespace: tenant-1
+  labels:
+    app: curl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: curl
+  template:
+    metadata:
+      labels:
+        app: curl
+      annotations:
+        sidecar.istio.io/inject: 'true'
+    spec:
+      containers:
+      - name: curl
+        image: curlimages/curl
+        command:
+        - sleep
+        - "3600"
+EOF
+
+# Tenant 2
+cat <<-EOF | oc apply -f -
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: test-webapp
+  namespace: tenant-2
+  annotations:
+    serving.knative.openshift.io/enablePassthrough: "true"
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: 'true'
+        autoscaling.knative.dev/target-burst-capacity: "-1"
+    spec:
+      containers:
+        - image: docker.io/openshift/hello-openshift
+          env:
+            - name: RESPONSE
+              value: "Hello Serverless!"
+EOF
+----
+
+. Verification
++
+[source,terminal]
+----
+# Test tenant-1 -> tenant-1 via cluster local domain (allowed)
+oc exec deployment/curl -n tenant-1 -it -- curl -v http://test-webapp.tenant-1:80
+
+HTTP/1.1 200 OK
+content-length: 18
+content-type: text/plain; charset=utf-8
+date: Wed, 26 Jul 2023 12:49:59 GMT
+server: envoy
+x-envoy-upstream-service-time: 9
+
+Hello Serverless!
+
+
+# Test tenant-1 -> tenant-1 via external domain (allowed)
+EXTERNAL_URL=$(oc get ksvc -n tenant-1 test-webapp -o custom-columns=:.status.url --no-headers)
+oc exec deployment/curl -n tenant-1 -it -- curl -ik $EXTERNAL_URL
+
+HTTP/2 200
+content-length: 18
+content-type: text/plain; charset=utf-8
+date: Wed, 26 Jul 2023 12:55:30 GMT
+server: istio-envoy
+x-envoy-upstream-service-time: 3629
+
+Hello Serverless!
+
+
+# Test tenant-1 -> tenant-2 via cluster local domain (not allowed)
+oc exec deployment/curl -n tenant-1 -it -- curl -v http://test-webapp.tenant-2:80
+
+* processing: http://test-webapp.tenant-2:80
+*   Trying 172.30.73.216:80...
+* Connected to test-webapp.tenant-2 (172.30.73.216) port 80
+> GET / HTTP/1.1
+> Host: test-webapp.tenant-2
+> User-Agent: curl/8.2.0
+> Accept: */*
+>
+< HTTP/1.1 403 Forbidden
+< content-length: 19
+< content-type: text/plain
+< date: Wed, 26 Jul 2023 12:55:49 GMT
+< server: envoy
+< x-envoy-upstream-service-time: 6
+<
+* Connection #0 to host test-webapp.tenant-2 left intact
+RBAC: access denied
+
+
+# Test tenant-1 -> tenant-2 via external domain (allowed)
+EXTERNAL_URL=$(oc get ksvc -n tenant-2 test-webapp -o custom-columns=:.status.url --no-headers)
+oc exec deployment/curl -n tenant-1 -it -- curl -ik $EXTERNAL_URL
+
+HTTP/2 200
+content-length: 18
+content-type: text/plain; charset=utf-8
+date: Wed, 26 Jul 2023 12:56:22 GMT
+server: istio-envoy
+x-envoy-upstream-service-time: 2856
+
+Hello Serverless!
+----
+
+. Cleanup
++
+Delete the resources that were created for verification:
++
+[source,terminal]
+----
+oc delete deployment/curl -n tenant-1
+oc delete ksvc/test-webapp -n tenant-1
+oc delete ksvc/test-webapp -n tenant-2
+----
 
- TODO
 

From 8711a956dc97c8ea15947660b149e2f5e69b6ffa Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Wed, 2 Aug 2023 09:00:14 +0200
Subject: [PATCH 10/20] use updated diagram of tenancy diagram

---
 .../images/service-mesh/multi-tenancy-service-mesh.drawio.svg   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg
index 181aa5c0..63f07145 100644
--- a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg
+++ b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg
@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- Do not edit this file with editors other than diagrams.net -->
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="699px" height="534px" viewBox="-0.5 -0.5 699 534" content="&lt;mxfile host=&quot;drawio-plugin&quot; modified=&quot;2023-05-25T11:42:29.848Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36&quot; etag=&quot;QiMYJZly1xpERPDJCFA4&quot; version=&quot;20.5.3&quot; type=&quot;embed&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Page-1&quot;&gt;7Vxbj6M2FP41eWilIC42kMfpzO626laadqV2++iAk7hLcApOJtlfXxswAdvJkASSjDpTqQu2seGc71x9nJH3uNx+ytBq8RuNcTJy7Xg78p5GrutA6PN/RMtOtgSgbJlnJK7a9g1fyHdcNdpV65rEOG8NZJQmjKzajRFNUxyxVhvKMvrSHjajSXvVFZpjreFLhBK99S8Ss0XZGkJ73/4zJvOFXNmxq54lkoOrhnyBYvrSaPI+jLzHjFJWXi23jzgR1JN0KZ/7eKC3frEMp6zTA9V7bFCyrj5u5PoJf/anacav5uLqmi0MpyhlY0fv+dGSfVa+iawoWecMZ1ZCOV8qYrKd5FBG12mMxUfa/NGXBWH4ywpFoveFg5K3Ldgy4XcOv5yRJHmkCc34fUpTPuinGOWL4nHRn7OMfsNyxMj1Qnfq+X7x/iq5Kw5scMbwttFUkf8TpkvMsh0fUvWOoeTBTjZItLzsseX4VduiiSvZiCo8z+vZ9yznFxXXDyDAuU8EmN8CLQXv0mm+aiLCvTki/CjE01lPiAjsmyJicmtAtJg8EhpMa/qWIkY2eJzjbEPS+ZW5HftTHw4m/z7sym2nB26HN+U2yRmh43zHBXd5ZSZO/MBDfTFRE9nrMtHTmPiLICxv+iWdZzjPSylSiP8JMfyCdv3RnVMVOzHEweD09kOV3p6B3q6B3n1oSKCR+yHi6ggxmplALxRWwY/njG77JfdsNnOjaHAdBUJ4Q3L7h1WUJPKvX/58lI18uume+C3K2yUzfl/jNTYzg6/Mowj8OiNQvipDixnZCuapnIkRDmdGzvTqK/i+IghgonMmNDAm7IExwWmM0Q1Bk1W34hPEYQwG9/JBcEM+Oa6BUSpB0/hBhMb8LkpQnpOoTce2luKUyHZfmzd/ixvLhfL+advsfdpVd6dTv+yRcbZ7jB8MZXPMWiYRx61QXmdQg/zQQH7ZluGk8Dhb65l4Uq3wTAl/uYaDAFWD5cD2JDldZxGunmuG7NpUqsjXylhOVdJBm6qASf3p3ZCjexYXIqcPAOAtYV+r2cV1E3v8dg89cbMbXQjZg3ArOdaCWxOB4L4QCDXYqJ5nZwTWuusgmHtEoO5s3QMCJZicFpjORVITNsF9wcZTDRcMzoZNoHqR9nCwgXcJG6PiCroqLssGQFFe4SuQK+6ecUY47XB2oUa7M2hCzaaqeLpPaOrxjPtDz+B8Pfg4wa16ld8VFW0LuKHfoqOjO7mDIkJNCwDIX8qZ7P/8cwESOtrMnQCyn0oOpLNZji8GkZ63cy4F0SEPKTjVqT8HfUbVeFQvdtJivq7FuvplkvVcyzqhe10ca9EiEMJl13/KlJ1hDNU85SsTXxfUMoHUJ6gHw6Z1Xrjxf4k23qZtNqR2NfyJrA+JUPIZTXHyTHPCCE1515QyRpechXLAQ0LmooNRJSeVL9BKTLbczkWFhDVFHMTW1pDeDSNsTu9OQygskEA7Q9ULHIXPSdleoNo6aEFNAcrIrL2bcRgpXbNVru66g3vSArUbXmkCxxJqs6MHD1y3rQ+qZ4+58Hwq1YM/360Huuro6tbXbp4dBmELIc51raOqW+Ckt5BUm+rKFlCPDc6wgOfanl6l5ARbGa2zTb1R2wnFBreua8K3RrE3sYM28+W0V4tWHCtwYOCGAXShp0UYfsjje+AGjgsC4Ne52MudPggDq5sJ5TATG8T1sJUYkB/5pkBLF7Ur0PhFOeeQUuR12DF8WLMFzcj3wng+04REu277VLNMGPmHMytXtPtikhktiLAXcf/fNZUd47wogOQr2o692paPVf3qi+YrlBonmtKtmEfUyhQzTWkW42zMm8s3XXL+k7Tsk4twIYzj+om6tXxUaSxedIMyIuqx0vWSm6aoHELSBb9hhmEY5WzMXR+UHhrJ1Qtm0cLQnZAUj6VQar3SAxuj0gUrvhjlWDyl0M8uNGiLVoyrNEHFb7iAPsvWnJgayVO0xLnYdswbKCnp/86TwXiyWqcRW5cery4FhVi2JQw2Zm4Ul8on4ZOhApF2le8Fzbk2LD6ltdDxWtWji78CJt5cKgvZrLgGr+yGmyOPmEYcHalUOFXBtWNwCeqApGLiU4Jn7Gh80kdAoqX1AlN1VWAw1dJPvai4qkOZw7s1eddc79bkzfGkD2viXs+aGOvc363JqektNRy6rjUxlde/lQzj2D26UXhSjtFT4sRA32IZKsMITKeeDudYqnLyg8nFdhLEqXD/ES1JIr7uZ5xssGCXSSD4fYPm5R7MqJUxrJM2fzezO71s97fSJ37H/MmVkiMAtlOMepVb9ySfdsLCdztlP85IPQDTcaq7glY3NNxZqYenbkn43rlboHot+4BoOHpSwCbiXAZbYOHtcE9JsCURtpaTVfzvW8oxIgfsDX2GW2a/ToyqMDvtXMGZsCr/DHYFiv9MdsUv/noyI56nijYw2HJgQCbwD4Owsx05rcjsFnbkjGz8gdrGfnaugWH/6d62rlVMQbXU5wRdo+2CD1aqDfSKIO+etk1PKZ7oBKWTN3ygP/E05TCoD+NPLOnW7sE0sSbgXDz5ymwgnHTC00AbLeBNBzMeNEKtFqQTohnfV/hiON0zVDQDT4tmrlTqfFCE70XNa0d23bOrCLRDeNpU/al5eOT3GmQe5zOec4Z3S0BrUOGYZ4r8tdheeTGG89ZKFkeV6yWJY7GI0RVVADhYkHPJmW7P1YXa5Fr2caIbDn7w6rol4jcT6sC2VCV7gVwbZutRtPVosd6xLLLCqBieL+hLkbxGbCECSM6Nso++cGa/i/Ohk9JwoippQ01jMBlInvVQsd4/MOwzaKpbVIHZ+x0HOyp2gaISEaT8kYfxXP6gg42E+rdRI9cQkwxHLNlZ+tyuce6Usv0K+53z5kT2H/gffi1Qx9+hPaz8ZY+VOLxtWNI7ackNQfpXXrQ+OGP9mpqmlVErrVMvPXIfS+CINE6R7tFzPiLNU8hzlfuhs1HnpI/1Lu/d5T0AhipmODFIPARqfVwHmee3+x9uK9X//vfvvA//AQ==&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="248" y="250" width="160" height="160" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 330px; margin-left: 249px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1<br />*.tenant-1.svc.cluster.local</div></div></div></foreignObject><text x="328" y="334" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1...</text></switch></g><rect x="58" y="250" width="160" height="160" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 330px; margin-left: 59px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2<br /> *.tenant-2.svc.cluster.local</div></div></div></foreignObject><text x="138" y="334" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2...</text></switch></g><rect x="248" y="100" width="160" height="110" fill="none" stroke="#d6b656" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 249px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-serving</div></div></div></foreignObject><text x="328" y="159" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-serving...</text></switch></g><rect x="58" y="100" width="160" height="110" fill="none" stroke="#9673a6" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 59px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />istio-system</div></div></div></foreignObject><text x="138" y="159" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">istio-system...</text></switch></g><rect x="78" y="120" width="120" height="60" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 150px; margin-left: 79px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Istio Ingress <br />Gateway</div></div></div></foreignObject><text x="138" y="154" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Istio Ingress...</text></switch></g><rect x="273" y="120" width="120" height="60" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 150px; margin-left: 274px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator<br />+ IstioProxy</div></div></div></foreignObject><text x="333" y="154" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator...</text></switch></g><ellipse cx="138" cy="300" rx="40" ry="40" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 300px; margin-left: 99px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC</b> IstioProxy + QueueProxy</div></div></div></foreignObject><text x="138" y="304" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC IstioPro...</text></switch></g><ellipse cx="328" cy="300" rx="40" ry="40" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 300px; margin-left: 289px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC<br /></b>IstioProxy + QueueProxy</div></div></div></foreignObject><text x="328" y="304" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC...</text></switch></g><path d="M 8 135 L 69.76 135" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 75.76 135 L 67.76 139 L 69.76 135 L 67.76 131 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 198 135 L 264.76 135" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 270.76 135 L 262.76 139 L 264.76 135 L 262.76 131 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 388 180 L 358.98 263.93" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 357.02 269.6 L 355.85 260.73 L 358.98 263.93 L 363.41 263.35 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 198 165 L 286.39 275.96" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 290.13 280.65 L 282.01 276.89 L 286.39 275.96 L 288.27 271.9 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 178 299.58 L 268.76 299.97" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 274.76 299.99 L 266.75 303.96 L 268.76 299.97 L 266.78 295.96 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 290px; margin-left: 249px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">2)</div></div></div></foreignObject><text x="249" y="293" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">2)</text></switch></g><path d="M 166.28 271.72 L 267.18 170.82" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 271.42 166.58 L 268.59 175.07 L 267.18 170.82 L 262.93 169.41 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 230px; margin-left: 208px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="208" y="233" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 198 150 L 264.76 150" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 270.76 150 L 262.76 154 L 264.76 150 L 262.76 146 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 150px; margin-left: 236px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="236" y="153" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 274 294.5 L 278.08 294.5 L 281 297.76 L 283.92 294.5 L 288 294.5 L 283.04 300 L 288 305.5 L 283.92 305.5 L 281 302.24 L 278.08 305.5 L 274 305.5 L 278.67 300 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 278.28 180.06 L 317.83 252.84" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 320.69 258.12 L 313.36 253 L 317.83 252.84 L 320.39 249.18 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 223px; margin-left: 303px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">4)</div></div></div></foreignObject><text x="303" y="226" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">4)</text></switch></g><path d="M 98 300 Q -12 230 71.84 155.47" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 76.33 151.49 L 73.01 159.79 L 71.84 155.47 L 67.69 153.81 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 220px; margin-left: 38px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="38" y="223" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 346.28 11.14 L 346.28 78 L 178 78 L 178 0 L 322.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 322.24 0 C 324.2 2.61 320.98 5.29 313.66 7.16 L 346.28 11.38" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 39px; margin-left: 180px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-1"]<br />to:<br />  hosts: ["*.tenant-1.svc.cluster.local"]<br /></span></font></div></div></div></foreignObject><text x="180" y="42" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 526.28 11.14 L 526.28 78 L 358 78 L 358 0 L 502.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 502.24 0 C 504.2 2.61 500.98 5.29 493.66 7.16 L 526.28 11.38" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 39px; margin-left: 360px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-2"]<br />to:<br />  hosts: ["*.tenant-2.svc.cluster.local"]<br /></span></font></div></div></div></foreignObject><text x="360" y="42" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 275 178 L 279.08 178 L 282 181.26 L 284.92 178 L 289 178 L 284.04 183.5 L 289 189 L 284.92 189 L 282 185.74 L 279.08 189 L 275 189 L 279.67 183.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-22,282,183.5)" pointer-events="all"/><path d="M 300 120 L 263 78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 374 119 L 409.36 78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><rect x="428" y="110" width="140" height="46" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 138px; height: 1px; padding-top: 133px; margin-left: 429px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator is the last place we know the "real" source</div></div></div></foreignObject><text x="498" y="136" fill="#333333" font-family="Helvetica" font-size="10px" text-anchor="middle">Activator is the last place...</text></switch></g><path d="M 428 133 L 393 150" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 198 150 L 290.55 254.83" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 294.52 259.32 L 286.23 255.97 L 290.55 254.83 L 292.22 250.68 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 237px; margin-left: 275px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">3)</div></div></div></foreignObject><text x="275" y="240" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">3)</text></switch></g><path d="M 292 260 L 296.08 260 L 299 263.26 L 301.92 260 L 306 260 L 301.04 265.5 L 306 271 L 301.92 271 L 299 267.74 L 296.08 271 L 292 271 L 296.67 265.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-35,299,265.5)" pointer-events="all"/><path d="M 58 460 L 89.76 460" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 95.76 460 L 87.76 464 L 89.76 460 L 87.76 456 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><rect x="58" y="430" width="40" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 38px; height: 1px; padding-top: 435px; margin-left: 60px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Legend<br /></b></div></div></div></foreignObject><text x="60" y="438" fill="#000000" font-family="Helvetica" font-size="10px">Legend&#xa;</text></switch></g><path d="M 58 479.89 L 89.76 479.89" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 95.76 479.89 L 87.76 483.89 L 89.76 479.89 L 87.76 475.89 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><rect x="99" y="455" width="179" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 177px; height: 1px; padding-top: 460px; margin-left: 101px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-1: all shown paths are allowed</div></div></div></foreignObject><text x="101" y="463" fill="#000000" font-family="Helvetica" font-size="10px">tenant-1: all shown paths are allow...</text></switch></g><rect x="99" y="475.5" width="599" height="54.5" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 597px; height: 1px; padding-top: 503px; margin-left: 101px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-2: <br />1) tenant-2 can call ingress-gateway and activator directly.<br />2) tenant-2 can not call tenant-1 directly. Rejected in tenant-1 istio-proxy.<br />3) tenant-2 can not call tenant-1 via ingress-gateway. Rejected in tenant-1 istio-proxy.<br />4) tenant-2 can not call tenant-1 via activator. Rejected in activator istio-proxy, as this is the last known place of the "real" source.</div></div></div></foreignObject><text x="101" y="506" fill="#000000" font-family="Helvetica" font-size="10px">tenant-2:...</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="677px" height="526px" viewBox="-0.5 -0.5 677 526" content="&lt;mxfile host=&quot;drawio-plugin&quot; modified=&quot;2023-08-02T06:46:38.175Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36&quot; etag=&quot;oryNG41NsIzzjCH34zUl&quot; version=&quot;20.5.3&quot; type=&quot;embed&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Page-1&quot;&gt;7Vxbb+M2Fv41BtoFLOhGSnpMM51psb1kd4Dd6SMt0bY2suhSdGL31y8pibZ4sSMrsp2ZJgNMJN7F850rDzMJ7lfbTxStl7+SDBcT3822k+DDxPe9KIL8lyjZyRLoNiULmmdt2aHgc/4Xbgtls02e4UppyAgpWL5WC1NSljhlShmilDyrzeakUGddowU2Cj6nqDBL/5tnbNmUxsA9lP+E88VSzuy5bc0KycZtQbVEGXnuFAU/ToJ7Sghrnlbbe1yI3ZP70vT7eKR2vzCKS9arQ7uOJ1Rs2o+b+LDgfX+YUf60EE/XLGG4RCWbembNPxxZ51RPqZMWm4ph6hSE06XdTLaTFKJkU2ZYfKTLuz4vc4Y/r1Eqap85KHnZkq0K/ubxx3leFPekIJS/l6TkjX7IULWsu4v6ilHyiGWLiR/E/iyAsF6/vt0tBZ4wZXjbKWq3/xMmK8zojjdpa6dA0mAnCyRang/Y8iSHLLu4koWoxfNiP/qB5PyhpfoRBHhvEwH2VaCVoF05q9ZdRPg3RwRMYzybj4SIyL0pIpJbA0Ih8kRIMKPosUQsf8LTCtOnvFxcm9r1j+hJStYpb34uJRcg6IsCbwQUxDdFQV6xnEyrHWfo1bdIXIPFr0vcwCDuz2LDedHP5YLiqmq4TiPKJ8TwM9qNRw++q3Mg/t2MDjDW6RBY6OBb6DCGpA0NMtylXKwhRqiNSYTgq+n0QMn2myJDGIMbkgEeF3Vy8//5+T/3spAPNzsQRaGI2xDpXxu8wXYi8Zm5l4JfJhCq1o3rMs+3gqg6xTKE43l6cVsEQo1BwsSkTGwhTDwCYaLzCGMqlC6pbkUngOMsvLgXEUY3pJNn4yB9Q8vsTrje/C0tUFXlqbqPqvTSxVOc4tQK9lkMQuDua6Q77p3aVpwp7v3RTXUdN3F9ZVsTY0+BZU9lGcVFbaYqs9s2ul3CA8n5UjsmoK6d+Kc6oZccfqA6ZkU2NMXtMF23Xx85jD1jZHUohugCsxNDyYZkPq+w0qaGy347+yHIZm6OiSDscUaMbAhKYBQgaEUQBw7dfeEvUw4FN5Qlf4gpnCDeN/mwbSdt3nbdtwdMc74RmLaFR1HZ0E7RSA0NFFuhL3b5ij0gx9lr1euiN9HRq8ua3nAFoe4R+zeFq5z9jcF1m7MvnecGpz5oXw8oFS8KSL90X7rdTqC7F5CD4UC+FkqB7gG4YKhQjXQrVh/qCEqHIND0HQwECvMhT1HxC5rh4oFUOTeASl41I4yRFSehbHBX5AtRwYhm3FRLtBaDrbYLEcp3ZojD2NkOUtCUMNQu4CR8znIbQl2LAQcYQs4LTfh4J5DS1+zxwdcjBXoKAU8RAmNIgNCUANF5qozr3jiKFUJ711VkuojYa7bXiwhjqFcoMg40EZ3Zt1iLHtWJDwt0tQpd9/T6jR5SMx9YplnFULkW9HDG7zZsSWj+Vy1OHkiRp7t+LuCcCrF3NzDobLzXg4iwiMLy8M8NkRXTqj675DO6nrveNt3aen2h1RqV1oFmZCvGEWHueqQZoRmmU17crHTFEZOXTZ2chHNllu177EubrlphvdAnRHNxlFJuVtxgTZsmebnkL8zSDKOKTbkyQOWxllwwYZYuLdVFXuKp5FOjVuqkKWqUUv3FqMKil7Z/bi1Rlb1iXBiKXXzENSMwuuGbaWx5iVa4Eh591UFJs//vNLkYTdabMmWbxgYwuaBmS5XDQGfkzrmw7Ak+WA4PSV/+XpKKy8b6U5SJTh8zn5z8BTDx4kZYyGLNVHgh0GS3xTKScnSUUuC0uRLeqRhKS8QPBZ6zkxbbGCaaEcKIbAcdkUV7S5X/qnOOHhHEd23yLrnetclXR5MxtIl/PW1iTVF51ybnOvz6sfl1tYktM+bvFnMJoBZzga4ZVr5UxCU8L+7a5nscDbeYwROB+o9olRfi637CxRMWxLKxg3oa7tY/k2441dkHUP/oBlZGOSvoRlOkx/xWAqohiDWABIOjJUYKFPR7RUsGBB5CWx7km4JWPzT0Da5dCQ2BHqKFgTcUDUaSyAXRcF5o9xaCpg3ziqNJXzvx8ePJyWgvf9FFjZITd35ykOj+gBgfr6zH4B6KKgyTJJ6o50sXPD21HJ8mb4stfD2tBgbBQLYwh3L7hZSHsMWlj+l7ZDX1PfGITh959EJS0BM1+5MKAJPAsIYuqm1h4kS+CgAAEicJh0pZqI0WxkkvOF3oqD38mo3uaQCsUNvz0RmuD9SSOWwJXpeyu8GJSyLSA/0FLzjrtz5wrwAaqufgZClEvnFKVnUmv1vH1bj03vvo7ppkBs35vjGNhgpFWpVsSf/WPFYdG6s8y8Qk1sQ/TXhdzKR7TSp54JsOWRhaZNAYmeTATCUfVyNcOfXvSmIbJpFKNF8WnC2wIXhpqPH0PzDN4g6bpnV4sySs5eoDEwuDMMspTlmxc/jzv/H/+DMnuQgNqs2amx9rkZTr9Lkp0nv+pxzV09X3G6aL5i7DbReDZLa/bRnocBWgu46Jf9+Qlo+3zKu6sn7G/H/OXWK+x5I81zHSQggv3yXzfYtD0JFiJQQpDR/Ld/5GWHvsUE+rbeH+W1HB36rD53Y+4L6z2jItNuL27kHymwLfSivRhGi79q4UjqTt6ykrgWdaCyBJTAkXg+PCrPeFCv/1SmFwXuKYOVTSa+iTQ6WiwKpuhuT9Bi94HKEHNIPdcnXmoqrMuCGip5L3V2XGbayeruzZmU+Rf2TRR9dm9IAe0Hiik/l0IWcIjpBxeIyxojMZ61Wu+jtj9WCsIHb8OPQjzw8j7pbrNzagVj00gAT1q0N905bP5zo9nh/Cl7jO+OMI8Q247nhO4tEj/bRhB2E00cXsO+FACyPo8Pv7Seck/eW8jjvFGtQNPmnoPePW+utv7x09ZtbEioyQlLUx+NKtuBlKHxc14/6+Yc3Bfl2eIfr4O++Vs5q7HRdYPL753G88vtZYsl7TzuAMgsPtOcM2soiEE4ea5kFT39tzzhj2ki1NaUwnepCs7itpb+hEayeNfhQ40dDAJ9TPLW2jjedKwzd54+0rpHk4WO8ZBNeHGkxt/nr4G05N88Ofwgp+/D8=&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="217" y="250" width="160" height="160" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 330px; margin-left: 218px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1<br />*.tenant-1.svc.cluster.local</div></div></div></foreignObject><text x="297" y="334" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1...</text></switch></g><rect x="27" y="250" width="160" height="160" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 330px; margin-left: 28px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2<br /> *.tenant-2.svc.cluster.local</div></div></div></foreignObject><text x="107" y="334" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2...</text></switch></g><rect x="217" y="100" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 218px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-serving</div></div></div></foreignObject><text x="297" y="159" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-serving...</text></switch></g><rect x="27" y="100" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 28px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />istio-system</div></div></div></foreignObject><text x="107" y="159" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">istio-system...</text></switch></g><rect x="47" y="120" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 150px; margin-left: 48px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Istio Ingress <br />Gateway</div></div></div></foreignObject><text x="107" y="154" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Istio Ingress...</text></switch></g><rect x="242" y="120" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 150px; margin-left: 243px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator<br />+ IstioProxy</div></div></div></foreignObject><text x="302" y="154" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator...</text></switch></g><ellipse cx="107" cy="300" rx="40" ry="40" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 300px; margin-left: 68px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC</b> IstioProxy + QueueProxy</div></div></div></foreignObject><text x="107" y="304" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC IstioPro...</text></switch></g><ellipse cx="297" cy="300" rx="40" ry="40" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 300px; margin-left: 258px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC<br /></b>IstioProxy + QueueProxy</div></div></div></foreignObject><text x="297" y="304" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC...</text></switch></g><path d="M 147 299.58 L 239.63 299.97" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 244.88 300 L 237.87 303.47 L 239.63 299.97 L 237.9 296.47 Z" fill="#b85450" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 133.03 269.63 L 237.38 147.7" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 240.79 143.71 L 238.9 151.3 L 237.38 147.7 L 233.58 146.75 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 167 135 L 235.63 135" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 240.88 135 L 233.88 138.5 L 235.63 135 L 233.88 131.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 243 294.5 L 247.08 294.5 L 250 297.76 L 252.92 294.5 L 257 294.5 L 252.04 300 L 257 305.5 L 252.92 305.5 L 250 302.24 L 247.08 305.5 L 243 305.5 L 247.67 300 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 362 150 L 387 150 L 387 210 L 329.79 267.21" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 326.07 270.93 L 328.55 263.5 L 329.79 267.21 L 333.5 268.45 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 315.28 11.14 L 315.28 78 L 147 78 L 147 0 L 291.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 291.24 0 C 293.2 2.61 289.98 5.29 282.66 7.16 L 315.28 11.38" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 39px; margin-left: 149px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-1"]<br />to:<br />  hosts: ["*.tenant-1.svc.cluster.local"]<br /></span></font></div></div></div></foreignObject><text x="149" y="42" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 495.28 11.14 L 495.28 78 L 327 78 L 327 0 L 471.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 471.24 0 C 473.2 2.61 469.98 5.29 462.66 7.16 L 495.28 11.38" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 39px; margin-left: 329px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-2"]<br />to:<br />  hosts: ["*.tenant-2.svc.cluster.local"]<br /></span></font></div></div></div></foreignObject><text x="329" y="42" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 363 144 L 367.08 144 L 370 147.26 L 372.92 144 L 377 144 L 372.04 149.5 L 377 155 L 372.92 155 L 370 151.74 L 367.08 155 L 363 155 L 367.67 149.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 269 120 L 232 78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 343 119 L 378.36 78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 415.32 108.35 L 376.68 123.1" fill="none" stroke="#666666" stroke-miterlimit="10" stroke-dasharray="1 1" pointer-events="stroke"/><path d="M 167 165 L 260.45 256.54" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 264.2 260.22 L 256.75 257.82 L 260.45 256.54 L 261.65 252.82 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 261 260 L 265.08 260 L 268 263.26 L 270.92 260 L 275 260 L 270.04 265.5 L 275 271 L 270.92 271 L 268 267.74 L 265.08 271 L 261 271 L 265.67 265.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-35,268,265.5)" pointer-events="all"/><rect x="27" y="424" width="440" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 438px; height: 1px; padding-top: 429px; margin-left: 29px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Legend: <br /></b>all calls coming from tenant-2 pod</div></div></div></foreignObject><text x="29" y="432" fill="#000000" font-family="Helvetica" font-size="10px">Legend:...</text></switch></g><path d="M 30 453 L 63.63 453" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 68.88 453 L 61.88 456.5 L 63.63 453 L 61.88 449.5 Z" fill="#b85450" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><rect x="77" y="440" width="599" height="85" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 597px; height: 1px; padding-top: 483px; margin-left: 79px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-2 can not call tenant-1 directly. Rejected in tenant-1 istio-proxy.<br /><br />tenant-2 can not call tenant-1 via ingress-gateway. Rejected in tenant-1 istio-proxy.<br /><br />tenant-2 can not call tenant-1 via activator. Rejected in activator istio-proxy, as this is the last known place of the "real" source.<br />Note: as ingress-gateway can always call activator, this includes calls from tenant-2 via ingress-gateway to activator.</div></div></div></foreignObject><text x="79" y="486" fill="#000000" font-family="Helvetica" font-size="10px">tenant-2 can not call tenant-1 directly. Rejected in tenant-1 istio-proxy....</text></switch></g><path d="M 67 300 L 7 300 L 7 135 L 40.63 135" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 45.88 135 L 38.88 138.5 L 40.63 135 L 38.88 131.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 67 300 L 17 290 L 17 165 L 40.63 165" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 45.88 165 L 38.88 168.5 L 40.63 165 L 38.88 161.5 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 417 90 L 486 90 L 497 101 L 497 170.5 L 417 170.5 L 417 90 Z" fill="#fff2cc" stroke="#d6b656" stroke-miterlimit="10" pointer-events="all"/><path d="M 486 90 L 486 101 L 497 101 Z" fill-opacity="0.05" fill="#000000" stroke="none" pointer-events="all"/><path d="M 486 90 L 486 101 L 497 101" fill="none" stroke="#d6b656" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 130px; margin-left: 418px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><span style="color: rgb(51, 51, 51); font-size: 10px;">Activator is the last place we know the "real" source</span></div></div></div></foreignObject><text x="457" y="134" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator is...</text></switch></g><path d="M 29 476.26 L 62.63 476.26" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 67.88 476.26 L 60.88 479.76 L 62.63 476.26 L 60.88 472.76 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 29 507 L 62.63 507" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 67.88 507 L 60.88 510.5 L 62.63 507 L 60.88 503.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file

From e043ee135671fe0f2ee1ffd4f5b44cd2c4ef0b1e Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato <pierdipi@redhat.com>
Date: Wed, 23 Aug 2023 09:36:06 +0200
Subject: [PATCH 11/20] Format document

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
---
 ...common-service-mesh-network-isolation.adoc | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 5ca86299..532ff283 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -7,9 +7,9 @@
 
 {smproductshortname} can be used to isolate network-traffic between "tenants" using {smproductshortname} `AuthorizationPolicy` resources. {serverlessproductname} can also leverage this, using several {smproductshortname} resources.
 
-
 .High-level architecture
-The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving`, `knative-eventing` and the tenants namespaces, while all components are part of the {smproductshortname}. The respective `istio-proxy` sidecars take care of enforcing those rules to isolate traffic between tenants.
+The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving`, `knative-eventing` and the tenants namespaces, while all components are part of the {smproductshortname}.
+The respective `istio-proxy` sidecars take care of enforcing those rules to isolate traffic between tenants.
 
 *Knative Serving*
 
@@ -19,9 +19,7 @@ image::service-mesh/multi-tenancy-service-mesh.drawio.svg[]
 
 TODO pierdipi, please add your diagram here!
 
-
 .Prerequisites
-
 * You have access to an {product-title} account with cluster administrator access.
 
 * You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
@@ -30,7 +28,6 @@ TODO pierdipi, please add your diagram here!
 
 
 .Securing the {smproductshortname}
-
 . As in the set-up documentation, make sure that all your tenants are part of the same `ServiceMeshMemberRoll` object as members:
 +
 [source,yaml]
@@ -48,7 +45,8 @@ spec:
    - tenant-2
 ----
 +
-All the namespaces that are part of the Mesh must enforce mTLS in strict mode. This forces Istio to only accept connections with a client-certificate present and allows the `istio-proxy` to validate the origin using `AuthorizationPolicy`.
+All the namespaces that are part of the Mesh must enforce mTLS in strict mode.
+This forces Istio to only accept connections with a client-certificate present and allows the `istio-proxy` to validate the origin using `AuthorizationPolicy`.
 +
 . For {serverlessproductname} internal components to work, the several `AuthorizationPolicies` are necessary in the `knative-serving` and the `knative-eventing` namespace:
 +
@@ -233,11 +231,10 @@ spec:
             namespaces: [ "knative-serving" ]
 ---
 ----
+
 These policies:
 - Deny all traffic that is not explicitly allowed in `knative-serving` and `knative-eventing`
-- Allow traffic from `istio-system` and `knative-serving` to activator
-- Allow traffic from `knative-serving` to autoscaler
-- Allow health probes for kafka components in `knative-eventing`
+- Allow traffic from `istio-system` and `knative-serving` to activator - Allow traffic from `knative-serving` to autoscaler - Allow health probes for kafka components in `knative-eventing`
 - Allow internal traffic for channel based brokers in `knative-eventing`
 +
 Make sure to apply all those rules to your cluster with
@@ -247,7 +244,8 @@ Make sure to apply all those rules to your cluster with
 $ oc apply -f <filename>
 ----
 
-. With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which namespaces (tenants) can communicate with each other. Each namespace needs:
+. With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which namespaces (tenants) can communicate with each other.
+Each namespace needs:
 - One AuthorizationPolicy limiting directly incoming traffic in the tenants namespace
 - One AuthorizationPolicy limiting incoming traffic via activator in the `knative-serving` namespace
 - One AuthorizationPolicy allowing Kubernetes to call PreStopHooks on Knative Services
@@ -270,12 +268,11 @@ $ oc apply -f <filename>
 +
 [NOTE]
 ====
-The helm chart has several options that can be passed to configure the generated resources. Please refer to the link:https://github.com/openshift-knative/knative-istio-authz-chart/blob/main/values.yaml[values.yaml] for a full reference.
+The helm chart has several options that can be passed to configure the generated resources.
+Please refer to the link:https://github.com/openshift-knative/knative-istio-authz-chart/blob/main/values.yaml[values.yaml] for a full reference.
 ====
 
-
 .Verifying the configuration
-
 This verification is assuming that we have two tenants with one namespace each, all part of the `ServiceMeshMemberRoll`, configured with resources listed above.
 We can then use curl to verify the connectivity:
 

From b5101c87da440758705684c78edc648cc041fa4a Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato <pierdipi@redhat.com>
Date: Wed, 23 Aug 2023 09:44:34 +0200
Subject: [PATCH 12/20] Add Eventing diagram for Istio authorization policies

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
---
 .../multi-tenancy-service-mesh-Eventing.drawio.svg          | 4 ++++
 ...io.svg => multi-tenancy-service-mesh-Serving.drawio.svg} | 0
 .../service-mesh/common-service-mesh-network-isolation.adoc | 6 +++---
 3 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
 rename modules/serverless-common/assets/images/service-mesh/{multi-tenancy-service-mesh.drawio.svg => multi-tenancy-service-mesh-Serving.drawio.svg} (100%)

diff --git a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
new file mode 100644
index 00000000..430ed33e
--- /dev/null
+++ b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than draw.io -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="851px" height="592px" viewBox="-0.5 -0.5 851 592" content="&lt;mxfile host=&quot;app.diagrams.net&quot; modified=&quot;2023-07-12T13:21:07.243Z&quot; agent=&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36&quot; etag=&quot;MzNSYjKCrewUaZhcTdKm&quot; version=&quot;21.5.0&quot; type=&quot;device&quot; pages=&quot;2&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Serving&quot;&gt;7VxZk6M2EP41fkiqTHGIw4+zM3tVNlWTTFWy+yiDbMhg5IB87a+PBAiDJNtgY+ypzKQqCy0hQffXh1otj6zHxfZzCpfh7zhA8cjUg+3IehqZpmUCnf7DKLuCYlqGV1DmaRQUNGNPeIl+opJYPjhfRQHKGh0JxjGJlk2ij5ME+aRBg2mKN81uMxw3Z13COZIILz6MZerfUUDCgurZ+p7+BUXzkM9s6GXLAvLOJSELYYA3NZL1cWQ9phiT4mqxfUQx4x7nS/HcpwOt1YulKCGtHijfYw3jVflxI9OJ6bMfpim9mrOrISkEJTAhY0Nu+VXjbVq29jU/XmUEpVqMqVxKZpIdl1CKV0mA2Efq9NFNGBH0soQ+a91QUFJaSBYxvTPo5SyK40cc45TeJzihnT4EMAvzx1l7RlL8iniPkWl55tRynPz9RXaXElijlKBtjVSy/zPCC0TSHe1Sto5tjoVSG8YO14/NHluGU9LCOq44EZZ4nlej70VOL0qpH0CAcZ8IUL8FXDDZJdNsWUeEeXNEOL6HprOeEOEaN0XE5NaAaAh5xNRDIr0mkERrNM5Quo6S+cDSDpypYzP9j+EUxc84i0iEE9rmU6kj2ukDk3ZEYfhN6EAwmxvG0VzZ/aFsmGJC8OJaBsadtIWT0QOcvJvCKcoo58fZjlqGxcAomTiuBd8MSiSjMyxKLAklX5nkKOlrMk9RlhV2QJDuZ0jQBu76EywVGzICG7lHBdoHv52JyG9XwW9Twe8+bDyQ2P3gU4MKCU5VWsVMbi6P5xRv+2X3bDYzff+ole2D3WBi35DdzmEbyJn828tfj5xIh5vumd/gvF4I448VWiG1MOjMdB2ETgsCZsticTSLtkx4omQCiLyZUjK9RjuOK0Y7liwZTyEYrwfBuN0EI3uauqhuJScbeQG4+joFeDeUk2EqBCUyNAke2OKeucwYZlnkN/nYtFKUE+nue/3mB7vRTJvfP23rrU+78q4794sWnikwj8mDwHSOSMMloqCRjJAFVGO/rWA/p6UozmPmxnwqmZQzPOOIvlwtQHBEh2XbzUEyvEp9VD5XTzpIQ4kqXxH4UAUfpKFymFSf3g45cmRxIXL6AADaRuR7OTq7rmOP3u6hx252owshexBuhcQacKsjENwXAm0JNrYAm9YItPVTYO4RgXKwdQ8I5GAyGmA6F0l12Lj3BRtLdFyuuGBpDRvgiVEkuB5s7LuEjdJwuW0Nl6YDIBgv7wTk8rtnlEaUd2wZfJFFuzNo2pJPFfF0n9CU1zPmLz2D8/Tio0NYdVLeJRd1DZie0+CjIQe5V0WEmBagBPpS54JiYkijtQLFfijeEc9mGboYOHIy0LgUOIeiIrdrIH8O4pTm8KgtbGW5HNlytY3FuOipZTU8c1jsio6WEih29epPGLJ9tCbmJk8MPCyoedKoT1BfDZvaeUuM/8sK4236Y0U6V8Lfob2GahNB3F0oNiFqCM1CuGSDLbZzVtehTSEFsbZVpHQ9H6lTulPPBraeo53A8gWOwqdThheIvs7WbMkA8tVYcwfjMFLaZqhMOVwH92QFqtC7tASGxsxmy6gdmGbTHpTPHgvb6VBi1H5+KA9k09E2lK9CO91zvQZCjGG9o2RbrP6WoeJQA3tAeT1whgc81/f0qiUdfKW/StfV7m8rFCvCurZJ3grF1kR3m8Lnww62QjE017Bd03Nt07Y8YYXh6B5d0wPTNUzgAkec4PyYz5m4WjsPSlHG9oSrbkvWITvySa60teE0yuboRTHmNZXIarFJ+LAiIU6jn7nvfMZx5O/abU3NUubjH84st5Hu80FmOGfCXsOdf1eYN4yzvGqTzqgb+nJbPFa2iy+aLWGiHGiKt2wcVuCTjzTFaYDSMSUXb7qg8o+Soo1PQnUwCKonKmrxqEDMX3QN04gVkSWrBfVMftElSkJ6QxTdEMzImEY+MDnUk1oXRPxQ0RxHCRpznZRaeQA2Lgs/8i+GGWJPCfzTcwPa4BWhFo1x8RXl0CfpijJTYnkCFyhjO41ZDSUF/99lcjWZLFeJT1ZFwCtrQa6WTQ2zayPXKmL5k/aTomwSt9XvEGfUGuaf0pjoeIHt0clPgImSC2PByUJkcGIDXL3wCLBP0ZFwg1NWiRuKiKBaj/CKqhjNyNHlSR/rESmT56kKqlyFp+Zh6kX1VC0qG969ybvlevcmb04mfXgTczhvoizOf/cmXbNb4nJoWG+iOhPwVhKMY/Po3mCnFKMl5F14XdoACUYgbzMcS7GUJeoHc4vNHIhR4v4TXEQx+7ovKF4jJi6VQtD7Gs+LLZhRI2FY5Wx+1JM7vezwN7InTsv0yUC5EeB4AkDEwrb2OT7x1Ianm62yH2ekHoDqDNhdQasdGu6susMSdyRc99xsmFS+fk00HD0coEfsKAYJEYt2aKTExBIzX0vZyv73mlCM8A57R5+ihtuv8qIizLodJTgTVsWfwq/Y7D+VX3Hyv57ciAXEnQBP4cuBApnA6cGPdKsru4UfOSMZf6CcsZ+Na6DYfrq3nWsRU45Y6dPB1kib4FerzgZyQZB1T7umXWonWkGp836P7fCgc6gYxp1orimCaaJxZ9YdT9Jo/IjxbXYrwZtezFi2EmqVInVYzTjNSse94g+wmrG7rWYGqm4+qML3YualU7rg7CIC6dydNFR/Zt4+8iMTPI/zDc2pwNsloCWoUMwTQf8aYi+jGMUZbiGLI+r1IgoCNokyFBUAeLVFziXHuIEjK7UqtOzjELd99bNWw1aF30ypDV0TjewFeq0YrUfVlleL1Y5lnhWGefcsxJs8eQ1JyBaQVBpFG95QYb+r86HD0c5ENNKKkkZ3ciV9lpeK1f6BYp9BMt2sCEzf7zjofr4L5BeIiIrfdRjP+W846JCZfx3Wcg1BlCKfxDtNHttUjp1gsp9hv3NeH0j/E/1Drxnq6Ds0uxW/FrJk57UVU1qdplxHUP7Ki+YHZ8xfcVM1M2ykdaqpR+ZjARyWxsnTPXLOh6V5cn0ucz94Nmqd9NHe9b29vhtAUcRsTxQabwOxPq6FztPb/a/NFeZ//6N91sf/AA==&lt;/diagram&gt;&lt;diagram id=&quot;3ncZUew1-WGYs9gJAp3X&quot; name=&quot;Eventing&quot;&gt;7Vxrk6K4Gv411tnZKikIF/FjT/fM2TpnzlbXTtVePkaIktNIXIit7q/fJBAuSVS00XZmdaqmIYSQ5H3e+wsj93G5/XcOV8n/SIzSEbDj7ch9GgEAAnvC/vCWXdniuGBatixyHFdtTcNX/BeqGu2qdY1jVHQ6UkJSilfdxohkGYpopw3mOdl0u81J2n3qCi6Q1vA1gqne+huOaVK2hr7dtP+E8CKRT3bs6soSys5VQ5HAmGxaTe6nkfuYE0LLo+X2EaV89+S+lPd93nO1nliOMtrnhj+eP8GnAiH0n19//5Klz+HLb7NxNcorTNfVgkcgSNl4H2c5O1rwo2u2UJTBjPJpqVd+tOQ1q3iNrChdFxTlVkoYraoNpjtJtZyssxjxhdvs1k2CKfq6ghG/umFAZW0JXabszGGHc5ymjyQlOTvPSMY6fYxhkYjb+fWC5uQFyR4j4IZg5gaBmL/YPJRTtN1LFaemNeMSRJaI5jvWpbrBk0iqGMQNq/NNgzYnqNqSNtJkI6wQvqjHbkDADiocnIAJcJuYMM8CLjk1s1mxamMEvDtGgihEs/kwGAG3hxH3vTHSofuIiz6t6SWDFL+iMXpl+4yzxZUREAezwOdSIoUzlD6TAlNMMnYtYtNBrNNHDgrMoPlF6UAJfzZM8cLY/aG6MCOUkuVlIAZcHWKub4KYcymIeRrEfkERYgTNhyMkIxNyYh9NTAScBhMXDiTmwUTZX9/AwsCwvxfjYF/b3q+IbeKwmzufz0EUHeSOIXRo4N/Y5gYG8ahsK9vsB26fcg5PYVHgqLuT3W1nO5Hvfucn1sSX539UXcXJ07bd9WlXnSkEYVgPY++gUVNekcYuqEmEYs1SVgjE1kfWeYSO25sU5gtEjzG/TvAWQU3CSLblKBWiv+sNGIhcPeGZYLaQhllthVklvuQQ5TKru9omtzKQM93D9XKgch+0gQTm6mWfD8PJ0DAcAk1oi2kbyey0BjI7bnDMT3YjHf+u02aAsW3ZDjjCBeLsGeWY7SjXpaJxQFj7PWG9R45dB9Z+qJiRquruC2tfMRY8+7qwDjVYOx9OBnaDqDaabMs/UaBCFM6NGq72AHQWiNb5a204DghD8DbpWpHXttypjNtUFB6DQNOolxTAitz03DORqnnXAFiKLN+DVYYduGt1W/EOxf4pOypzBZ1oDDsoR1TulsOT+bxAF2GWqUEHVP6UdKce1jQhOf4Lcv/jmaQ42u33wtgk6hvnOfc/Hs500LRzMciciI1pODn4c03khXEhAoTsibZjr7blbdV1daLFCmbGgWZky8fhHqEYaUZyZveOWXM50yVDBM7Ka/IhjB3juL6jbi1vVRrFRF9hjnkkIlsvmdqJyi44S9gJNXRDsKBjWLDjfT2ZFEE0SgyXU5yhseRC7ar0GseVPylWDAvE71L2zxaCsrNXlEkuvosvSDADzddsM7Utz+ASFdwnKFooKff/TpOL0WS1ziK6Fkxr4ALBll0O81sjtwKt8k7/yRB7I335OyEFk49iKZ0HHY7bHny44SkrSBPTUxjemhV9/vH4wIdQyppLKSSbFdPiiA9cJHDFryy3C54UsRhlcWTFJGKwy6QkqzIdjsGkmIcREk6zjAClaE5NFsYs9LmCG8SHdtyu/jKFGCfG+E+4X7u/yYeW1uldc92l5F1zfVc0GUJzgetpLmM2aXjNBe6a6xzN5br+rWkuU1Z9f3iiyibtDbp14wdORYbPcIlTvuSfUPqKOFOa6MPOW9tui9+oE047KZpsjKM1AT3QDujVMTxjQG/AqIfXM+oxfc/gmzcFHZRqoeDewTdPiSmrML5w8M0BNw9uc4D55vDo2KN3BKQfBF0cedMzY2xq9u3agNRrEZpEsY0LTooEccuGWUWcpClXf2yb+X8vGUOp7NDo3hx1VLwkutWnOEGmUe2CHRSdYf+bjX+WBmdn+ATB8p4NZqSX88lR+dh/8VGy5ka+s3K9Kuudlq09k9XKn0H/+/yfSeEH4jeMwlcFoKFUwfGMCv9S6V5Hr1W4UZnotAWi5R8UifsyJOBYimRAWSqZ+7YTxh5Qgv9n5yvUMpFQGejSslSvCjkE5CtljPvi6b3I7yhZJn96JvnVegFtoEuT31S3ooTcvqAFQ0C/KJuGHSb0qeJydnBQSUZDrZ3iUaq1cEscx/whRo2nIPKtsnQAFaYhJtB1mFGFXUyDXbxU5Jw8+bfG+IE9tcIzzWiV901jXZr99cKKOqkiAldQjFEkZCOieCKixV+zQOU1smHUv7P8HpafOl2WD32N5Z3J9Jo8r5cG1JFIQwxWk/i86MZuYpd2JCLkUQmSti8lnbGWwxNj1kxTEZrn2kQ4S5zXea22cNlIywHiDThrnua0/aGOU2YM0IuAfFSS9UEsOP9hPG63fxiZ8jHAuMCM0GaZrQnJJbH52L+g/7Njzg3avHFBMRmvcrLdGdxJ90NtFbNFP/Jbc7xYoLw6qzZrPSuiHM9Ec+cJoL0zxdE5b0j+khIYFydN+s7hvTg8sH1L53F/auDxwFPLkoZ7m0dPo7qnV8sNr9v3RI17l4F6oC76LN1S2z4ret3XxhiwCvQIjthSwknYgZKjw+iC3qzihJ5fJyrjInKgnu7MNcvj5PYcMnz3vadTv4CjCq7yBZ6jibWtIYImM2j7U2Y5obCawECCy1MElxtMddPEM1gmB6D1NpkFDES5l37cywzupR/fOk3eVPqhv9F5sFhik6DsfE4X8NEnlKM/16igVpmyKdj8OlmdntUghiYh7EwVIj1LNe+lIZpiCwLFkpnohlQdd7lObQgwvTl9k6ki8WKVN2rni7zgsHXOTrTiEGmxd17aum4SSW7xbb+e5aq5H/Xt1N5JJEcZ6MoJeWDKht6tt7ulcLfevnWa3K23c603cLfeeltvO0WPvaO1dlo9xLdS2HPITlOKfa5ppvUtnATvaaYFQffVaM898+MQgWKmaS85X9pMG/wjJUOmBRzLBqCDadcFJ6N6SHT2BefkoEvKExdht/LWIOau6GZ4YGr5od38vDO9Dhk0PhHOVw3296hy+e6D/W6g0N8zZCmvG+7X6040h/GleI16lZix5+FVsS9r3CITLFblB0PneMtF2BniawByADVENdWlgenTfpf7+mOPD0Z8p7RwvRujhRSh/0TG8BTGqD8y9G7EOPCt3O+cMdR3zi5IC3bafBK51PvNl6XdT38D&lt;/diagram&gt;&lt;/mxfile&gt;" style="background-color: rgb(255, 255, 255);"><defs/><g><rect x="450" y="300" width="160" height="160" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 380px; margin-left: 451px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1<br />*.tenant-1.svc.cluster.local</div></div></div></foreignObject><text x="530" y="384" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1...</text></switch></g><rect x="250" y="300" width="160" height="160" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 380px; margin-left: 251px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2<br /> *.tenant-2.svc.cluster.local</div></div></div></foreignObject><text x="330" y="384" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2...</text></switch></g><rect x="250" y="150" width="350" height="110" fill="none" stroke="#d6b656" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe center; width: 348px; height: 1px; padding-top: 147px; margin-left: 251px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-eventing</div></div></div></foreignObject><text x="425" y="147" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-eventing...</text></switch></g><rect x="270" y="170" width="120" height="60" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 200px; margin-left: 271px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Receiver</div></div></div></foreignObject><text x="330" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Receiver</text></switch></g><rect x="465" y="170" width="120" height="60" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 200px; margin-left: 466px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Sender</div></div></div></foreignObject><text x="525" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Sender</text></switch></g><path d="M 450 309.41 L 366.18 235.45" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 361.68 231.48 L 370.32 233.77 L 366.18 235.45 L 365.03 239.77 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 555 230 L 565.53 289.97" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 566.57 295.88 L 561.25 288.69 L 565.53 289.97 L 569.13 287.31 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 250 326.67 Q 180 280 263.84 205.47" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 268.33 201.49 L 265.01 209.79 L 263.84 205.47 L 259.69 203.81 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 261px; margin-left: 240px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="240" y="264" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 298.28 16.86 L 298.28 118 L 130 118 L 130 0 L 274.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 274.24 0 C 276.2 3.94 272.98 8.01 265.66 10.84 L 298.28 17.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 59px; margin-left: 132px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-1"]<br />to:<br />  hosts: ["*.tenant-1.svc.cluster.local"]<br />  paths: ["/tenant-1/*"]<br /></span></font></div></div></div></foreignObject><text x="132" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 503.28 16.86 L 503.28 118 L 335 118 L 335 0 L 479.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 479.24 0 C 481.2 3.94 477.98 8.01 470.66 10.84 L 503.28 17.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 59px; margin-left: 337px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-2"]<br />to:<br />  hosts: ["*.tenant-2.svc.cluster.local"]<br />  paths: ["/tenant-2/*"]<br /></span></font></div></div></div></foreignObject><text x="337" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 300 170 L 215 118" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 360 170 L 388.11 118" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><rect x="40" y="150" width="140" height="110" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 138px; height: 1px; padding-top: 205px; margin-left: 41px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Receiver is the last place we know the "real" source.<br /><br />Sender sends "Kn-Namespace" header with the resource's namespace as value</div></div></div></foreignObject><text x="110" y="208" fill="#333333" font-family="Helvetica" font-size="10px" text-anchor="middle">Receiver is the last place w...</text></switch></g><path d="M 180 205 L 270 185" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 150 510 L 181.76 510" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 187.76 510 L 179.76 514 L 181.76 510 L 179.76 506 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><rect x="150" y="480" width="40" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 38px; height: 1px; padding-top: 485px; margin-left: 152px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Legend<br /></b></div></div></div></foreignObject><text x="152" y="488" fill="#000000" font-family="Helvetica" font-size="10px">Legend&#xa;</text></switch></g><path d="M 150 529.89 L 181.76 529.89" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 187.76 529.89 L 179.76 533.89 L 181.76 529.89 L 179.76 525.89 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><rect x="191" y="505" width="179" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 177px; height: 1px; padding-top: 510px; margin-left: 193px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-1: all shown paths are allowed</div></div></div></foreignObject><text x="193" y="513" fill="#000000" font-family="Helvetica" font-size="10px">tenant-1: all shown paths are allow...</text></switch></g><rect x="191" y="525.5" width="599" height="64.5" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 597px; height: 1px; padding-top: 558px; margin-left: 193px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-2: <br />1) tenant-2 can call "receiver" directly and send events to resources in tenant-1 namespace.<br style="border-color: var(--border-color);" />2) tenant-2 can not call tenant-1 directly. Rejected in tenant-1 istio-proxy.<br />3) sources, triggers, and subscribers in tenant-2 namespaces can not call tenant-1 workloads. Rejected in tenant-1 istio-proxy.</div></div></div></foreignObject><text x="193" y="561" fill="#000000" font-family="Helvetica" font-size="10px">tenant-2:...</text></switch></g><path d="M 495 230 L 496.64 280.78" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 496.84 286.78 L 492.58 278.91 L 496.64 280.78 L 500.58 278.65 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 263px; margin-left: 497px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">3)</div></div></div></foreignObject><text x="497" y="266" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">3)</text></switch></g><path d="M 491 289 L 495.08 289 L 498 292.26 L 500.92 289 L 505 289 L 500.04 294.5 L 505 300 L 500.92 300 L 498 296.74 L 495.08 300 L 491 300 L 495.67 294.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 848.08 307.86 L 848.08 409 L 660 409 L 660 291 L 821.21 291 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 821.21 291 C 823.4 294.94 819.8 299.01 811.62 301.84 L 848.08 308.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 188px; height: 1px; padding-top: 350px; margin-left: 662px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["knative-eventing"]<br />when:<br />    key: request.headers[Kn-Namespace]<br />    values: ["tenant-1"]<br /></span></font></div></div></div></foreignObject><text x="662" y="353" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 657.34 345.28 L 610 340" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 188.08 346.86 L 188.08 448 L 0 448 L 0 330 L 161.21 330 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 161.21 330 C 163.4 333.94 159.8 338.01 151.62 340.84 L 188.08 347.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 188px; height: 1px; padding-top: 389px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["knative-eventing"]<br />when:<br />    key: request.headers[Kn-Namespace]<br />    values: ["tenant-2"]<br /></span></font></div></div></div></foreignObject><text x="2" y="392" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 190 389 L 250 380" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 413.52 353.12 L 427.81 351.61" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 433.78 350.98 L 426.24 355.8 L 427.81 351.61 L 425.4 347.84 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 436 344.5 L 440.08 344.5 L 443 347.76 L 445.92 344.5 L 450 344.5 L 445.04 350 L 450 355.5 L 445.92 355.5 L 443 352.24 L 440.08 355.5 L 436 355.5 L 440.67 350 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><ellipse cx="290" cy="340" rx="29.999999999999996" ry="29.999999999999996" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 340px; margin-left: 261px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>ksvc</b></div></div></div></foreignObject><text x="290" y="344" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">ksvc</text></switch></g><ellipse cx="370" cy="340" rx="29.999999999999996" ry="29.999999999999996" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 340px; margin-left: 341px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>svc</b></div></div></div></foreignObject><text x="370" y="344" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">svc</text></switch></g><ellipse cx="490" cy="350" rx="29.999999999999996" ry="29.999999999999996" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 350px; margin-left: 461px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>ksvc</b></div></div></div></foreignObject><text x="490" y="354" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">ksvc</text></switch></g><ellipse cx="570" cy="350" rx="29.999999999999996" ry="29.999999999999996" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 350px; margin-left: 541px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>svc</b></div></div></div></foreignObject><text x="570" y="354" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">svc</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.drawio.com/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
diff --git a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
similarity index 100%
rename from modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh.drawio.svg
rename to modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 532ff283..2a8f40e3 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -13,11 +13,11 @@ The respective `istio-proxy` sidecars take care of enforcing those rules to isol
 
 *Knative Serving*
 
-image::service-mesh/multi-tenancy-service-mesh.drawio.svg[]
+image::service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg[]
 
 *Knative Eventing*
 
-TODO pierdipi, please add your diagram here!
+image::service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg[]
 
 .Prerequisites
 * You have access to an {product-title} account with cluster administrator access.
@@ -237,7 +237,7 @@ These policies:
 - Allow traffic from `istio-system` and `knative-serving` to activator - Allow traffic from `knative-serving` to autoscaler - Allow health probes for kafka components in `knative-eventing`
 - Allow internal traffic for channel based brokers in `knative-eventing`
 +
-Make sure to apply all those rules to your cluster with
+Make sure to apply all those rules to your cluster with:
 +
 [source,terminal]
 ----

From 176969c9cd0a075e13ed5daab313aa6e2ea87bb4 Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato <pierdipi@redhat.com>
Date: Wed, 23 Aug 2023 10:41:13 +0200
Subject: [PATCH 13/20] Fix format

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
---
 ...common-service-mesh-network-isolation.adoc | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 2a8f40e3..1fd9975a 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -7,9 +7,9 @@
 
 {smproductshortname} can be used to isolate network-traffic between "tenants" using {smproductshortname} `AuthorizationPolicy` resources. {serverlessproductname} can also leverage this, using several {smproductshortname} resources.
 
+
 .High-level architecture
-The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving`, `knative-eventing` and the tenants namespaces, while all components are part of the {smproductshortname}.
-The respective `istio-proxy` sidecars take care of enforcing those rules to isolate traffic between tenants.
+The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving`, `knative-eventing` and the tenants namespaces, while all components are part of the {smproductshortname}. The respective `istio-proxy` sidecars take care of enforcing those rules to isolate traffic between tenants.
 
 *Knative Serving*
 
@@ -20,6 +20,7 @@ image::service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg[]
 image::service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg[]
 
 .Prerequisites
+
 * You have access to an {product-title} account with cluster administrator access.
 
 * You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
@@ -28,6 +29,7 @@ image::service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg[]
 
 
 .Securing the {smproductshortname}
+
 . As in the set-up documentation, make sure that all your tenants are part of the same `ServiceMeshMemberRoll` object as members:
 +
 [source,yaml]
@@ -45,8 +47,7 @@ spec:
    - tenant-2
 ----
 +
-All the namespaces that are part of the Mesh must enforce mTLS in strict mode.
-This forces Istio to only accept connections with a client-certificate present and allows the `istio-proxy` to validate the origin using `AuthorizationPolicy`.
+All the namespaces that are part of the Mesh must enforce mTLS in strict mode. This forces Istio to only accept connections with a client-certificate present and allows the `istio-proxy` to validate the origin using `AuthorizationPolicy`.
 +
 . For {serverlessproductname} internal components to work, the several `AuthorizationPolicies` are necessary in the `knative-serving` and the `knative-eventing` namespace:
 +
@@ -231,10 +232,11 @@ spec:
             namespaces: [ "knative-serving" ]
 ---
 ----
-
 These policies:
 - Deny all traffic that is not explicitly allowed in `knative-serving` and `knative-eventing`
-- Allow traffic from `istio-system` and `knative-serving` to activator - Allow traffic from `knative-serving` to autoscaler - Allow health probes for kafka components in `knative-eventing`
+- Allow traffic from `istio-system` and `knative-serving` to activator
+- Allow traffic from `knative-serving` to autoscaler
+- Allow health probes for kafka components in `knative-eventing`
 - Allow internal traffic for channel based brokers in `knative-eventing`
 +
 Make sure to apply all those rules to your cluster with:
@@ -244,8 +246,7 @@ Make sure to apply all those rules to your cluster with:
 $ oc apply -f <filename>
 ----
 
-. With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which namespaces (tenants) can communicate with each other.
-Each namespace needs:
+. With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which namespaces (tenants) can communicate with each other. Each namespace needs:
 - One AuthorizationPolicy limiting directly incoming traffic in the tenants namespace
 - One AuthorizationPolicy limiting incoming traffic via activator in the `knative-serving` namespace
 - One AuthorizationPolicy allowing Kubernetes to call PreStopHooks on Knative Services
@@ -268,11 +269,12 @@ $ oc apply -f <filename>
 +
 [NOTE]
 ====
-The helm chart has several options that can be passed to configure the generated resources.
-Please refer to the link:https://github.com/openshift-knative/knative-istio-authz-chart/blob/main/values.yaml[values.yaml] for a full reference.
+The helm chart has several options that can be passed to configure the generated resources. Please refer to the link:https://github.com/openshift-knative/knative-istio-authz-chart/blob/main/values.yaml[values.yaml] for a full reference.
 ====
 
+
 .Verifying the configuration
+
 This verification is assuming that we have two tenants with one namespace each, all part of the `ServiceMeshMemberRoll`, configured with resources listed above.
 We can then use curl to verify the connectivity:
 

From 8e08f934deb616dc015b2eafc6bebd5a3d41c875 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Mon, 28 Aug 2023 08:36:28 +0200
Subject: [PATCH 14/20] add review improvements

---
 modules/ROOT/nav.adoc                         |  2 +-
 ...common-service-mesh-network-isolation.adoc | 97 +++++++++----------
 .../common-service-mesh-setup.adoc            | 26 +++--
 3 files changed, 60 insertions(+), 65 deletions(-)

diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
index e2f87b45..d83e2ca4 100644
--- a/modules/ROOT/nav.adoc
+++ b/modules/ROOT/nav.adoc
@@ -1,5 +1,5 @@
 * xref:index.adoc[Overview]
-* Serverless Common
+* Serverless
 ** Using OpenShift Serverless with OpenShift Service Mesh
 *** xref:serverless-common:service-mesh/common-service-mesh-setup.adoc[Setup Serverless with OpenShift Service Mesh]
 *** xref:serverless-common:service-mesh/common-service-mesh-network-isolation.adoc[Use Service Mesh to isolate network-traffic]
diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 1fd9975a..fb62bc21 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -3,13 +3,14 @@
 // Metadata:
 :description: Use {smproductname} to isolate network traffic with {serverlessproductname}
 
-// TODO
-
-{smproductshortname} can be used to isolate network-traffic between "tenants" using {smproductshortname} `AuthorizationPolicy` resources. {serverlessproductname} can also leverage this, using several {smproductshortname} resources.
+{smproductshortname} can be used to isolate network-traffic between tenants on a shared OpenShift cluster using {smproductshortname} `AuthorizationPolicy` resources.
+{serverlessproductname} can also leverage this, using several {smproductshortname} resources.
 
+.Tenants
+A tenant is a group of one or multiple OpenShift projects that can access each other over the network on a shared OpenShift cluster.
 
 .High-level architecture
-The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving`, `knative-eventing` and the tenants namespaces, while all components are part of the {smproductshortname}. The respective `istio-proxy` sidecars take care of enforcing those rules to isolate traffic between tenants.
+The high-level architecture consists of `AuthorizationPolicies` in the `knative-serving`, `knative-eventing` and the tenants namespaces, while all components are part of the {smproductshortname}. The injected {smproductshortname} sidecars take care of enforcing those rules to isolate network traffic between tenants.
 
 *Knative Serving*
 
@@ -23,14 +24,14 @@ image::service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg[]
 
 * You have access to an {product-title} account with cluster administrator access.
 
-* You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
+* You have set up {serverlessproductname} and {smproductname} as documented in xref:./common-service-mesh-setup.adoc[].
 
-* You have set up {serverlessproductname} and {smproductname} as documented in xref:./common-service-mesh-setup.adoc[]
+* You have created one or multiple OpenShift projects for each tenant.
 
 
 .Securing the {smproductshortname}
 
-. As in the set-up documentation, make sure that all your tenants are part of the same `ServiceMeshMemberRoll` object as members:
+. As in the set-up documentation, make sure that all your tenants OpenShift projects are part of the same `ServiceMeshMemberRoll` object as members:
 +
 [source,yaml]
 ----
@@ -41,19 +42,20 @@ metadata:
  namespace: istio-system
 spec:
  members:
-   - knative-serving
-   - knative-eventing
-   - tenant-1
-   - tenant-2
+   - knative-serving    # static value, needs to be here, see setup page
+   - knative-eventing   # static value, needs to be here, see setup page
+   - team-alpha-1       # example OpenShift project that belongs to the team-alpha tenant
+   - team-alpha-2       # example OpenShift project that belongs th the team-alpha tenant
+   - team-bravo-1       # example OpenShift project that belongs to the team-bravo tenant
+   - team-bravo-2       # example OpenShift project that belongs th the team-bravo tenant
 ----
 +
-All the namespaces that are part of the Mesh must enforce mTLS in strict mode. This forces Istio to only accept connections with a client-certificate present and allows the `istio-proxy` to validate the origin using `AuthorizationPolicy`.
+All the OpenShift projects that are part of the mesh must enforce mTLS in strict mode. This forces Istio to only accept connections with a client-certificate present and allows the {smproductshortname} sidecar to validate the origin using `AuthorizationPolicy`.
 +
 . For {serverlessproductname} internal components to work, the several `AuthorizationPolicies` are necessary in the `knative-serving` and the `knative-eventing` namespace:
 +
 [source,yaml]
 ----
----
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -230,13 +232,12 @@ spec:
     - from:
         - source:
             namespaces: [ "knative-serving" ]
----
 ----
-These policies:
+These policies restrict the access rules for the network communication between OpenShift Serverless' system components. In detail, they enforce the following rules:
 - Deny all traffic that is not explicitly allowed in `knative-serving` and `knative-eventing`
 - Allow traffic from `istio-system` and `knative-serving` to activator
 - Allow traffic from `knative-serving` to autoscaler
-- Allow health probes for kafka components in `knative-eventing`
+- Allow health probes for Apache Kafka components in `knative-eventing`
 - Allow internal traffic for channel based brokers in `knative-eventing`
 +
 Make sure to apply all those rules to your cluster with:
@@ -246,18 +247,18 @@ Make sure to apply all those rules to your cluster with:
 $ oc apply -f <filename>
 ----
 
-. With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which namespaces (tenants) can communicate with each other. Each namespace needs:
-- One AuthorizationPolicy limiting directly incoming traffic in the tenants namespace
-- One AuthorizationPolicy limiting incoming traffic via activator in the `knative-serving` namespace
-- One AuthorizationPolicy allowing Kubernetes to call PreStopHooks on Knative Services
+. With this set up in place, cluster administrators can use their own `AuthorizationPolicies` to define which OpenShift projects can communicate with each other. Every OpenShift project of a tenant needs:
+- One `AuthorizationPolicy` limiting directly incoming traffic to the tenants OpenShift project
+- One `AuthorizationPolicy` limiting incoming traffic via the activator component of {serverlessproductname} that runs in the `knative-serving` OpenShift project
+- One `AuthorizationPolicy` allowing Kubernetes to call `PreStopHooks` on Knative Services
 +
 As it is a cumbersome task to create all those policies by hand, you can use our link:https://github.com/openshift-knative/knative-istio-authz-chart[helm based generator] to create the necessary resources for each tenant:
 +
 [source,terminal]
 .Create resources per tenant with helm
 ----
-helm template oci://quay.io/openshift-knative/knative-istio-authz-onboarding --version 1.31.0 --set "name=tenant-1" --set "namespaces={ns1, ns2}"
-helm template oci://quay.io/openshift-knative/knative-istio-authz-onboarding --version 1.31.0 --set "name=tenant-2" --set "namespaces={ns3, ns4}"
+helm template oci://quay.io/openshift-knative/knative-istio-authz-onboarding --version 1.31.0 --set "name=team-alpha" --set "namespaces={team-alpha-1,team-alpha-2}" > team-alpha.yaml
+helm template oci://quay.io/openshift-knative/knative-istio-authz-onboarding --version 1.31.0 --set "name=team-bravo" --set "namespaces={team-bravo-1,team-bravo-2}" > team-bravo.yaml
 ----
 +
 And apply the generated resources to your cluster:
@@ -282,13 +283,13 @@ We can then use curl to verify the connectivity:
 +
 [source,terminal]
 ----
-# Tenant 1
-cat <<-EOF | oc apply -f -
+# Team Alpha
+cat <<EOF | oc apply -f -
 apiVersion: serving.knative.dev/v1
 kind: Service
 metadata:
   name: test-webapp
-  namespace: tenant-1
+  namespace: team-alpha-1
   annotations:
     serving.knative.openshift.io/enablePassthrough: "true"
 spec:
@@ -296,7 +297,6 @@ spec:
     metadata:
       annotations:
         sidecar.istio.io/inject: 'true'
-        autoscaling.knative.dev/target-burst-capacity: "-1"
     spec:
       containers:
         - image: docker.io/openshift/hello-openshift
@@ -305,12 +305,12 @@ spec:
               value: "Hello Serverless!"
 EOF
 
-cat <<-EOF | oc apply -f -
+cat <<EOF | oc apply -f -
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: curl
-  namespace: tenant-1
+  namespace: team-alpha-1
   labels:
     app: curl
 spec:
@@ -333,13 +333,13 @@ spec:
         - "3600"
 EOF
 
-# Tenant 2
-cat <<-EOF | oc apply -f -
+# Team Bravo
+cat <<EOF | oc apply -f -
 apiVersion: serving.knative.dev/v1
 kind: Service
 metadata:
   name: test-webapp
-  namespace: tenant-2
+  namespace: team-bravo-1
   annotations:
     serving.knative.openshift.io/enablePassthrough: "true"
 spec:
@@ -347,7 +347,6 @@ spec:
     metadata:
       annotations:
         sidecar.istio.io/inject: 'true'
-        autoscaling.knative.dev/target-burst-capacity: "-1"
     spec:
       containers:
         - image: docker.io/openshift/hello-openshift
@@ -361,8 +360,8 @@ EOF
 +
 [source,terminal]
 ----
-# Test tenant-1 -> tenant-1 via cluster local domain (allowed)
-oc exec deployment/curl -n tenant-1 -it -- curl -v http://test-webapp.tenant-1:80
+# Test team-alpha-1 -> team-alpha-1 via cluster local domain (allowed)
+oc exec deployment/curl -n team-alpha-1 -it -- curl -v http://test-webapp.team-alpha-1:80
 
 HTTP/1.1 200 OK
 content-length: 18
@@ -374,9 +373,9 @@ x-envoy-upstream-service-time: 9
 Hello Serverless!
 
 
-# Test tenant-1 -> tenant-1 via external domain (allowed)
-EXTERNAL_URL=$(oc get ksvc -n tenant-1 test-webapp -o custom-columns=:.status.url --no-headers)
-oc exec deployment/curl -n tenant-1 -it -- curl -ik $EXTERNAL_URL
+# Test team-alpha-1 -> team-alpha-1 via external domain (allowed)
+EXTERNAL_URL=$(oc get ksvc -n team-alpha-1 test-webapp -o custom-columns=:.status.url --no-headers)
+oc exec deployment/curl -n team-alpha-1 -it -- curl -ik $EXTERNAL_URL
 
 HTTP/2 200
 content-length: 18
@@ -388,14 +387,14 @@ x-envoy-upstream-service-time: 3629
 Hello Serverless!
 
 
-# Test tenant-1 -> tenant-2 via cluster local domain (not allowed)
-oc exec deployment/curl -n tenant-1 -it -- curl -v http://test-webapp.tenant-2:80
+# Test team-alpha-1 -> team-bravo-1 via cluster local domain (not allowed)
+oc exec deployment/curl -n team-alpha-1 -it -- curl -v http://test-webapp.team-bravo-1:80
 
-* processing: http://test-webapp.tenant-2:80
+* processing: http://test-webapp.team-bravo-1:80
 *   Trying 172.30.73.216:80...
-* Connected to test-webapp.tenant-2 (172.30.73.216) port 80
+* Connected to test-webapp.team-bravo-1 (172.30.73.216) port 80
 > GET / HTTP/1.1
-> Host: test-webapp.tenant-2
+> Host: test-webapp.team-bravo-1
 > User-Agent: curl/8.2.0
 > Accept: */*
 >
@@ -406,13 +405,13 @@ oc exec deployment/curl -n tenant-1 -it -- curl -v http://test-webapp.tenant-2:8
 < server: envoy
 < x-envoy-upstream-service-time: 6
 <
-* Connection #0 to host test-webapp.tenant-2 left intact
+* Connection #0 to host test-webapp.team-bravo-1 left intact
 RBAC: access denied
 
 
-# Test tenant-1 -> tenant-2 via external domain (allowed)
-EXTERNAL_URL=$(oc get ksvc -n tenant-2 test-webapp -o custom-columns=:.status.url --no-headers)
-oc exec deployment/curl -n tenant-1 -it -- curl -ik $EXTERNAL_URL
+# Test team-alpha-1 -> team-bravo-1 via external domain (allowed)
+EXTERNAL_URL=$(oc get ksvc -n team-bravo-1 test-webapp -o custom-columns=:.status.url --no-headers)
+oc exec deployment/curl -n team-alpha-1 -it -- curl -ik $EXTERNAL_URL
 
 HTTP/2 200
 content-length: 18
@@ -430,9 +429,9 @@ Delete the resources that were created for verification:
 +
 [source,terminal]
 ----
-oc delete deployment/curl -n tenant-1
-oc delete ksvc/test-webapp -n tenant-1
-oc delete ksvc/test-webapp -n tenant-2
+oc delete deployment/curl -n team-alpha-1
+oc delete ksvc/test-webapp -n team-alpha-1
+oc delete ksvc/test-webapp -n team-bravo-1
 ----
 
 
diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
index 7492f15b..dbc27e0a 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
@@ -3,26 +3,22 @@
 // Metadata:
 :description: Setup {serverlessproductname} with {SMProductName}
 
-// TODO
-
 .Assumptions and limitations
 
 This page describes the integration of {serverlessproductname} with {smproductname}. In this setup, it is assumed that:
 
-* All Knative internal components, as well as Knative Services, are part of the {smproductshortname} and have istio-sidecars injected. This means, that strict mTLS is enforced within the whole mesh. All requests to Knative Services require an mTLS connection  (the client must send its certificate), except calls coming from OpenShift Routing.
-* {serverlessproductname} with Kourier disabled can only target *one* istio service mesh. Multiple meshes can be present in the cluster, but {serverlessproductname} will only be available on one of them.
-* The mesh that {serverlessproductname} is part of has to be distinct and ideally only for {serverlessproductname} workloads, as additional configuration like `Gateways` might interfere with the automated configuration by {serverlessproductname}. Other namespaces can be part of this Mesh, but must not configure the istio custom resource `Gateway` that could overlap with {serverlessproductname} `knative-local-gateway` and `knative-ingress-gateway`.
-* {smproductname} only allows one `Gateway` to claim a wildcard host binding (`hosts: *`) on the same port (`port: 443`). So the `knative-ingress-gateway` and `knative-local-gateway` have to be unique in the Mesh. If another Mesh is already binding this configuration, a separate Mesh has to be created for {serverlessproductname} workloads.
-* Cluster external Knative Services are expected to be called via OpenShift Ingress using OpenShift Routes. It is not supported to access istio directly, e.g. by exposing the `istio-ingressgateway` using a Service with type `NodePort` or `LoadBalancer`.
-* Changing the target `ServiceMeshMemberRole`, that {serverlessproductname} is part of (meaning moving {serverlessproductname} to another mesh) is not supported. The only way to change the targeted Service Mesh is to uninstall and reinstall {serverlessproductname}.
+* All Knative internal components, as well as Knative Services, are part of the {smproductshortname} and have sidecars injection enabled. This means, that strict mTLS is enforced within the whole mesh. All requests to Knative Services require an mTLS connection  (the client must send its certificate), except calls coming from OpenShift Routing.
+* {serverlessproductname} with Kourier disabled can only target *one* service mesh. Multiple meshes can be present in the cluster, but {serverlessproductname} will only be available on one of them.
+* The mesh that {serverlessproductname} is part of has to be distinct and ideally only for {serverlessproductname} workloads, as additional configuration like `Gateways` might interfere with the automated configuration by {serverlessproductname}. Other namespaces can be part of this mesh, but must not configure the {smproductshortname} custom resource `Gateway` that could overlap with {serverlessproductname} `knative-local-gateway` and `knative-ingress-gateway`.
+* {smproductname} only allows one `Gateway` to claim a wildcard host binding (`hosts: *`) on the same port (`port: 443`). So the `knative-ingress-gateway` and `knative-local-gateway` have to be unique in the mesh. If another mesh is already binding this configuration, a separate mesh has to be created for {serverlessproductname} workloads.
+* Cluster external Knative Services are expected to be called via OpenShift Ingress using OpenShift Routes. It is not supported to access {smproductshortname} directly, e.g. by exposing the `istio-ingressgateway` using a Service with type `NodePort` or `LoadBalancer`.
+* Changing the target `ServiceMeshMemberRole`, that {serverlessproductname} is part of (meaning moving {serverlessproductname} to another mesh) is not supported. The only way to change the targeted Service mesh is to uninstall and reinstall {serverlessproductname}.
 
 
 .Prerequisites
 
 * You have access to an {product-title} account with cluster administrator access.
 
-* You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
-
 * Install the OpenShift CLI (`oc`).
 
 * Install the {SMProductName} Operator.
@@ -34,7 +30,7 @@ Using {ServerlessProductName} with {SMProductShortName} is only supported with {
 
 .Installing and configuring {smproductname}
 
-. Create a `ServiceMeshControlPlane` resource in the `istio-system` namespace. Make sure to use the following settings, to make Service Mesh work with Serverless:
+. Create a `ServiceMeshControlPlane` resource in the `istio-system` namespace. Make sure to use the following settings, to make Service mesh work with Serverless:
 +
 [IMPORTANT]
 ====
@@ -75,7 +71,7 @@ spec:
 <1> This enforces strict mTLS in the mesh. Only calls using a valid client-certificate are allowed.
 <2> OpenShift Serverless has a graceful termination for Knative Services of 30 seconds. The istio-proxy needs to have a longer termination duration to make sure no requests are dropped.
 <3> Defining a specific selector for the `ingress-gateway` to target only the Knative gateway.
-<4> Those ports are called by Kubernetes and cluster monitoring which are not part of the mesh and cannot be called using mTLS, thus those ports are excluded from the Service Mesh.
+<4> Those ports are called by Kubernetes and cluster monitoring which are not part of the mesh and cannot be called using mTLS, thus those ports are excluded from the Service mesh.
 
 
 . Add the namespaces that you would like to integrate with {SMProductShortName} to the `ServiceMeshMemberRoll` object as members:
@@ -91,7 +87,7 @@ spec:
   members: <1>
     - knative-serving
     - knative-eventing
-    - <namespace>
+    - <your OpenShift projects>
 ----
 <1> A list of namespaces to be integrated with {SMProductShortName}.
 +
@@ -248,7 +244,7 @@ spec:
       "sidecar.istio.io/inject": "true"
       "sidecar.istio.io/rewriteAppHTTPProbers": "true"
 ----
-<1> Enables Eventing istio controller to create a `DestinationRule` for each InMemoryChannel or KafkaChannel service.
+<1> Enables Eventing Istio controller to create a `DestinationRule` for each InMemoryChannel or KafkaChannel service.
 <2> Enables sidecar injection for Knative Eventing pods.
 
 . Apply the `KnativeEventing` resource:
@@ -393,7 +389,7 @@ spec:
       containers:
       - image: <image_url>
 ----
-<1> A namespace that is part of the Service Mesh member roll.
+<1> A namespace that is part of the Service mesh member roll.
 <2> Instructs Knative Serving to generate an {product-title} pass-through enabled route, so that the certificates you have generated are served through the ingress gateway directly.
 <3> Injects {SMProductShortName} sidecars into the Knative service pods.
 +

From 05ce8da4849728a7f5d88a93d50732f50b304064 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Tue, 29 Aug 2023 07:55:26 +0200
Subject: [PATCH 15/20] extract text out of Serving image

---
 .../multi-tenancy-service-mesh-Serving.drawio.svg           | 2 +-
 .../service-mesh/common-service-mesh-network-isolation.adoc | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
index 63f07145..8d977857 100644
--- a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
+++ b/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- Do not edit this file with editors other than diagrams.net -->
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="677px" height="526px" viewBox="-0.5 -0.5 677 526" content="&lt;mxfile host=&quot;drawio-plugin&quot; modified=&quot;2023-08-02T06:46:38.175Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36&quot; etag=&quot;oryNG41NsIzzjCH34zUl&quot; version=&quot;20.5.3&quot; type=&quot;embed&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Page-1&quot;&gt;7Vxbb+M2Fv41BtoFLOhGSnpMM51psb1kd4Dd6SMt0bY2suhSdGL31y8pibZ4sSMrsp2ZJgNMJN7F850rDzMJ7lfbTxStl7+SDBcT3822k+DDxPe9KIL8lyjZyRLoNiULmmdt2aHgc/4Xbgtls02e4UppyAgpWL5WC1NSljhlShmilDyrzeakUGddowU2Cj6nqDBL/5tnbNmUxsA9lP+E88VSzuy5bc0KycZtQbVEGXnuFAU/ToJ7Sghrnlbbe1yI3ZP70vT7eKR2vzCKS9arQ7uOJ1Rs2o+b+LDgfX+YUf60EE/XLGG4RCWbembNPxxZ51RPqZMWm4ph6hSE06XdTLaTFKJkU2ZYfKTLuz4vc4Y/r1Eqap85KHnZkq0K/ubxx3leFPekIJS/l6TkjX7IULWsu4v6ilHyiGWLiR/E/iyAsF6/vt0tBZ4wZXjbKWq3/xMmK8zojjdpa6dA0mAnCyRang/Y8iSHLLu4koWoxfNiP/qB5PyhpfoRBHhvEwH2VaCVoF05q9ZdRPg3RwRMYzybj4SIyL0pIpJbA0Ih8kRIMKPosUQsf8LTCtOnvFxcm9r1j+hJStYpb34uJRcg6IsCbwQUxDdFQV6xnEyrHWfo1bdIXIPFr0vcwCDuz2LDedHP5YLiqmq4TiPKJ8TwM9qNRw++q3Mg/t2MDjDW6RBY6OBb6DCGpA0NMtylXKwhRqiNSYTgq+n0QMn2myJDGIMbkgEeF3Vy8//5+T/3spAPNzsQRaGI2xDpXxu8wXYi8Zm5l4JfJhCq1o3rMs+3gqg6xTKE43l6cVsEQo1BwsSkTGwhTDwCYaLzCGMqlC6pbkUngOMsvLgXEUY3pJNn4yB9Q8vsTrje/C0tUFXlqbqPqvTSxVOc4tQK9lkMQuDua6Q77p3aVpwp7v3RTXUdN3F9ZVsTY0+BZU9lGcVFbaYqs9s2ul3CA8n5UjsmoK6d+Kc6oZccfqA6ZkU2NMXtMF23Xx85jD1jZHUohugCsxNDyYZkPq+w0qaGy347+yHIZm6OiSDscUaMbAhKYBQgaEUQBw7dfeEvUw4FN5Qlf4gpnCDeN/mwbSdt3nbdtwdMc74RmLaFR1HZ0E7RSA0NFFuhL3b5ij0gx9lr1euiN9HRq8ua3nAFoe4R+zeFq5z9jcF1m7MvnecGpz5oXw8oFS8KSL90X7rdTqC7F5CD4UC+FkqB7gG4YKhQjXQrVh/qCEqHIND0HQwECvMhT1HxC5rh4oFUOTeASl41I4yRFSehbHBX5AtRwYhm3FRLtBaDrbYLEcp3ZojD2NkOUtCUMNQu4CR8znIbQl2LAQcYQs4LTfh4J5DS1+zxwdcjBXoKAU8RAmNIgNCUANF5qozr3jiKFUJ711VkuojYa7bXiwhjqFcoMg40EZ3Zt1iLHtWJDwt0tQpd9/T6jR5SMx9YplnFULkW9HDG7zZsSWj+Vy1OHkiRp7t+LuCcCrF3NzDobLzXg4iwiMLy8M8NkRXTqj675DO6nrveNt3aen2h1RqV1oFmZCvGEWHueqQZoRmmU17crHTFEZOXTZ2chHNllu177EubrlphvdAnRHNxlFJuVtxgTZsmebnkL8zSDKOKTbkyQOWxllwwYZYuLdVFXuKp5FOjVuqkKWqUUv3FqMKil7Z/bi1Rlb1iXBiKXXzENSMwuuGbaWx5iVa4Eh591UFJs//vNLkYTdabMmWbxgYwuaBmS5XDQGfkzrmw7Ak+WA4PSV/+XpKKy8b6U5SJTh8zn5z8BTDx4kZYyGLNVHgh0GS3xTKScnSUUuC0uRLeqRhKS8QPBZ6zkxbbGCaaEcKIbAcdkUV7S5X/qnOOHhHEd23yLrnetclXR5MxtIl/PW1iTVF51ybnOvz6sfl1tYktM+bvFnMJoBZzga4ZVr5UxCU8L+7a5nscDbeYwROB+o9olRfi637CxRMWxLKxg3oa7tY/k2441dkHUP/oBlZGOSvoRlOkx/xWAqohiDWABIOjJUYKFPR7RUsGBB5CWx7km4JWPzT0Da5dCQ2BHqKFgTcUDUaSyAXRcF5o9xaCpg3ziqNJXzvx8ePJyWgvf9FFjZITd35ykOj+gBgfr6zH4B6KKgyTJJ6o50sXPD21HJ8mb4stfD2tBgbBQLYwh3L7hZSHsMWlj+l7ZDX1PfGITh959EJS0BM1+5MKAJPAsIYuqm1h4kS+CgAAEicJh0pZqI0WxkkvOF3oqD38mo3uaQCsUNvz0RmuD9SSOWwJXpeyu8GJSyLSA/0FLzjrtz5wrwAaqufgZClEvnFKVnUmv1vH1bj03vvo7ppkBs35vjGNhgpFWpVsSf/WPFYdG6s8y8Qk1sQ/TXhdzKR7TSp54JsOWRhaZNAYmeTATCUfVyNcOfXvSmIbJpFKNF8WnC2wIXhpqPH0PzDN4g6bpnV4sySs5eoDEwuDMMspTlmxc/jzv/H/+DMnuQgNqs2amx9rkZTr9Lkp0nv+pxzV09X3G6aL5i7DbReDZLa/bRnocBWgu46Jf9+Qlo+3zKu6sn7G/H/OXWK+x5I81zHSQggv3yXzfYtD0JFiJQQpDR/Ld/5GWHvsUE+rbeH+W1HB36rD53Y+4L6z2jItNuL27kHymwLfSivRhGi79q4UjqTt6ykrgWdaCyBJTAkXg+PCrPeFCv/1SmFwXuKYOVTSa+iTQ6WiwKpuhuT9Bi94HKEHNIPdcnXmoqrMuCGip5L3V2XGbayeruzZmU+Rf2TRR9dm9IAe0Hiik/l0IWcIjpBxeIyxojMZ61Wu+jtj9WCsIHb8OPQjzw8j7pbrNzagVj00gAT1q0N905bP5zo9nh/Cl7jO+OMI8Q247nhO4tEj/bRhB2E00cXsO+FACyPo8Pv7Seck/eW8jjvFGtQNPmnoPePW+utv7x09ZtbEioyQlLUx+NKtuBlKHxc14/6+Yc3Bfl2eIfr4O++Vs5q7HRdYPL753G88vtZYsl7TzuAMgsPtOcM2soiEE4ea5kFT39tzzhj2ki1NaUwnepCs7itpb+hEayeNfhQ40dDAJ9TPLW2jjedKwzd54+0rpHk4WO8ZBNeHGkxt/nr4G05N88Ofwgp+/D8=&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="217" y="250" width="160" height="160" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 330px; margin-left: 218px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1<br />*.tenant-1.svc.cluster.local</div></div></div></foreignObject><text x="297" y="334" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1...</text></switch></g><rect x="27" y="250" width="160" height="160" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 330px; margin-left: 28px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2<br /> *.tenant-2.svc.cluster.local</div></div></div></foreignObject><text x="107" y="334" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2...</text></switch></g><rect x="217" y="100" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 218px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-serving</div></div></div></foreignObject><text x="297" y="159" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-serving...</text></switch></g><rect x="27" y="100" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 28px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />istio-system</div></div></div></foreignObject><text x="107" y="159" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">istio-system...</text></switch></g><rect x="47" y="120" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 150px; margin-left: 48px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Istio Ingress <br />Gateway</div></div></div></foreignObject><text x="107" y="154" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Istio Ingress...</text></switch></g><rect x="242" y="120" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 150px; margin-left: 243px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator<br />+ IstioProxy</div></div></div></foreignObject><text x="302" y="154" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator...</text></switch></g><ellipse cx="107" cy="300" rx="40" ry="40" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 300px; margin-left: 68px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC</b> IstioProxy + QueueProxy</div></div></div></foreignObject><text x="107" y="304" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC IstioPro...</text></switch></g><ellipse cx="297" cy="300" rx="40" ry="40" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 300px; margin-left: 258px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC<br /></b>IstioProxy + QueueProxy</div></div></div></foreignObject><text x="297" y="304" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC...</text></switch></g><path d="M 147 299.58 L 239.63 299.97" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 244.88 300 L 237.87 303.47 L 239.63 299.97 L 237.9 296.47 Z" fill="#b85450" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 133.03 269.63 L 237.38 147.7" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 240.79 143.71 L 238.9 151.3 L 237.38 147.7 L 233.58 146.75 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 167 135 L 235.63 135" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 240.88 135 L 233.88 138.5 L 235.63 135 L 233.88 131.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 243 294.5 L 247.08 294.5 L 250 297.76 L 252.92 294.5 L 257 294.5 L 252.04 300 L 257 305.5 L 252.92 305.5 L 250 302.24 L 247.08 305.5 L 243 305.5 L 247.67 300 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 362 150 L 387 150 L 387 210 L 329.79 267.21" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 326.07 270.93 L 328.55 263.5 L 329.79 267.21 L 333.5 268.45 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 315.28 11.14 L 315.28 78 L 147 78 L 147 0 L 291.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 291.24 0 C 293.2 2.61 289.98 5.29 282.66 7.16 L 315.28 11.38" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 39px; margin-left: 149px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-1"]<br />to:<br />  hosts: ["*.tenant-1.svc.cluster.local"]<br /></span></font></div></div></div></foreignObject><text x="149" y="42" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 495.28 11.14 L 495.28 78 L 327 78 L 327 0 L 471.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 471.24 0 C 473.2 2.61 469.98 5.29 462.66 7.16 L 495.28 11.38" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 39px; margin-left: 329px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-2"]<br />to:<br />  hosts: ["*.tenant-2.svc.cluster.local"]<br /></span></font></div></div></div></foreignObject><text x="329" y="42" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 363 144 L 367.08 144 L 370 147.26 L 372.92 144 L 377 144 L 372.04 149.5 L 377 155 L 372.92 155 L 370 151.74 L 367.08 155 L 363 155 L 367.67 149.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 269 120 L 232 78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 343 119 L 378.36 78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 415.32 108.35 L 376.68 123.1" fill="none" stroke="#666666" stroke-miterlimit="10" stroke-dasharray="1 1" pointer-events="stroke"/><path d="M 167 165 L 260.45 256.54" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 264.2 260.22 L 256.75 257.82 L 260.45 256.54 L 261.65 252.82 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 261 260 L 265.08 260 L 268 263.26 L 270.92 260 L 275 260 L 270.04 265.5 L 275 271 L 270.92 271 L 268 267.74 L 265.08 271 L 261 271 L 265.67 265.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-35,268,265.5)" pointer-events="all"/><rect x="27" y="424" width="440" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 438px; height: 1px; padding-top: 429px; margin-left: 29px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Legend: <br /></b>all calls coming from tenant-2 pod</div></div></div></foreignObject><text x="29" y="432" fill="#000000" font-family="Helvetica" font-size="10px">Legend:...</text></switch></g><path d="M 30 453 L 63.63 453" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 68.88 453 L 61.88 456.5 L 63.63 453 L 61.88 449.5 Z" fill="#b85450" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><rect x="77" y="440" width="599" height="85" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 597px; height: 1px; padding-top: 483px; margin-left: 79px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-2 can not call tenant-1 directly. Rejected in tenant-1 istio-proxy.<br /><br />tenant-2 can not call tenant-1 via ingress-gateway. Rejected in tenant-1 istio-proxy.<br /><br />tenant-2 can not call tenant-1 via activator. Rejected in activator istio-proxy, as this is the last known place of the "real" source.<br />Note: as ingress-gateway can always call activator, this includes calls from tenant-2 via ingress-gateway to activator.</div></div></div></foreignObject><text x="79" y="486" fill="#000000" font-family="Helvetica" font-size="10px">tenant-2 can not call tenant-1 directly. Rejected in tenant-1 istio-proxy....</text></switch></g><path d="M 67 300 L 7 300 L 7 135 L 40.63 135" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 45.88 135 L 38.88 138.5 L 40.63 135 L 38.88 131.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 67 300 L 17 290 L 17 165 L 40.63 165" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 45.88 165 L 38.88 168.5 L 40.63 165 L 38.88 161.5 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 417 90 L 486 90 L 497 101 L 497 170.5 L 417 170.5 L 417 90 Z" fill="#fff2cc" stroke="#d6b656" stroke-miterlimit="10" pointer-events="all"/><path d="M 486 90 L 486 101 L 497 101 Z" fill-opacity="0.05" fill="#000000" stroke="none" pointer-events="all"/><path d="M 486 90 L 486 101 L 497 101" fill="none" stroke="#d6b656" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 130px; margin-left: 418px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><span style="color: rgb(51, 51, 51); font-size: 10px;">Activator is the last place we know the "real" source</span></div></div></div></foreignObject><text x="457" y="134" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator is...</text></switch></g><path d="M 29 476.26 L 62.63 476.26" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 67.88 476.26 L 60.88 479.76 L 62.63 476.26 L 60.88 472.76 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 29 507 L 62.63 507" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 67.88 507 L 60.88 510.5 L 62.63 507 L 60.88 503.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="397px" height="271px" viewBox="-0.5 -0.5 397 271" content="&lt;mxfile host=&quot;drawio-plugin&quot; modified=&quot;2023-08-29T05:53:06.924Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36&quot; etag=&quot;cfbwgYSIrnLQLHb-djBk&quot; version=&quot;20.5.3&quot; type=&quot;embed&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Page-1&quot;&gt;7VvbbuM2EP2WPghIHmRQN0p6TLJXtAVSBGizj7RE20Rk0aXo2N6vLymRtkTJXtnxbbdJC6w0vIiaMzM8M5Qt72G6/MzQbPInTXFmuSBdWt4Hy3Ud6LqW/B+kKyUJYFRJxoykSrYRPJHvWAmBks5JiotGR05pxsmsKUxonuOEN2SIMbpodhvRrPnUGRrjluApQVlb+g9J+aSSRgHYyL9gMp7oJztAtUyR7qwExQSldFETeR8t74FRyqur6fIBZ1J7Wi/VuE9bWtcLYzjnvQaodbyibK5eznJhJsbeD5m4Gsurc0o4zlHObfEiEE1nQpAPi1nZE1ifgBV/smLfiuWSb/xbpUO+0sAwOs9TLN8NiDGLCeH4aYYS2boQtihkEz7NxJ0jLkckyx5oRpm4z2kuOt2nqJiUw2V7wRl9wbqH5XqRO/QgLBdjalkp/hUzjpc1kdL6Z0ynmLOV6KJa7UCrfqUF2kgWG5NyoJJN6uakjQcpMx6vZ98gLS4U2FuAd64TePfMmMIkwsPRkTANwUUxjS8Nactj26KXHHHyiu0Cs1eSj6/RzWH5J0fSnNfk1d+p3B8GfU3FOYKpRBc1FVJwQu1iVXA8/RXBbcWB84LrtcD9KhUuRF/zMcNFUbmmAcpnxPECrY6Hh9DqKJD/XQwHGJk4eB04uB04wCPA4LdguEtE7EOcsi4nkbGvxOmR0eUvBYMfBReEAW4PdVr5vz/9/aCFYrrhBpQGIqAC6a85nuNukMSTRQ6CfwwQKmZVYjIiSwmqiViKcDRKTk5YIDQcxI/byEQdwERHACbcD5j2hlKH6lI4BThK/ZMnC354QZycLg8yFZqndzKxFndJhoqCJE09NqOXGZ6iBCedxj6MAj8A6xadbDu71IrTRvK+ValgAGLgNtQat3QadOhUyxjOSi7beHqXotUSHikRS61RQHN3Eq868J148webcxZ0zhKspqkn9ebMfuS0Zm5OxREbY75jKt2RjkYFbvQpzWWtzn4huJ2Z3DhtWi+R+wMNcWb4YEbGuTQsgTQWhnEvHYckKLtTDVOSpnKOe8FtyHc0LOeTVjOTL1O+SHBvBR+6rUZbt+mN6/KRmtCqV2i6DcrxA9hQvPM2SzkqCE4X5z+mG2NHRMOwy41jGHoIdrqxwIGtnsWNLfwR+FryTT5i4EXrLh+W6qHV3ap+94gZEYqQtlEKt4aGyoEatKByhAZh6xtAxIqdwG0CbsPzhpDYDCFmwO8dMwLfrF2YJYnzxgz99Csz1yXhz7Xryk7dQN1urFTeNIz0uX5TH7bDunsZsne4IZ/LSgMzDQPBoTtbaKYS5lRbrPQACwzbebRmnmIWJDeICWKFUjr8dy6L9vdzPrKjza3JWYsZyhtGrDsmlf3dSX2PhzdCY2KBQP9zW2UjMkuzR2hKslXV9QvOXrHcDGvtRXleIlsdZ7asN1QPlS05ZVOU1dpeESOy/iq2VMTnTJ6u7OyXoNm2LgtlQrLRB5UdgwxzEaBt8fqJLPu1RlI2m6BcTelWMrEfc1vt/lK8JgC6jQjvztWTgH7VsoUzMdlIzK+fVJaGKpMvj39qj1lQljYXtp5LvMvwhYjp5JxVNLCV0zT6DVHyMi6jjW3g6AZBBWH94ra20hQnlAn3ornNJyR5yWV9phxOcsKJ1o/Zt4blzn615TT6jTKKuKmclBSzDK1094yIBhf8RqYzyjjKlR0bln3j3dYSssq+tc1fA8FbbyRHIHgg1OHmKihdR4mppXOty1Lvj7Qg0ixE05ByTqcdyubUyIGLCZrJyabLsTzPHQyR2GgHy4PyOEY5UgvYucHtVV3yDQ4UBIOgRcMcv73BOTtw65sdu8HPw1N60pQ16f7WYCVv4Ch+m6OE+5Ft4XtRGDWAds5LtU0Ss+bebycxraneQLWFocki/rqHCpHbX8wziT8EYPf6WyN07rBxmWoVBzOvrrj2zrzemdc78/qpmJfeGo/AvFwQNmu19jXV1ryuTy/+b0TMgwYRg6BdDTsVDfNPXd3scSLXl4aFu3lYL0bl7UufAhh7ZyVMPowHps8GQTyI/UNpEzRm86P4aLTpAKf3f2ant72g09TWfrRHAgaNGnjX4eSp/D5sl4lv3Cs5Wtqqy0OOloyTpava/rRjviX4HlwkP2a6DKz+6XJzt+gVtDvOnPaO474TGGGw42OaU8b19jcj5uFy74je/j4L9EuE905yQ3fLoreurTUCOoHhJrUk90SOFbYdqyT91xDd1k5/hOjmAaO2415TdDtChW9bdAv3jG5vYqHv0a1HdPOigRv5bui4figYp/khDTSavUNDn/lFV9+DzP1Dn/mluQ9/FPpaP02JLhD6tv9A5b0G+F4DtN5rgFUN0L3uGiA8Yg0QeGGzwnTBHEjcbn6lWXXf/NjV+/gf&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="218" y="150" width="160" height="120" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 210px; margin-left: 219px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1  🔒 (4)</div></div></div></foreignObject><text x="298" y="214" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1  🔒 (4)...</text></switch></g><rect x="28" y="150" width="160" height="120" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 210px; margin-left: 29px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2</div></div></div></foreignObject><text x="108" y="214" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2...</text></switch></g><rect x="218" y="0" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 55px; margin-left: 219px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-serving  🔒 (4)</div></div></div></foreignObject><text x="298" y="59" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-serving  🔒 (4)...</text></switch></g><rect x="28" y="0" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 55px; margin-left: 29px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />istio-system</div></div></div></foreignObject><text x="108" y="59" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">istio-system...</text></switch></g><rect x="48" y="20" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 50px; margin-left: 49px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Istio Ingress <br />Gateway</div></div></div></foreignObject><text x="108" y="54" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Istio Ingress...</text></switch></g><rect x="243" y="20" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 50px; margin-left: 244px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator<br />+ IstioProxy</div></div></div></foreignObject><text x="303" y="54" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator...</text></switch></g><ellipse cx="108" cy="200" rx="40" ry="40" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 200px; margin-left: 69px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC</b> IstioProxy + QueueProxy</div></div></div></foreignObject><text x="108" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC IstioPro...</text></switch></g><ellipse cx="298" cy="200" rx="40" ry="40" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 200px; margin-left: 259px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC<br /></b>IstioProxy + QueueProxy</div></div></div></foreignObject><text x="298" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC...</text></switch></g><path d="M 148 199.58 L 240.63 199.97" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 245.88 200 L 238.87 203.47 L 240.63 199.97 L 238.9 196.47 Z" fill="#b85450" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 199px; margin-left: 205px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(1)</div></div></div></foreignObject><text x="205" y="202" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(1)</text></switch></g><path d="M 134.03 169.63 L 238.38 47.7" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 241.79 43.71 L 239.9 51.3 L 238.38 47.7 L 234.58 46.75 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 168 35 L 236.63 35" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 241.88 35 L 234.88 38.5 L 236.63 35 L 234.88 31.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 35px; margin-left: 208px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(3)</span></div></div></div></foreignObject><text x="208" y="39" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 244 194.5 L 248.08 194.5 L 251 197.76 L 253.92 194.5 L 258 194.5 L 253.04 200 L 258 205.5 L 253.92 205.5 L 251 202.24 L 248.08 205.5 L 244 205.5 L 248.67 200 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 363 50 L 388 50 L 388 110 L 330.79 167.21" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 327.07 170.93 L 329.55 163.5 L 330.79 167.21 L 334.5 168.45 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 123px; margin-left: 374px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(3)</span></div></div></div></foreignObject><text x="374" y="126" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 364 44 L 368.08 44 L 371 47.26 L 373.92 44 L 378 44 L 373.04 49.5 L 378 55 L 373.92 55 L 371 51.74 L 368.08 55 L 364 55 L 368.67 49.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 168 65 L 261.45 156.54" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 265.2 160.22 L 257.75 157.82 L 261.45 156.54 L 262.65 152.82 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 262 160 L 266.08 160 L 269 163.26 L 271.92 160 L 276 160 L 271.04 165.5 L 276 171 L 271.92 171 L 269 167.74 L 266.08 171 L 262 171 L 266.67 165.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-35,269,165.5)" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 121px; margin-left: 224px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(2)</div></div></div></foreignObject><text x="224" y="125" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(2)</text></switch></g><path d="M 68 200 L 8 200 L 8 35 L 41.63 35" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 46.88 35 L 39.88 38.5 L 41.63 35 L 39.88 31.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 87px; margin-left: 6px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(3)</div></div></div></foreignObject><text x="6" y="90" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 68 200 L 18 190 L 18 65 L 41.63 65" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 46.88 65 L 39.88 68.5 L 41.63 65 L 39.88 61.5 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 134px; margin-left: 17px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(2)</span></div></div></div></foreignObject><text x="17" y="138" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(2)</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
index fb62bc21..1d3d7a82 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -16,6 +16,12 @@ The high-level architecture consists of `AuthorizationPolicies` in the `knative-
 
 image::service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg[]
 
+. Workloads in project tenant-2 can not call workloads in project tenant-1 directly. Requests are rejected in the Istio proxies of tenant-1 workloads.
+. Workloads in project tenant-2 can not call workloads in project tenant-1 via ingress-gateway. Requests are rejected in the Istio proxies of tenant-1 workloads.
+. Workloads in project tenant-2 can not call workloads in project tenant-1 via activator. Requests are rejected in the Istio proxy of the activator component. Note: as ingress-gateway is allowed to call activator, this includes requests from project tenant-2 via ingress-gateway to activator.
+. 🔒 `AuthorizationPolicies` are applied in this project
+
+
 *Knative Eventing*
 
 image::service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg[]

From 9b83905f5827519fbbdf5e8e199d2129776b6243 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Tue, 29 Aug 2023 08:27:12 +0200
Subject: [PATCH 16/20] add pre-install verification steps

---
 .../common-service-mesh-setup.adoc            | 42 +++++++++++++++----
 1 file changed, 35 insertions(+), 7 deletions(-)

diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
index dbc27e0a..ff57a948 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
+++ b/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
@@ -3,18 +3,46 @@
 // Metadata:
 :description: Setup {serverlessproductname} with {SMProductName}
 
-.Assumptions and limitations
+This page describes the integration of {serverlessproductname} with {smproductname}.
 
-This page describes the integration of {serverlessproductname} with {smproductname}. In this setup, it is assumed that:
+.Assumptions and limitations
 
-* All Knative internal components, as well as Knative Services, are part of the {smproductshortname} and have sidecars injection enabled. This means, that strict mTLS is enforced within the whole mesh. All requests to Knative Services require an mTLS connection  (the client must send its certificate), except calls coming from OpenShift Routing.
-* {serverlessproductname} with Kourier disabled can only target *one* service mesh. Multiple meshes can be present in the cluster, but {serverlessproductname} will only be available on one of them.
-* The mesh that {serverlessproductname} is part of has to be distinct and ideally only for {serverlessproductname} workloads, as additional configuration like `Gateways` might interfere with the automated configuration by {serverlessproductname}. Other namespaces can be part of this mesh, but must not configure the {smproductshortname} custom resource `Gateway` that could overlap with {serverlessproductname} `knative-local-gateway` and `knative-ingress-gateway`.
-* {smproductname} only allows one `Gateway` to claim a wildcard host binding (`hosts: *`) on the same port (`port: 443`). So the `knative-ingress-gateway` and `knative-local-gateway` have to be unique in the mesh. If another mesh is already binding this configuration, a separate mesh has to be created for {serverlessproductname} workloads.
-* Cluster external Knative Services are expected to be called via OpenShift Ingress using OpenShift Routes. It is not supported to access {smproductshortname} directly, e.g. by exposing the `istio-ingressgateway` using a Service with type `NodePort` or `LoadBalancer`.
+* All Knative internal components, as well as Knative Services, are part of the {smproductshortname} and have sidecars injection enabled. This means, that strict mTLS is enforced within the whole mesh. All requests to Knative Services require an mTLS connection (the client must send its certificate), except calls coming from OpenShift Routing.
+* {serverlessproductname} with {smproductshortname} integration can only target *one* service mesh. Multiple meshes can be present in the cluster, but {serverlessproductname} will only be available on one of them.
 * Changing the target `ServiceMeshMemberRole`, that {serverlessproductname} is part of (meaning moving {serverlessproductname} to another mesh) is not supported. The only way to change the targeted Service mesh is to uninstall and reinstall {serverlessproductname}.
 
 
+.Pre-install verification
+
+Before you install and configure the {smproductshortname} integration with {serverlessproductname}, please run the following pre-install verifications to make sure, the integration will work properly.
+
+. Check for conflicting gateways
++
+The mesh that {serverlessproductname} is part of has to be distinct and ideally only for {serverlessproductname} workloads, as additional configuration like `Gateways` might interfere with the {serverlessproductname} gateways `knative-local-gateway` and `knative-ingress-gateway`. {smproductname} only allows one `Gateway` to claim a wildcard host binding (`hosts: ["*"]`) on the same port (`port: 443`). If another `Gateway` is already binding this configuration, a separate mesh has to be created for {serverlessproductname} workloads. To check if an existing `Gateway` is already binding those, run:
++
+[source,terminal]
+----
+$ oc get gateway -A -o jsonpath='{range .items[*]}{@.metadata.namespace}{"/"}{@.metadata.name}{" "}{@.spec.servers}{"\n"}{end}' | column -t
+knative-serving/knative-ingress-gateway  [{"hosts":["*"],"port":{"name":"https","number":443,"protocol":"HTTPS"},"tls":{"credentialName":"wildcard-certs","mode":"SIMPLE"}}]
+knative-serving/knative-local-gateway    [{"hosts":["*"],"port":{"name":"http","number":8081,"protocol":"HTTP"}}]
+----
++
+This command should not return a `Gateway` that binds `port: 443` and `hosts: ["*"]`, except the `Gateways` in `knative-serving` and `Gateways`, that are part of another {smproductshortname} instance.
+
+. Check if {smproductshortname} is exposed as type `NodePort` or `LoadBalancer`
++
+Cluster external Knative Services are expected to be called via OpenShift Ingress using OpenShift Routes. It is not supported to access {smproductshortname} directly, e.g. by exposing the `istio-ingressgateway` using a Service with type `NodePort` or `LoadBalancer`. To check how your `istio-ingressgateway` is exposed, run:
++
+[source,terminal]
+----
+$ oc get svc -A | grep istio-ingressgateway
+istio-system   istio-ingressgateway  ClusterIP  172.30.46.146 none>   15021/TCP,80/TCP,443/TCP     9m50s
+----
++
+This command should not return a `Service` of type `NodePort` or `LoadBalancer`.
+
+
+
 .Prerequisites
 
 * You have access to an {product-title} account with cluster administrator access.

From e9fd1638400be4bc2dff9a7a1fb0bd1591cb1d18 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Thu, 31 Aug 2023 08:36:27 +0200
Subject: [PATCH 17/20] add page for Serving with OCP ingress sharding

---
 modules/ROOT/nav.adoc                         |  10 +-
 ...i-tenancy-service-mesh-Eventing.drawio.svg |   0
 ...ti-tenancy-service-mesh-Serving.drawio.svg |   0
 ...common-service-mesh-network-isolation.adoc |   0
 .../common-service-mesh-setup.adoc            |   1 -
 ...eventing-service-mesh-containersource.adoc |   0
 .../eventing-service-mesh-sinkbinding.adoc    |   0
 .../serving-with-ingress-sharding.adoc        | 123 ++++++++++++++++++
 8 files changed, 129 insertions(+), 5 deletions(-)
 rename modules/{serverless-common => serverless}/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg (100%)
 rename modules/{serverless-common => serverless}/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg (100%)
 rename modules/{serverless-common => serverless}/pages/service-mesh/common-service-mesh-network-isolation.adoc (100%)
 rename modules/{serverless-common => serverless}/pages/service-mesh/common-service-mesh-setup.adoc (99%)
 rename modules/{serverless-common => serverless}/pages/service-mesh/eventing-service-mesh-containersource.adoc (100%)
 rename modules/{serverless-common => serverless}/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc (100%)
 create mode 100644 modules/serverless/pages/serving/serving-with-ingress-sharding.adoc

diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
index d83e2ca4..d425021f 100644
--- a/modules/ROOT/nav.adoc
+++ b/modules/ROOT/nav.adoc
@@ -1,10 +1,12 @@
 * xref:index.adoc[Overview]
 * Serverless
 ** Using OpenShift Serverless with OpenShift Service Mesh
-*** xref:serverless-common:service-mesh/common-service-mesh-setup.adoc[Setup Serverless with OpenShift Service Mesh]
-*** xref:serverless-common:service-mesh/common-service-mesh-network-isolation.adoc[Use Service Mesh to isolate network-traffic]
-*** xref:serverless-common:service-mesh/eventing-service-mesh-containersource.adoc[Eventing: Using ContainerSource with OpenShift Service Mesh]
-*** xref:serverless-common:service-mesh/eventing-service-mesh-sinkbinding.adoc[Eventing: Using SinkBinding with OpenShift Service Mesh]
+*** xref:serverless:service-mesh/common-service-mesh-setup.adoc[Setup Serverless with OpenShift Service Mesh]
+*** xref:serverless:service-mesh/common-service-mesh-network-isolation.adoc[Use Service Mesh to isolate network-traffic]
+*** xref:serverless:service-mesh/eventing-service-mesh-containersource.adoc[Eventing: Using ContainerSource with OpenShift Service Mesh]
+*** xref:serverless:service-mesh/eventing-service-mesh-sinkbinding.adoc[Eventing: Using SinkBinding with OpenShift Service Mesh]
+** Serving
+*** xref:serverless:serving/serving-with-ingress-sharding.adoc[Use Serving with OpenShift ingress sharding]
 * Serverless Logic
 ** xref:serverless-logic:about.adoc[About OpenShift Serverless Logic]
 ** User Guides
diff --git a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg b/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
similarity index 100%
rename from modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
rename to modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
diff --git a/modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg b/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
similarity index 100%
rename from modules/serverless-common/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
rename to modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc
similarity index 100%
rename from modules/serverless-common/pages/service-mesh/common-service-mesh-network-isolation.adoc
rename to modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc
diff --git a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc b/modules/serverless/pages/service-mesh/common-service-mesh-setup.adoc
similarity index 99%
rename from modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
rename to modules/serverless/pages/service-mesh/common-service-mesh-setup.adoc
index ff57a948..8d539719 100644
--- a/modules/serverless-common/pages/service-mesh/common-service-mesh-setup.adoc
+++ b/modules/serverless/pages/service-mesh/common-service-mesh-setup.adoc
@@ -42,7 +42,6 @@ istio-system   istio-ingressgateway  ClusterIP  172.30.46.146 none>   15021/TCP,
 This command should not return a `Service` of type `NodePort` or `LoadBalancer`.
 
 
-
 .Prerequisites
 
 * You have access to an {product-title} account with cluster administrator access.
diff --git a/modules/serverless-common/pages/service-mesh/eventing-service-mesh-containersource.adoc b/modules/serverless/pages/service-mesh/eventing-service-mesh-containersource.adoc
similarity index 100%
rename from modules/serverless-common/pages/service-mesh/eventing-service-mesh-containersource.adoc
rename to modules/serverless/pages/service-mesh/eventing-service-mesh-containersource.adoc
diff --git a/modules/serverless-common/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc b/modules/serverless/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc
similarity index 100%
rename from modules/serverless-common/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc
rename to modules/serverless/pages/service-mesh/eventing-service-mesh-sinkbinding.adoc
diff --git a/modules/serverless/pages/serving/serving-with-ingress-sharding.adoc b/modules/serverless/pages/serving/serving-with-ingress-sharding.adoc
new file mode 100644
index 00000000..6ee2adf6
--- /dev/null
+++ b/modules/serverless/pages/serving/serving-with-ingress-sharding.adoc
@@ -0,0 +1,123 @@
+= Use Serving with {product-title} ingress sharding
+:compat-mode!:
+// Metadata:
+:description: Use Serving with {product-title} ingress sharding
+
+This page describes how {serverless} Serving can be used with {product-title} ingress sharding.
+
+.Prerequisites
+
+* You have access to an {product-title} account with cluster administrator access.
+
+* You have an existing {product-title} routing setup that uses ingress shards
+
+
+.Setting up {product-title} ingress shards
+
+{serverless} can be configured to match specific ingress shards with different domains with a label selector.
+The following is an example of how your ingress shard could be configured.
+The relevant fields are marked:
+
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+  name: ingress-dev  <1>
+  namespace: openshift-ingress-operator
+spec:
+  routeSelector:
+    matchLabels:
+      router: dev  <2>
+  domain: "dev.serverless.cluster.example.com"  <3>
+  #... other settings ...
+---
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+  name: ingress-prod  <1>
+  namespace: openshift-ingress-operator
+spec:
+  routeSelector:
+    matchLabels:
+      router: prod  <2>
+  domain: "prod.serverless.cluster.example.com"  <3>
+  #... other settings ...
+----
+<1> The names of your ingress shard, here as an example `dev` and `prod` for different stages
+<2> A label selector to match the ingress shard
+<3> A custom domain for the ingress shard
+
+Replace these values with your own configuration.
+
+.Configuring custom domains in the `KnativeServing` CustomResource
+
+To match the ingress shards, you need to configure `KnativeServing` to use the same domains and labels as your ingress shards.
+For this you need to create or edit your `KnativeServing` resource and add the `spec.config.domain` field:
+[source,yaml]
+----
+spec:
+  config:
+    domain: <1>
+      dev.serverless.cluster.example.com: |
+        selector:
+          router: dev
+      prod.serverless.cluster.example.com: |
+        selector:
+          router: prod
+----
+<1> These values have to match to the ones in the ingress shard configuration.
+
+.Targeting a specific ingress shard in the Knative Service
+
+You can now target a specific ingress shard in your Knative `Service` resources using a label:
+[source,yaml]
+----
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: hello-dev
+  labels:
+    router: dev  <1>
+spec:
+  template:
+    spec:
+      containers:
+      - image: docker.io/openshift/hello-openshift
+---
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: hello-prod
+  labels:
+    router: prod  <1>
+spec:
+  template:
+    spec:
+      containers:
+      - image: docker.io/openshift/hello-openshift
+----
+<1> This have to match the configuration in `KnativeServing`
+
+.Verification
+
+With this setup, your Knative Services should use the correct route and the selected ingress shard:
+[source,terminal]
+----
+$ oc get ksvc
+NAME         URL                                                             LATESTCREATED      LATESTREADY        READY   REASON
+hello-dev    https://hello-dev-default.dev.serverless.cluster.example.com    hello-dev-00001    hello-dev-00001    True
+hello-prod   https://hello-prod-default.prod.serverless.cluster.example.com  hello-prod-00001   hello-prod-00001   True
+----
+[source,terminal]
+----
+$ oc get route -n knative-serving-ingress -o jsonpath='{range .items[*]}{@.metadata.name}{" "}{@.spec.host}{" "}{@.status.ingress[*].routerName}{"\n"}{end}'
+route-19e6628b-77af-4da0-9b4c-1224934b2250-323461616533 hello-prod-default.prod.serverless.cluster.example.com ingress-prod
+route-cb5085d9-b7da-4741-9a56-96c88c6adaaa-373065343266 hello-dev-default.dev.serverless.cluster.example.com ingress-dev
+----
+
+[NOTE]
+====
+Please be aware that even with OpenShift ingress sharding in place, the {serverless} traffic is still routed through a single Knative Ingress Gateway and the activator component in the `knative-serving` project.
+Please also take a look at xref:./../service-mesh/common-service-mesh-network-isolation.adoc[] for more information about isolating the network traffic.
+====

From 4501ea901261c488148610c63ad2082dda9d3679 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Tue, 12 Sep 2023 15:04:39 +0200
Subject: [PATCH 18/20] add tabs to show verification steps with kn cli

---
 ...common-service-mesh-network-isolation.adoc | 143 ++++++++++++++----
 1 file changed, 116 insertions(+), 27 deletions(-)

diff --git a/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 1d3d7a82..dd44a9d9 100644
--- a/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -285,12 +285,32 @@ The helm chart has several options that can be passed to configure the generated
 This verification is assuming that we have two tenants with one namespace each, all part of the `ServiceMeshMemberRoll`, configured with resources listed above.
 We can then use curl to verify the connectivity:
 
-. Deploy Knative Services in both tenants namespaces and a `curl` pod to run test commands:
+. Deploy Knative Services in both tenants namespaces:
++
+[tabs]
+====
+Using the Knative CLI::
 +
 [source,terminal]
 ----
 # Team Alpha
-cat <<EOF | oc apply -f -
+kn service create test-webapp -n team-alpha-1 \
+    --annotation-service serving.knative.openshift.io/enablePassthrough=true \
+    --annotation-revision sidecar.istio.io/inject=true \
+    --env RESPONSE="Hello Serverless" \
+    --image docker.io/openshift/hello-openshift
+
+# Team Bravo
+kn service create test-webapp -n team-bravo-1 \
+    --annotation-service serving.knative.openshift.io/enablePassthrough=true \
+    --annotation-revision sidecar.istio.io/inject=true \
+    --env RESPONSE="Hello Serverless" \
+    --image docker.io/openshift/hello-openshift
+----
+Using YAML::
++
+[source,yaml]
+----
 apiVersion: serving.knative.dev/v1
 kind: Service
 metadata:
@@ -309,8 +329,32 @@ spec:
           env:
             - name: RESPONSE
               value: "Hello Serverless!"
-EOF
+---
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: test-webapp
+  namespace: team-bravo-1
+  annotations:
+    serving.knative.openshift.io/enablePassthrough: "true"
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: 'true'
+    spec:
+      containers:
+        - image: docker.io/openshift/hello-openshift
+          env:
+            - name: RESPONSE
+              value: "Hello Serverless!"
+----
+====
 
+. Deploy a `curl` pod to test the connections:
++
+[source,terminal]
+----
 cat <<EOF | oc apply -f -
 apiVersion: apps/v1
 kind: Deployment
@@ -338,32 +382,78 @@ spec:
         - sleep
         - "3600"
 EOF
-
-# Team Bravo
-cat <<EOF | oc apply -f -
-apiVersion: serving.knative.dev/v1
-kind: Service
-metadata:
-  name: test-webapp
-  namespace: team-bravo-1
-  annotations:
-    serving.knative.openshift.io/enablePassthrough: "true"
-spec:
-  template:
-    metadata:
-      annotations:
-        sidecar.istio.io/inject: 'true'
-    spec:
-      containers:
-        - image: docker.io/openshift/hello-openshift
-          env:
-            - name: RESPONSE
-              value: "Hello Serverless!"
-EOF
 ----
 
 . Verification
 +
+[tabs]
+====
+Using the Knative CLI::
++
+[source,terminal]
+----
+# Test team-alpha-1 -> team-alpha-1 via cluster local domain (allowed)
+oc exec deployment/curl -n team-alpha-1 -it -- curl -v http://test-webapp.team-alpha-1:80
+
+HTTP/1.1 200 OK
+content-length: 18
+content-type: text/plain; charset=utf-8
+date: Wed, 26 Jul 2023 12:49:59 GMT
+server: envoy
+x-envoy-upstream-service-time: 9
+
+Hello Serverless!
+
+
+# Test team-alpha-1 -> team-alpha-1 via external domain (allowed)
+oc exec deployment/curl -n team-alpha-1 -it -- curl -ik $(kn service describe test-webapp -o url -n team-alpha-1)
+
+HTTP/2 200
+content-length: 18
+content-type: text/plain; charset=utf-8
+date: Wed, 26 Jul 2023 12:55:30 GMT
+server: istio-envoy
+x-envoy-upstream-service-time: 3629
+
+Hello Serverless!
+
+
+# Test team-alpha-1 -> team-bravo-1 via cluster local domain (not allowed)
+oc exec deployment/curl -n team-alpha-1 -it -- curl -v http://test-webapp.team-bravo-1:80
+
+* processing: http://test-webapp.team-bravo-1:80
+*   Trying 172.30.73.216:80...
+* Connected to test-webapp.team-bravo-1 (172.30.73.216) port 80
+> GET / HTTP/1.1
+> Host: test-webapp.team-bravo-1
+> User-Agent: curl/8.2.0
+> Accept: */*
+>
+< HTTP/1.1 403 Forbidden
+< content-length: 19
+< content-type: text/plain
+< date: Wed, 26 Jul 2023 12:55:49 GMT
+< server: envoy
+< x-envoy-upstream-service-time: 6
+<
+* Connection #0 to host test-webapp.team-bravo-1 left intact
+RBAC: access denied
+
+
+# Test team-alpha-1 -> team-bravo-1 via external domain (allowed)
+oc exec deployment/curl -n team-alpha-1 -it -- curl -ik $(kn service describe test-webapp -o url -n team-bravo-1)
+
+HTTP/2 200
+content-length: 18
+content-type: text/plain; charset=utf-8
+date: Wed, 26 Jul 2023 12:56:22 GMT
+server: istio-envoy
+x-envoy-upstream-service-time: 2856
+
+Hello Serverless!
+----
+Using OC client::
++
 [source,terminal]
 ----
 # Test team-alpha-1 -> team-alpha-1 via cluster local domain (allowed)
@@ -428,6 +518,7 @@ x-envoy-upstream-service-time: 2856
 
 Hello Serverless!
 ----
+====
 
 . Cleanup
 +
@@ -439,5 +530,3 @@ oc delete deployment/curl -n team-alpha-1
 oc delete ksvc/test-webapp -n team-alpha-1
 oc delete ksvc/test-webapp -n team-bravo-1
 ----
-
-

From e6866aff0de2057b7bfc747d5348156483fa424a Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato <pierdipi@redhat.com>
Date: Mon, 18 Sep 2023 10:31:59 +0200
Subject: [PATCH 19/20] Update eventing diagram to use textual legend and a
 tenant-sliced version of the diagram

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
---
 .../multi-tenancy-service-mesh-Eventing.drawio.svg         | 2 +-
 .../common-service-mesh-network-isolation.adoc             | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg b/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
index 430ed33e..2ab99e8e 100644
--- a/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
+++ b/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg
@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- Do not edit this file with editors other than draw.io -->
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="851px" height="592px" viewBox="-0.5 -0.5 851 592" content="&lt;mxfile host=&quot;app.diagrams.net&quot; modified=&quot;2023-07-12T13:21:07.243Z&quot; agent=&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36&quot; etag=&quot;MzNSYjKCrewUaZhcTdKm&quot; version=&quot;21.5.0&quot; type=&quot;device&quot; pages=&quot;2&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Serving&quot;&gt;7VxZk6M2EP41fkiqTHGIw4+zM3tVNlWTTFWy+yiDbMhg5IB87a+PBAiDJNtgY+ypzKQqCy0hQffXh1otj6zHxfZzCpfh7zhA8cjUg+3IehqZpmUCnf7DKLuCYlqGV1DmaRQUNGNPeIl+opJYPjhfRQHKGh0JxjGJlk2ij5ME+aRBg2mKN81uMxw3Z13COZIILz6MZerfUUDCgurZ+p7+BUXzkM9s6GXLAvLOJSELYYA3NZL1cWQ9phiT4mqxfUQx4x7nS/HcpwOt1YulKCGtHijfYw3jVflxI9OJ6bMfpim9mrOrISkEJTAhY0Nu+VXjbVq29jU/XmUEpVqMqVxKZpIdl1CKV0mA2Efq9NFNGBH0soQ+a91QUFJaSBYxvTPo5SyK40cc45TeJzihnT4EMAvzx1l7RlL8iniPkWl55tRynPz9RXaXElijlKBtjVSy/zPCC0TSHe1Sto5tjoVSG8YO14/NHluGU9LCOq44EZZ4nlej70VOL0qpH0CAcZ8IUL8FXDDZJdNsWUeEeXNEOL6HprOeEOEaN0XE5NaAaAh5xNRDIr0mkERrNM5Quo6S+cDSDpypYzP9j+EUxc84i0iEE9rmU6kj2ukDk3ZEYfhN6EAwmxvG0VzZ/aFsmGJC8OJaBsadtIWT0QOcvJvCKcoo58fZjlqGxcAomTiuBd8MSiSjMyxKLAklX5nkKOlrMk9RlhV2QJDuZ0jQBu76EywVGzICG7lHBdoHv52JyG9XwW9Twe8+bDyQ2P3gU4MKCU5VWsVMbi6P5xRv+2X3bDYzff+ole2D3WBi35DdzmEbyJn828tfj5xIh5vumd/gvF4I448VWiG1MOjMdB2ETgsCZsticTSLtkx4omQCiLyZUjK9RjuOK0Y7liwZTyEYrwfBuN0EI3uauqhuJScbeQG4+joFeDeUk2EqBCUyNAke2OKeucwYZlnkN/nYtFKUE+nue/3mB7vRTJvfP23rrU+78q4794sWnikwj8mDwHSOSMMloqCRjJAFVGO/rWA/p6UozmPmxnwqmZQzPOOIvlwtQHBEh2XbzUEyvEp9VD5XTzpIQ4kqXxH4UAUfpKFymFSf3g45cmRxIXL6AADaRuR7OTq7rmOP3u6hx252owshexBuhcQacKsjENwXAm0JNrYAm9YItPVTYO4RgXKwdQ8I5GAyGmA6F0l12Lj3BRtLdFyuuGBpDRvgiVEkuB5s7LuEjdJwuW0Nl6YDIBgv7wTk8rtnlEaUd2wZfJFFuzNo2pJPFfF0n9CU1zPmLz2D8/Tio0NYdVLeJRd1DZie0+CjIQe5V0WEmBagBPpS54JiYkijtQLFfijeEc9mGboYOHIy0LgUOIeiIrdrIH8O4pTm8KgtbGW5HNlytY3FuOipZTU8c1jsio6WEih29epPGLJ9tCbmJk8MPCyoedKoT1BfDZvaeUuM/8sK4236Y0U6V8Lfob2GahNB3F0oNiFqCM1CuGSDLbZzVtehTSEFsbZVpHQ9H6lTulPPBraeo53A8gWOwqdThheIvs7WbMkA8tVYcwfjMFLaZqhMOVwH92QFqtC7tASGxsxmy6gdmGbTHpTPHgvb6VBi1H5+KA9k09E2lK9CO91zvQZCjGG9o2RbrP6WoeJQA3tAeT1whgc81/f0qiUdfKW/StfV7m8rFCvCurZJ3grF1kR3m8Lnww62QjE017Bd03Nt07Y8YYXh6B5d0wPTNUzgAkec4PyYz5m4WjsPSlHG9oSrbkvWITvySa60teE0yuboRTHmNZXIarFJ+LAiIU6jn7nvfMZx5O/abU3NUubjH84st5Hu80FmOGfCXsOdf1eYN4yzvGqTzqgb+nJbPFa2iy+aLWGiHGiKt2wcVuCTjzTFaYDSMSUXb7qg8o+Soo1PQnUwCKonKmrxqEDMX3QN04gVkSWrBfVMftElSkJ6QxTdEMzImEY+MDnUk1oXRPxQ0RxHCRpznZRaeQA2Lgs/8i+GGWJPCfzTcwPa4BWhFo1x8RXl0CfpijJTYnkCFyhjO41ZDSUF/99lcjWZLFeJT1ZFwCtrQa6WTQ2zayPXKmL5k/aTomwSt9XvEGfUGuaf0pjoeIHt0clPgImSC2PByUJkcGIDXL3wCLBP0ZFwg1NWiRuKiKBaj/CKqhjNyNHlSR/rESmT56kKqlyFp+Zh6kX1VC0qG969ybvlevcmb04mfXgTczhvoizOf/cmXbNb4nJoWG+iOhPwVhKMY/Po3mCnFKMl5F14XdoACUYgbzMcS7GUJeoHc4vNHIhR4v4TXEQx+7ovKF4jJi6VQtD7Gs+LLZhRI2FY5Wx+1JM7vezwN7InTsv0yUC5EeB4AkDEwrb2OT7x1Ianm62yH2ekHoDqDNhdQasdGu6susMSdyRc99xsmFS+fk00HD0coEfsKAYJEYt2aKTExBIzX0vZyv73mlCM8A57R5+ihtuv8qIizLodJTgTVsWfwq/Y7D+VX3Hyv57ciAXEnQBP4cuBApnA6cGPdKsru4UfOSMZf6CcsZ+Na6DYfrq3nWsRU45Y6dPB1kib4FerzgZyQZB1T7umXWonWkGp836P7fCgc6gYxp1orimCaaJxZ9YdT9Jo/IjxbXYrwZtezFi2EmqVInVYzTjNSse94g+wmrG7rWYGqm4+qML3YualU7rg7CIC6dydNFR/Zt4+8iMTPI/zDc2pwNsloCWoUMwTQf8aYi+jGMUZbiGLI+r1IgoCNokyFBUAeLVFziXHuIEjK7UqtOzjELd99bNWw1aF30ypDV0TjewFeq0YrUfVlleL1Y5lnhWGefcsxJs8eQ1JyBaQVBpFG95QYb+r86HD0c5ENNKKkkZ3ciV9lpeK1f6BYp9BMt2sCEzf7zjofr4L5BeIiIrfdRjP+W846JCZfx3Wcg1BlCKfxDtNHttUjp1gsp9hv3NeH0j/E/1Drxnq6Ds0uxW/FrJk57UVU1qdplxHUP7Ki+YHZ8xfcVM1M2ykdaqpR+ZjARyWxsnTPXLOh6V5cn0ucz94Nmqd9NHe9b29vhtAUcRsTxQabwOxPq6FztPb/a/NFeZ//6N91sf/AA==&lt;/diagram&gt;&lt;diagram id=&quot;3ncZUew1-WGYs9gJAp3X&quot; name=&quot;Eventing&quot;&gt;7Vxrk6K4Gv411tnZKikIF/FjT/fM2TpnzlbXTtVePkaIktNIXIit7q/fJBAuSVS00XZmdaqmIYSQ5H3e+wsj93G5/XcOV8n/SIzSEbDj7ch9GgEAAnvC/vCWXdniuGBatixyHFdtTcNX/BeqGu2qdY1jVHQ6UkJSilfdxohkGYpopw3mOdl0u81J2n3qCi6Q1vA1gqne+huOaVK2hr7dtP+E8CKRT3bs6soSys5VQ5HAmGxaTe6nkfuYE0LLo+X2EaV89+S+lPd93nO1nliOMtrnhj+eP8GnAiH0n19//5Klz+HLb7NxNcorTNfVgkcgSNl4H2c5O1rwo2u2UJTBjPJpqVd+tOQ1q3iNrChdFxTlVkoYraoNpjtJtZyssxjxhdvs1k2CKfq6ghG/umFAZW0JXabszGGHc5ymjyQlOTvPSMY6fYxhkYjb+fWC5uQFyR4j4IZg5gaBmL/YPJRTtN1LFaemNeMSRJaI5jvWpbrBk0iqGMQNq/NNgzYnqNqSNtJkI6wQvqjHbkDADiocnIAJcJuYMM8CLjk1s1mxamMEvDtGgihEs/kwGAG3hxH3vTHSofuIiz6t6SWDFL+iMXpl+4yzxZUREAezwOdSIoUzlD6TAlNMMnYtYtNBrNNHDgrMoPlF6UAJfzZM8cLY/aG6MCOUkuVlIAZcHWKub4KYcymIeRrEfkERYgTNhyMkIxNyYh9NTAScBhMXDiTmwUTZX9/AwsCwvxfjYF/b3q+IbeKwmzufz0EUHeSOIXRo4N/Y5gYG8ahsK9vsB26fcg5PYVHgqLuT3W1nO5Hvfucn1sSX539UXcXJ07bd9WlXnSkEYVgPY++gUVNekcYuqEmEYs1SVgjE1kfWeYSO25sU5gtEjzG/TvAWQU3CSLblKBWiv+sNGIhcPeGZYLaQhllthVklvuQQ5TKru9omtzKQM93D9XKgch+0gQTm6mWfD8PJ0DAcAk1oi2kbyey0BjI7bnDMT3YjHf+u02aAsW3ZDjjCBeLsGeWY7SjXpaJxQFj7PWG9R45dB9Z+qJiRquruC2tfMRY8+7qwDjVYOx9OBnaDqDaabMs/UaBCFM6NGq72AHQWiNb5a204DghD8DbpWpHXttypjNtUFB6DQNOolxTAitz03DORqnnXAFiKLN+DVYYduGt1W/EOxf4pOypzBZ1oDDsoR1TulsOT+bxAF2GWqUEHVP6UdKce1jQhOf4Lcv/jmaQ42u33wtgk6hvnOfc/Hs500LRzMciciI1pODn4c03khXEhAoTsibZjr7blbdV1daLFCmbGgWZky8fhHqEYaUZyZveOWXM50yVDBM7Ka/IhjB3juL6jbi1vVRrFRF9hjnkkIlsvmdqJyi44S9gJNXRDsKBjWLDjfT2ZFEE0SgyXU5yhseRC7ar0GseVPylWDAvE71L2zxaCsrNXlEkuvosvSDADzddsM7Utz+ASFdwnKFooKff/TpOL0WS1ziK6Fkxr4ALBll0O81sjtwKt8k7/yRB7I335OyEFk49iKZ0HHY7bHny44SkrSBPTUxjemhV9/vH4wIdQyppLKSSbFdPiiA9cJHDFryy3C54UsRhlcWTFJGKwy6QkqzIdjsGkmIcREk6zjAClaE5NFsYs9LmCG8SHdtyu/jKFGCfG+E+4X7u/yYeW1uldc92l5F1zfVc0GUJzgetpLmM2aXjNBe6a6xzN5br+rWkuU1Z9f3iiyibtDbp14wdORYbPcIlTvuSfUPqKOFOa6MPOW9tui9+oE047KZpsjKM1AT3QDujVMTxjQG/AqIfXM+oxfc/gmzcFHZRqoeDewTdPiSmrML5w8M0BNw9uc4D55vDo2KN3BKQfBF0cedMzY2xq9u3agNRrEZpEsY0LTooEccuGWUWcpClXf2yb+X8vGUOp7NDo3hx1VLwkutWnOEGmUe2CHRSdYf+bjX+WBmdn+ATB8p4NZqSX88lR+dh/8VGy5ka+s3K9Kuudlq09k9XKn0H/+/yfSeEH4jeMwlcFoKFUwfGMCv9S6V5Hr1W4UZnotAWi5R8UifsyJOBYimRAWSqZ+7YTxh5Qgv9n5yvUMpFQGejSslSvCjkE5CtljPvi6b3I7yhZJn96JvnVegFtoEuT31S3ooTcvqAFQ0C/KJuGHSb0qeJydnBQSUZDrZ3iUaq1cEscx/whRo2nIPKtsnQAFaYhJtB1mFGFXUyDXbxU5Jw8+bfG+IE9tcIzzWiV901jXZr99cKKOqkiAldQjFEkZCOieCKixV+zQOU1smHUv7P8HpafOl2WD32N5Z3J9Jo8r5cG1JFIQwxWk/i86MZuYpd2JCLkUQmSti8lnbGWwxNj1kxTEZrn2kQ4S5zXea22cNlIywHiDThrnua0/aGOU2YM0IuAfFSS9UEsOP9hPG63fxiZ8jHAuMCM0GaZrQnJJbH52L+g/7Njzg3avHFBMRmvcrLdGdxJ90NtFbNFP/Jbc7xYoLw6qzZrPSuiHM9Ec+cJoL0zxdE5b0j+khIYFydN+s7hvTg8sH1L53F/auDxwFPLkoZ7m0dPo7qnV8sNr9v3RI17l4F6oC76LN1S2z4ret3XxhiwCvQIjthSwknYgZKjw+iC3qzihJ5fJyrjInKgnu7MNcvj5PYcMnz3vadTv4CjCq7yBZ6jibWtIYImM2j7U2Y5obCawECCy1MElxtMddPEM1gmB6D1NpkFDES5l37cywzupR/fOk3eVPqhv9F5sFhik6DsfE4X8NEnlKM/16igVpmyKdj8OlmdntUghiYh7EwVIj1LNe+lIZpiCwLFkpnohlQdd7lObQgwvTl9k6ki8WKVN2rni7zgsHXOTrTiEGmxd17aum4SSW7xbb+e5aq5H/Xt1N5JJEcZ6MoJeWDKht6tt7ulcLfevnWa3K23c603cLfeeltvO0WPvaO1dlo9xLdS2HPITlOKfa5ppvUtnATvaaYFQffVaM898+MQgWKmaS85X9pMG/wjJUOmBRzLBqCDadcFJ6N6SHT2BefkoEvKExdht/LWIOau6GZ4YGr5od38vDO9Dhk0PhHOVw3296hy+e6D/W6g0N8zZCmvG+7X6040h/GleI16lZix5+FVsS9r3CITLFblB0PneMtF2BniawByADVENdWlgenTfpf7+mOPD0Z8p7RwvRujhRSh/0TG8BTGqD8y9G7EOPCt3O+cMdR3zi5IC3bafBK51PvNl6XdT38D&lt;/diagram&gt;&lt;/mxfile&gt;" style="background-color: rgb(255, 255, 255);"><defs/><g><rect x="450" y="300" width="160" height="160" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 380px; margin-left: 451px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1<br />*.tenant-1.svc.cluster.local</div></div></div></foreignObject><text x="530" y="384" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1...</text></switch></g><rect x="250" y="300" width="160" height="160" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 380px; margin-left: 251px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2<br /> *.tenant-2.svc.cluster.local</div></div></div></foreignObject><text x="330" y="384" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2...</text></switch></g><rect x="250" y="150" width="350" height="110" fill="none" stroke="#d6b656" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe center; width: 348px; height: 1px; padding-top: 147px; margin-left: 251px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-eventing</div></div></div></foreignObject><text x="425" y="147" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-eventing...</text></switch></g><rect x="270" y="170" width="120" height="60" fill="#e1d5e7" stroke="#9673a6" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 200px; margin-left: 271px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Receiver</div></div></div></foreignObject><text x="330" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Receiver</text></switch></g><rect x="465" y="170" width="120" height="60" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 200px; margin-left: 466px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Sender</div></div></div></foreignObject><text x="525" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Sender</text></switch></g><path d="M 450 309.41 L 366.18 235.45" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 361.68 231.48 L 370.32 233.77 L 366.18 235.45 L 365.03 239.77 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 555 230 L 565.53 289.97" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 566.57 295.88 L 561.25 288.69 L 565.53 289.97 L 569.13 287.31 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 250 326.67 Q 180 280 263.84 205.47" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 268.33 201.49 L 265.01 209.79 L 263.84 205.47 L 259.69 203.81 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 261px; margin-left: 240px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="240" y="264" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 298.28 16.86 L 298.28 118 L 130 118 L 130 0 L 274.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 274.24 0 C 276.2 3.94 272.98 8.01 265.66 10.84 L 298.28 17.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 59px; margin-left: 132px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-1"]<br />to:<br />  hosts: ["*.tenant-1.svc.cluster.local"]<br />  paths: ["/tenant-1/*"]<br /></span></font></div></div></div></foreignObject><text x="132" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 503.28 16.86 L 503.28 118 L 335 118 L 335 0 L 479.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 479.24 0 C 481.2 3.94 477.98 8.01 470.66 10.84 L 503.28 17.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 59px; margin-left: 337px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-2"]<br />to:<br />  hosts: ["*.tenant-2.svc.cluster.local"]<br />  paths: ["/tenant-2/*"]<br /></span></font></div></div></div></foreignObject><text x="337" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 300 170 L 215 118" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 360 170 L 388.11 118" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><rect x="40" y="150" width="140" height="110" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 138px; height: 1px; padding-top: 205px; margin-left: 41px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Receiver is the last place we know the "real" source.<br /><br />Sender sends "Kn-Namespace" header with the resource's namespace as value</div></div></div></foreignObject><text x="110" y="208" fill="#333333" font-family="Helvetica" font-size="10px" text-anchor="middle">Receiver is the last place w...</text></switch></g><path d="M 180 205 L 270 185" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 150 510 L 181.76 510" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 187.76 510 L 179.76 514 L 181.76 510 L 179.76 506 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><rect x="150" y="480" width="40" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 38px; height: 1px; padding-top: 485px; margin-left: 152px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>Legend<br /></b></div></div></div></foreignObject><text x="152" y="488" fill="#000000" font-family="Helvetica" font-size="10px">Legend&#xa;</text></switch></g><path d="M 150 529.89 L 181.76 529.89" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 187.76 529.89 L 179.76 533.89 L 181.76 529.89 L 179.76 525.89 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><rect x="191" y="505" width="179" height="10" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 177px; height: 1px; padding-top: 510px; margin-left: 193px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-1: all shown paths are allowed</div></div></div></foreignObject><text x="193" y="513" fill="#000000" font-family="Helvetica" font-size="10px">tenant-1: all shown paths are allow...</text></switch></g><rect x="191" y="525.5" width="599" height="64.5" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 597px; height: 1px; padding-top: 558px; margin-left: 193px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-2: <br />1) tenant-2 can call "receiver" directly and send events to resources in tenant-1 namespace.<br style="border-color: var(--border-color);" />2) tenant-2 can not call tenant-1 directly. Rejected in tenant-1 istio-proxy.<br />3) sources, triggers, and subscribers in tenant-2 namespaces can not call tenant-1 workloads. Rejected in tenant-1 istio-proxy.</div></div></div></foreignObject><text x="193" y="561" fill="#000000" font-family="Helvetica" font-size="10px">tenant-2:...</text></switch></g><path d="M 495 230 L 496.64 280.78" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 496.84 286.78 L 492.58 278.91 L 496.64 280.78 L 500.58 278.65 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 263px; margin-left: 497px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">3)</div></div></div></foreignObject><text x="497" y="266" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">3)</text></switch></g><path d="M 491 289 L 495.08 289 L 498 292.26 L 500.92 289 L 505 289 L 500.04 294.5 L 505 300 L 500.92 300 L 498 296.74 L 495.08 300 L 491 300 L 495.67 294.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 848.08 307.86 L 848.08 409 L 660 409 L 660 291 L 821.21 291 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 821.21 291 C 823.4 294.94 819.8 299.01 811.62 301.84 L 848.08 308.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 188px; height: 1px; padding-top: 350px; margin-left: 662px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["knative-eventing"]<br />when:<br />    key: request.headers[Kn-Namespace]<br />    values: ["tenant-1"]<br /></span></font></div></div></div></foreignObject><text x="662" y="353" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 657.34 345.28 L 610 340" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 188.08 346.86 L 188.08 448 L 0 448 L 0 330 L 161.21 330 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 161.21 330 C 163.4 333.94 159.8 338.01 151.62 340.84 L 188.08 347.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 188px; height: 1px; padding-top: 389px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["knative-eventing"]<br />when:<br />    key: request.headers[Kn-Namespace]<br />    values: ["tenant-2"]<br /></span></font></div></div></div></foreignObject><text x="2" y="392" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 190 389 L 250 380" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 413.52 353.12 L 427.81 351.61" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 433.78 350.98 L 426.24 355.8 L 427.81 351.61 L 425.4 347.84 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 436 344.5 L 440.08 344.5 L 443 347.76 L 445.92 344.5 L 450 344.5 L 445.04 350 L 450 355.5 L 445.92 355.5 L 443 352.24 L 440.08 355.5 L 436 355.5 L 440.67 350 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><ellipse cx="290" cy="340" rx="29.999999999999996" ry="29.999999999999996" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 340px; margin-left: 261px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>ksvc</b></div></div></div></foreignObject><text x="290" y="344" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">ksvc</text></switch></g><ellipse cx="370" cy="340" rx="29.999999999999996" ry="29.999999999999996" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 340px; margin-left: 341px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>svc</b></div></div></div></foreignObject><text x="370" y="344" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">svc</text></switch></g><ellipse cx="490" cy="350" rx="29.999999999999996" ry="29.999999999999996" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 350px; margin-left: 461px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>ksvc</b></div></div></div></foreignObject><text x="490" y="354" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">ksvc</text></switch></g><ellipse cx="570" cy="350" rx="29.999999999999996" ry="29.999999999999996" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 350px; margin-left: 541px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>svc</b></div></div></div></foreignObject><text x="570" y="354" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">svc</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.drawio.com/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="832px" height="483px" viewBox="-0.5 -0.5 832 483" content="&lt;mxfile host=&quot;app.diagrams.net&quot; modified=&quot;2023-09-18T08:31:09.203Z&quot; agent=&quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36&quot; etag=&quot;XVDfSK-4cGTArrhbSWgJ&quot; version=&quot;21.7.5&quot; type=&quot;device&quot;&gt;&#10;  &lt;diagram id=&quot;2hnf8jw7X_gOYsP6dyEq&quot; name=&quot;Eventing-sliced&quot;&gt;&#10;    &lt;mxGraphModel dx=&quot;1024&quot; dy=&quot;566&quot; grid=&quot;1&quot; gridSize=&quot;10&quot; guides=&quot;1&quot; tooltips=&quot;1&quot; connect=&quot;1&quot; arrows=&quot;1&quot; fold=&quot;1&quot; page=&quot;1&quot; pageScale=&quot;1&quot; pageWidth=&quot;850&quot; pageHeight=&quot;1100&quot; math=&quot;0&quot; shadow=&quot;0&quot;&gt;&#10;      &lt;root&gt;&#10;        &lt;mxCell id=&quot;0&quot; /&gt;&#10;        &lt;mxCell id=&quot;1&quot; parent=&quot;0&quot; /&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-1&quot; value=&quot;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;🔒 (6)&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;tenant-2&amp;lt;br&amp;gt;*.tenant-2.svc.cluster.local&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=none;dashed=1;strokeColor=#6C8EBF;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;470&quot; y=&quot;401&quot; width=&quot;150&quot; height=&quot;160&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-2&quot; value=&quot;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;🔒 (6)&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;tenant-1&amp;lt;br&amp;gt;&amp;amp;nbsp;*.tenant-1.svc.cluster.local&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=none;dashed=1;strokeColor=#82B366;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;250&quot; y=&quot;401&quot; width=&quot;160&quot; height=&quot;160&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-3&quot; value=&quot;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp; knative-eventing 🔒 (6)&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=none;dashed=1;strokeColor=#d6b656;labelPosition=center;verticalLabelPosition=top;align=center;verticalAlign=bottom;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;250&quot; y=&quot;230&quot; width=&quot;370&quot; height=&quot;150&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-4&quot; value=&quot;Receiver&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=#FFF2CC;strokeColor=#D6B656;verticalAlign=top;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;270&quot; y=&quot;250&quot; width=&quot;160&quot; height=&quot;100&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-5&quot; value=&quot;Sender&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=#FFF2CC;strokeColor=#D6B656;verticalAlign=top;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;450&quot; y=&quot;250&quot; width=&quot;160&quot; height=&quot;100&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-6&quot; value=&quot;&quot; style=&quot;endArrow=classic;html=1;entryX=0.25;entryY=1;entryDx=0;entryDy=0;fillColor=#d5e8d4;strokeColor=#82b366;strokeWidth=2;exitX=0.25;exitY=0;exitDx=0;exitDy=0;rounded=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;-VY4CKxOcDQ5oLjkxmvm-2&quot; target=&quot;-VY4CKxOcDQ5oLjkxmvm-34&quot;&gt;&#10;          &lt;mxGeometry width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;300&quot; y=&quot;401&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;302.5&quot; y=&quot;350&quot; as=&quot;targetPoint&quot; /&gt;&#10;            &lt;Array as=&quot;points&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;nxLarIpv9PMtFna3IW7v-5&quot; value=&quot;1)&quot; style=&quot;edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];&quot; vertex=&quot;1&quot; connectable=&quot;0&quot; parent=&quot;-VY4CKxOcDQ5oLjkxmvm-6&quot;&gt;&#10;          &lt;mxGeometry x=&quot;0.0068&quot; y=&quot;3&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint as=&quot;offset&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-7&quot; value=&quot;&quot; style=&quot;endArrow=classic;html=1;rounded=0;fillColor=#d5e8d4;strokeColor=#82b366;strokeWidth=2;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=1;entryY=0;entryDx=0;entryDy=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;-VY4CKxOcDQ5oLjkxmvm-36&quot; target=&quot;-VY4CKxOcDQ5oLjkxmvm-2&quot;&gt;&#10;          &lt;mxGeometry width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;580&quot; y=&quot;310&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;550&quot; y=&quot;400&quot; as=&quot;targetPoint&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;nxLarIpv9PMtFna3IW7v-6&quot; value=&quot;2)&quot; style=&quot;edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];&quot; vertex=&quot;1&quot; connectable=&quot;0&quot; parent=&quot;-VY4CKxOcDQ5oLjkxmvm-7&quot;&gt;&#10;          &lt;mxGeometry x=&quot;-0.1625&quot; y=&quot;-3&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint as=&quot;offset&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-9&quot; value=&quot;&amp;lt;b&amp;gt;AuthorizationPolicy&amp;lt;br&amp;gt;&amp;lt;/b&amp;gt;from:&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp;&amp;amp;nbsp;&amp;lt;font style=&amp;quot;font-size: 10px;&amp;quot;&amp;gt;&amp;lt;span style=&amp;quot;box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;&amp;quot; class=&amp;quot;token key atrule&amp;quot;&amp;gt;namespaces&amp;lt;/span&amp;gt;&amp;lt;span style=&amp;quot;box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;&amp;quot; class=&amp;quot;token punctuation&amp;quot;&amp;gt;:&amp;amp;nbsp;[&amp;quot;tenant-1&amp;quot;]&amp;lt;br&amp;gt;to:&amp;lt;br&amp;gt;&amp;amp;nbsp; hosts: [&amp;quot;*.tenant-1.svc.cluster.local&amp;quot;]&amp;lt;br&amp;gt;&amp;amp;nbsp; paths: [&amp;quot;/tenant-1/*&amp;quot;]&amp;lt;br&amp;gt;&amp;lt;/span&amp;gt;&amp;lt;/font&amp;gt;&quot; style=&quot;whiteSpace=wrap;html=1;shape=mxgraph.basic.document;fontSize=10;fillColor=#f8cecc;align=left;strokeColor=#b85450;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;100&quot; y=&quot;80&quot; width=&quot;170&quot; height=&quot;118&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-10&quot; value=&quot;&amp;lt;b&amp;gt;AuthorizationPolicy&amp;lt;br&amp;gt;&amp;lt;/b&amp;gt;from:&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp;&amp;amp;nbsp;&amp;lt;font style=&amp;quot;font-size: 10px;&amp;quot;&amp;gt;&amp;lt;span style=&amp;quot;box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;&amp;quot; class=&amp;quot;token key atrule&amp;quot;&amp;gt;namespaces&amp;lt;/span&amp;gt;&amp;lt;span style=&amp;quot;box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;&amp;quot; class=&amp;quot;token punctuation&amp;quot;&amp;gt;:&amp;amp;nbsp;[&amp;quot;tenant-2&amp;quot;]&amp;lt;br&amp;gt;to:&amp;lt;br&amp;gt;&amp;amp;nbsp; hosts: [&amp;quot;*.tenant-2.svc.cluster.local&amp;quot;]&amp;lt;br&amp;gt;&amp;amp;nbsp; paths: [&amp;quot;/tenant-2/*&amp;quot;]&amp;lt;br&amp;gt;&amp;lt;/span&amp;gt;&amp;lt;/font&amp;gt;&quot; style=&quot;whiteSpace=wrap;html=1;shape=mxgraph.basic.document;fontSize=10;fillColor=#f8cecc;align=left;strokeColor=#b85450;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;292&quot; y=&quot;80&quot; width=&quot;170&quot; height=&quot;118&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-11&quot; value=&quot;&quot; style=&quot;endArrow=none;html=1;rounded=0;strokeWidth=1;fontFamily=Helvetica;fontSize=10;fontColor=#000000;entryX=0.5;entryY=1;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.25;exitY=0;exitDx=0;exitDy=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;-VY4CKxOcDQ5oLjkxmvm-4&quot; target=&quot;-VY4CKxOcDQ5oLjkxmvm-9&quot;&gt;&#10;          &lt;mxGeometry width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;492&quot; y=&quot;250&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;540&quot; y=&quot;218&quot; as=&quot;targetPoint&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-12&quot; value=&quot;&quot; style=&quot;endArrow=none;html=1;rounded=0;strokeWidth=1;fontFamily=Helvetica;fontSize=10;fontColor=#000000;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;entryPerimeter=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;-VY4CKxOcDQ5oLjkxmvm-4&quot; target=&quot;-VY4CKxOcDQ5oLjkxmvm-10&quot;&gt;&#10;          &lt;mxGeometry width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;566&quot; y=&quot;249&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;420&quot; y=&quot;200&quot; as=&quot;targetPoint&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-20&quot; value=&quot;4)&quot; style=&quot;endArrow=classic;html=1;rounded=0;fillColor=#dae8fc;strokeColor=#6C8EBF;strokeWidth=2;exitX=0.5;exitY=1;exitDx=0;exitDy=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;-VY4CKxOcDQ5oLjkxmvm-37&quot;&gt;&#10;          &lt;mxGeometry x=&quot;-0.2784&quot; y=&quot;9&quot; width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;470&quot; y=&quot;310&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;430&quot; y=&quot;420&quot; as=&quot;targetPoint&quot; /&gt;&#10;            &lt;mxPoint as=&quot;offset&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-21&quot; value=&quot;&quot; style=&quot;verticalLabelPosition=bottom;verticalAlign=top;html=1;shape=mxgraph.basic.x;fillColor=#f8cecc;strokeColor=#b85450;rotation=0;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;411&quot; y=&quot;420&quot; width=&quot;14&quot; height=&quot;11&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-22&quot; value=&quot;&amp;lt;b&amp;gt;AuthorizationPolicy&amp;lt;br&amp;gt;&amp;lt;/b&amp;gt;from:&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp;&amp;amp;nbsp;&amp;lt;font style=&amp;quot;font-size: 10px;&amp;quot;&amp;gt;&amp;lt;span style=&amp;quot;box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;&amp;quot; class=&amp;quot;token key atrule&amp;quot;&amp;gt;namespaces&amp;lt;/span&amp;gt;&amp;lt;span style=&amp;quot;box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;&amp;quot; class=&amp;quot;token punctuation&amp;quot;&amp;gt;:&amp;amp;nbsp;[&amp;quot;knative-eventing&amp;quot;]&amp;lt;br&amp;gt;when:&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp; key:&amp;amp;nbsp;request.headers[Kn-Namespace]&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp; values: [&amp;quot;tenant-2&amp;quot;]&amp;lt;br&amp;gt;&amp;lt;/span&amp;gt;&amp;lt;/font&amp;gt;&quot; style=&quot;whiteSpace=wrap;html=1;shape=mxgraph.basic.document;fontSize=10;fillColor=#f8cecc;align=left;strokeColor=#b85450;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;660&quot; y=&quot;392&quot; width=&quot;190&quot; height=&quot;118&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-23&quot; value=&quot;&quot; style=&quot;endArrow=none;html=1;rounded=0;strokeWidth=1;fontFamily=Helvetica;fontSize=10;fontColor=#000000;exitX=-0.014;exitY=0.46;exitDx=0;exitDy=0;exitPerimeter=0;entryX=1;entryY=0.25;entryDx=0;entryDy=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;-VY4CKxOcDQ5oLjkxmvm-22&quot; target=&quot;-VY4CKxOcDQ5oLjkxmvm-1&quot;&gt;&#10;          &lt;mxGeometry width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;370&quot; y=&quot;281&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;410&quot; y=&quot;239&quot; as=&quot;targetPoint&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-24&quot; value=&quot;&amp;lt;b&amp;gt;AuthorizationPolicy&amp;lt;br&amp;gt;&amp;lt;/b&amp;gt;from:&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp;&amp;amp;nbsp;&amp;lt;font style=&amp;quot;font-size: 10px;&amp;quot;&amp;gt;&amp;lt;span style=&amp;quot;box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;&amp;quot; class=&amp;quot;token key atrule&amp;quot;&amp;gt;namespaces&amp;lt;/span&amp;gt;&amp;lt;span style=&amp;quot;box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;&amp;quot; class=&amp;quot;token punctuation&amp;quot;&amp;gt;:&amp;amp;nbsp;[&amp;quot;knative-eventing&amp;quot;]&amp;lt;br&amp;gt;when:&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp; key:&amp;amp;nbsp;request.headers[Kn-Namespace]&amp;lt;br&amp;gt;&amp;amp;nbsp; &amp;amp;nbsp; values: [&amp;quot;tenant-1&amp;quot;]&amp;lt;br&amp;gt;&amp;lt;/span&amp;gt;&amp;lt;/font&amp;gt;&quot; style=&quot;whiteSpace=wrap;html=1;shape=mxgraph.basic.document;fontSize=10;fillColor=#f8cecc;align=left;strokeColor=#b85450;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;20&quot; y=&quot;431&quot; width=&quot;190&quot; height=&quot;118&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-25&quot; value=&quot;&quot; style=&quot;endArrow=none;html=1;rounded=0;strokeWidth=1;fontFamily=Helvetica;fontSize=10;fontColor=#000000;exitX=1;exitY=0.5;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;-VY4CKxOcDQ5oLjkxmvm-24&quot; target=&quot;-VY4CKxOcDQ5oLjkxmvm-2&quot;&gt;&#10;          &lt;mxGeometry width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;667&quot; y=&quot;456&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;610&quot; y=&quot;451&quot; as=&quot;targetPoint&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-26&quot; value=&quot;&quot; style=&quot;endArrow=classic;html=1;rounded=0;fillColor=#dae8fc;strokeColor=#6c8ebf;strokeWidth=2;exitX=1.022;exitY=0.332;exitDx=0;exitDy=0;exitPerimeter=0;startArrow=classic;startFill=1;&quot; edge=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;0.4286&quot; y=&quot;10&quot; width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;425&quot; y=&quot;452.57&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;457.48&quot; y=&quot;450.00319148936177&quot; as=&quot;targetPoint&quot; /&gt;&#10;            &lt;mxPoint as=&quot;offset&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-27&quot; value=&quot;5)&quot; style=&quot;edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];&quot; vertex=&quot;1&quot; connectable=&quot;0&quot; parent=&quot;-VY4CKxOcDQ5oLjkxmvm-26&quot;&gt;&#10;          &lt;mxGeometry x=&quot;-0.1926&quot; y=&quot;-1&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;2&quot; y=&quot;17&quot; as=&quot;offset&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-28&quot; value=&quot;&quot; style=&quot;verticalLabelPosition=bottom;verticalAlign=top;html=1;shape=mxgraph.basic.x;fillColor=#f8cecc;strokeColor=#b85450;rotation=0;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;456&quot; y=&quot;445.5&quot; width=&quot;14&quot; height=&quot;11&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-29&quot; value=&quot;&amp;lt;b&amp;gt;ksvc&amp;lt;/b&amp;gt;&quot; style=&quot;ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#82B366;strokeColor=#000000;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;260&quot; y=&quot;421&quot; width=&quot;60&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-30&quot; value=&quot;&amp;lt;b&amp;gt;svc&amp;lt;/b&amp;gt;&quot; style=&quot;ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#82B366;strokeColor=#000000;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;335&quot; y=&quot;421&quot; width=&quot;60&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-31&quot; value=&quot;&amp;lt;b&amp;gt;ksvc&amp;lt;/b&amp;gt;&quot; style=&quot;ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#6C8EBF;strokeColor=#000000;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;480&quot; y=&quot;421&quot; width=&quot;60&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-32&quot; value=&quot;&amp;lt;b&amp;gt;svc&amp;lt;/b&amp;gt;&quot; style=&quot;ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#6C8EBF;strokeColor=#000000;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;550&quot; y=&quot;421&quot; width=&quot;60&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-33&quot; value=&quot;&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;280&quot; y=&quot;290&quot; width=&quot;100&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-34&quot; value=&quot;tenant-1&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=#82B366;strokeColor=#000000;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;280&quot; y=&quot;290&quot; width=&quot;70&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-35&quot; value=&quot;tenant-2&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=#6C8EBF;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;350&quot; y=&quot;290&quot; width=&quot;70&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-36&quot; value=&quot;tenant-1&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=#82B366;strokeColor=#000000;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;460&quot; y=&quot;290&quot; width=&quot;70&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-37&quot; value=&quot;tenant-2&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fillColor=#6C8EBF;strokeColor=#000000;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;530&quot; y=&quot;290&quot; width=&quot;70&quot; height=&quot;60&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;-VY4CKxOcDQ5oLjkxmvm-38&quot; value=&quot;&quot; style=&quot;verticalLabelPosition=bottom;verticalAlign=top;html=1;shape=mxgraph.basic.x;fillColor=#f8cecc;strokeColor=#b85450;rotation=0;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;411&quot; y=&quot;445.5&quot; width=&quot;14&quot; height=&quot;11&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;nxLarIpv9PMtFna3IW7v-1&quot; value=&quot;3)&quot; style=&quot;endArrow=classic;html=1;fillColor=#dae8fc;strokeColor=#6C8EBF;strokeWidth=2;rounded=0;exitX=0.75;exitY=0;exitDx=0;exitDy=0;entryX=0.518;entryY=1.011;entryDx=0;entryDy=0;entryPerimeter=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;-VY4CKxOcDQ5oLjkxmvm-2&quot; target=&quot;nxLarIpv9PMtFna3IW7v-2&quot;&gt;&#10;          &lt;mxGeometry x=&quot;-0.0459&quot; y=&quot;-13&quot; width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;380&quot; y=&quot;411&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;320&quot; y=&quot;370&quot; as=&quot;targetPoint&quot; /&gt;&#10;            &lt;Array as=&quot;points&quot; /&gt;&#10;            &lt;mxPoint as=&quot;offset&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;nxLarIpv9PMtFna3IW7v-2&quot; value=&quot;&quot; style=&quot;verticalLabelPosition=bottom;verticalAlign=top;html=1;shape=mxgraph.basic.x;fillColor=#f8cecc;strokeColor=#b85450;rotation=0;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;370&quot; y=&quot;350&quot; width=&quot;14&quot; height=&quot;11&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;W9SX9AfrAF1awf6IaYdS-1&quot; value=&quot;Sender sends &amp;quot;Kn-Namespace&amp;quot; header with the resource&amp;#39;s namespace as value, so that tenant&amp;#39;s proxies can allow or deny the requests&quot; style=&quot;rounded=0;whiteSpace=wrap;html=1;fontFamily=Helvetica;fontSize=10;fontColor=#333333;fillColor=#f5f5f5;strokeColor=#666666;&quot; vertex=&quot;1&quot; parent=&quot;1&quot;&gt;&#10;          &lt;mxGeometry x=&quot;680&quot; y=&quot;210&quot; width=&quot;160&quot; height=&quot;92&quot; as=&quot;geometry&quot; /&gt;&#10;        &lt;/mxCell&gt;&#10;        &lt;mxCell id=&quot;W9SX9AfrAF1awf6IaYdS-2&quot; value=&quot;&quot; style=&quot;endArrow=none;html=1;rounded=0;strokeWidth=1;fontFamily=Helvetica;fontSize=10;fontColor=#000000;exitX=0;exitY=0.5;exitDx=0;exitDy=0;&quot; edge=&quot;1&quot; parent=&quot;1&quot; source=&quot;W9SX9AfrAF1awf6IaYdS-1&quot; target=&quot;-VY4CKxOcDQ5oLjkxmvm-5&quot;&gt;&#10;          &lt;mxGeometry width=&quot;50&quot; height=&quot;50&quot; relative=&quot;1&quot; as=&quot;geometry&quot;&gt;&#10;            &lt;mxPoint x=&quot;190&quot; y=&quot;295&quot; as=&quot;sourcePoint&quot; /&gt;&#10;            &lt;mxPoint x=&quot;280&quot; y=&quot;285&quot; as=&quot;targetPoint&quot; /&gt;&#10;          &lt;/mxGeometry&gt;&#10;        &lt;/mxCell&gt;&#10;      &lt;/root&gt;&#10;    &lt;/mxGraphModel&gt;&#10;  &lt;/diagram&gt;&#10;&lt;/mxfile&gt;&#10;"><defs/><g><rect x="450" y="321" width="150" height="160" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 148px; height: 1px; padding-top: 401px; margin-left: 451px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />🔒 (6)<br /><br />tenant-2<br />*.tenant-2.svc.cluster.local</div></div></div></foreignObject><text x="525" y="405" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">🔒 (6)...</text></switch></g><rect x="230" y="321" width="160" height="160" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 401px; margin-left: 231px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />🔒 (6)<br /><br />tenant-1<br /> *.tenant-1.svc.cluster.local</div></div></div></foreignObject><text x="310" y="405" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">🔒 (6)...</text></switch></g><rect x="230" y="150" width="370" height="150" fill="none" stroke="#d6b656" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe center; width: 368px; height: 1px; padding-top: 147px; margin-left: 231px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-eventing 🔒 (6)</div></div></div></foreignObject><text x="415" y="147" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-eventing 🔒 (6)...</text></switch></g><rect x="250" y="170" width="160" height="100" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 177px; margin-left: 251px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Receiver</div></div></div></foreignObject><text x="330" y="189" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Receiver</text></switch></g><rect x="430" y="170" width="160" height="100" fill="#fff2cc" stroke="#d6b656" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 177px; margin-left: 431px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Sender</div></div></div></foreignObject><text x="510" y="189" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Sender</text></switch></g><path d="M 270 321 L 276.3 278.15" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 277.17 272.21 L 279.97 280.71 L 276.3 278.15 L 272.05 279.55 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 295px; margin-left: 271px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">1)</div></div></div></foreignObject><text x="271" y="299" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">1)</text></switch></g><path d="M 475 270 L 397.06 316.76" fill="none" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 391.92 319.85 L 396.72 312.3 L 397.06 316.76 L 400.84 319.16 Z" fill="#82b366" stroke="#82b366" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 289px; margin-left: 438px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">2)</div></div></div></foreignObject><text x="438" y="292" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">2)</text></switch></g><path d="M 248.28 16.86 L 248.28 118 L 80 118 L 80 0 L 224.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 224.24 0 C 226.2 3.94 222.98 8.01 215.66 10.84 L 248.28 17.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 59px; margin-left: 82px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-1"]<br />to:<br />  hosts: ["*.tenant-1.svc.cluster.local"]<br />  paths: ["/tenant-1/*"]<br /></span></font></div></div></div></foreignObject><text x="82" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 440.28 16.86 L 440.28 118 L 272 118 L 272 0 L 416.24 0 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 416.24 0 C 418.2 3.94 414.98 8.01 407.66 10.84 L 440.28 17.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 168px; height: 1px; padding-top: 59px; margin-left: 274px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["tenant-2"]<br />to:<br />  hosts: ["*.tenant-2.svc.cluster.local"]<br />  paths: ["/tenant-2/*"]<br /></span></font></div></div></div></foreignObject><text x="274" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 290 170 L 165 118" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 330 170 L 357 118" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 545 270 L 417.31 336.21" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 411.99 338.97 L 417.25 331.74 L 417.31 336.21 L 420.93 338.84 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 303px; margin-left: 500px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">4)</div></div></div></foreignObject><text x="500" y="307" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">4)</text></switch></g><path d="M 391 340 L 395.08 340 L 398 343.26 L 400.92 340 L 405 340 L 400.04 345.5 L 405 351 L 400.92 351 L 398 347.74 L 395.08 351 L 391 351 L 395.67 345.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 828.08 328.86 L 828.08 430 L 640 430 L 640 312 L 801.21 312 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 801.21 312 C 803.4 315.94 799.8 320.01 791.62 322.84 L 828.08 329.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 188px; height: 1px; padding-top: 371px; margin-left: 642px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["knative-eventing"]<br />when:<br />    key: request.headers[Kn-Namespace]<br />    values: ["tenant-2"]<br /></span></font></div></div></div></foreignObject><text x="642" y="374" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 637.34 366.28 L 600 361" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 188.08 367.86 L 188.08 469 L 0 469 L 0 351 L 161.21 351 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 161.21 351 C 163.4 354.94 159.8 359.01 151.62 361.84 L 188.08 368.22" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe flex-start; width: 188px; height: 1px; padding-top: 410px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>AuthorizationPolicy<br /></b>from:<br />    <font style="font-size: 10px;"><span class="token key atrule" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">namespaces</span><span class="token punctuation" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; line-height: inherit; vertical-align: baseline;">: ["knative-eventing"]<br />when:<br />    key: request.headers[Kn-Namespace]<br />    values: ["tenant-1"]<br /></span></font></div></div></div></foreignObject><text x="2" y="413" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="10px">AuthorizationPolicy...</text></switch></g><path d="M 190 410 L 230 401" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 413.21 371.92 L 429.27 370.65" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 407.23 372.39 L 414.89 367.78 L 413.21 371.92 L 415.52 375.75 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><path d="M 435.25 370.18 L 427.59 374.8 L 429.27 370.65 L 426.96 366.82 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 390px; margin-left: 420px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">5)</div></div></div></foreignObject><text x="420" y="393" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">5)</text></switch></g><path d="M 436 365.5 L 440.08 365.5 L 443 368.76 L 445.92 365.5 L 450 365.5 L 445.04 371 L 450 376.5 L 445.92 376.5 L 443 373.24 L 440.08 376.5 L 436 376.5 L 440.67 371 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><ellipse cx="270" cy="371" rx="30.000000000000004" ry="30.000000000000004" fill="#82b366" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 371px; margin-left: 241px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>ksvc</b></div></div></div></foreignObject><text x="270" y="375" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">ksvc</text></switch></g><ellipse cx="345" cy="371" rx="30.000000000000004" ry="30.000000000000004" fill="#82b366" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 371px; margin-left: 316px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>svc</b></div></div></div></foreignObject><text x="345" y="375" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">svc</text></switch></g><ellipse cx="490" cy="371" rx="30.000000000000004" ry="30.000000000000004" fill="#6c8ebf" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 371px; margin-left: 461px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>ksvc</b></div></div></div></foreignObject><text x="490" y="375" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">ksvc</text></switch></g><ellipse cx="560" cy="371" rx="30.000000000000004" ry="30.000000000000004" fill="#6c8ebf" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 58px; height: 1px; padding-top: 371px; margin-left: 531px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>svc</b></div></div></div></foreignObject><text x="560" y="375" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">svc</text></switch></g><rect x="260" y="210" width="100" height="60" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all"/><rect x="260" y="210" width="70" height="60" fill="#82b366" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 68px; height: 1px; padding-top: 240px; margin-left: 261px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-1</div></div></div></foreignObject><text x="295" y="244" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1</text></switch></g><rect x="330" y="210" width="70" height="60" fill="#6c8ebf" stroke="rgb(0, 0, 0)" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 68px; height: 1px; padding-top: 240px; margin-left: 331px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-2</div></div></div></foreignObject><text x="365" y="244" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2</text></switch></g><rect x="440" y="210" width="70" height="60" fill="#82b366" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 68px; height: 1px; padding-top: 240px; margin-left: 441px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-1</div></div></div></foreignObject><text x="475" y="244" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1</text></switch></g><rect x="510" y="210" width="70" height="60" fill="#6c8ebf" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 68px; height: 1px; padding-top: 240px; margin-left: 511px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">tenant-2</div></div></div></foreignObject><text x="545" y="244" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2</text></switch></g><path d="M 391 365.5 L 395.08 365.5 L 398 368.76 L 400.92 365.5 L 405 365.5 L 400.04 371 L 405 376.5 L 400.92 376.5 L 398 373.24 L 395.08 376.5 L 391 376.5 L 395.67 371 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 350 321 L 355.78 289.22" fill="none" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 356.85 283.32 L 359.36 291.91 L 355.78 289.22 L 351.49 290.48 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-width="2" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 304px; margin-left: 366px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">3)</div></div></div></foreignObject><text x="366" y="308" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">3)</text></switch></g><path d="M 350 270 L 354.08 270 L 357 273.26 L 359.92 270 L 364 270 L 359.04 275.5 L 364 281 L 359.92 281 L 357 277.74 L 354.08 281 L 350 281 L 354.67 275.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><rect x="660" y="130" width="160" height="92" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 176px; margin-left: 661px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 10px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Sender sends "Kn-Namespace" header with the resource's namespace as value, so that tenant's proxies can allow or deny the requests</div></div></div></foreignObject><text x="740" y="179" fill="#333333" font-family="Helvetica" font-size="10px" text-anchor="middle">Sender sends "Kn-Namespace" head...</text></switch></g><path d="M 660 176 L 590 196.53" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.drawio.com/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
diff --git a/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc b/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc
index 1d3d7a82..df8362ab 100644
--- a/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc
+++ b/modules/serverless/pages/service-mesh/common-service-mesh-network-isolation.adoc
@@ -26,6 +26,13 @@ image::service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg[]
 
 image::service-mesh/multi-tenancy-service-mesh-Eventing.drawio.svg[]
 
+. Workloads in tenant-1 project can send events to Eventing brokers, channels, and sinks endpoints in the tenant-1 project.
+. Eventing sources, triggers and subscriptions in project tenant-1 can send events to workloads in project tenant-1.
+. Workloads in tenant-1 project can _not_ send events to Eventing brokers, channels, and sinks endpoints in the tenant-2 project.
+. Eventing sources, triggers and subscriptions in project tenant-2 can _not_ send events to workloads in project tenant-1.
+. Workloads in project tenant-1 can not call workloads in project tenant-2 as well as workloads in project tenant-2 can not call workloads in project tenant-1.
+. 🔒 `AuthorizationPolicies` are applied in this project
+
 .Prerequisites
 
 * You have access to an {product-title} account with cluster administrator access.

From 7ccf02e64356620dd70c4397f757cb8b78d006c3 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Mon, 18 Sep 2023 10:54:35 +0200
Subject: [PATCH 20/20] add authorization policy symbol to tenant-2

---
 .../service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg b/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
index 8d977857..58821456 100644
--- a/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
+++ b/modules/serverless/assets/images/service-mesh/multi-tenancy-service-mesh-Serving.drawio.svg
@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- Do not edit this file with editors other than diagrams.net -->
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="397px" height="271px" viewBox="-0.5 -0.5 397 271" content="&lt;mxfile host=&quot;drawio-plugin&quot; modified=&quot;2023-08-29T05:53:06.924Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36&quot; etag=&quot;cfbwgYSIrnLQLHb-djBk&quot; version=&quot;20.5.3&quot; type=&quot;embed&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Page-1&quot;&gt;7VvbbuM2EP2WPghIHmRQN0p6TLJXtAVSBGizj7RE20Rk0aXo2N6vLymRtkTJXtnxbbdJC6w0vIiaMzM8M5Qt72G6/MzQbPInTXFmuSBdWt4Hy3Ud6LqW/B+kKyUJYFRJxoykSrYRPJHvWAmBks5JiotGR05pxsmsKUxonuOEN2SIMbpodhvRrPnUGRrjluApQVlb+g9J+aSSRgHYyL9gMp7oJztAtUyR7qwExQSldFETeR8t74FRyqur6fIBZ1J7Wi/VuE9bWtcLYzjnvQaodbyibK5eznJhJsbeD5m4Gsurc0o4zlHObfEiEE1nQpAPi1nZE1ifgBV/smLfiuWSb/xbpUO+0sAwOs9TLN8NiDGLCeH4aYYS2boQtihkEz7NxJ0jLkckyx5oRpm4z2kuOt2nqJiUw2V7wRl9wbqH5XqRO/QgLBdjalkp/hUzjpc1kdL6Z0ynmLOV6KJa7UCrfqUF2kgWG5NyoJJN6uakjQcpMx6vZ98gLS4U2FuAd64TePfMmMIkwsPRkTANwUUxjS8Nactj26KXHHHyiu0Cs1eSj6/RzWH5J0fSnNfk1d+p3B8GfU3FOYKpRBc1FVJwQu1iVXA8/RXBbcWB84LrtcD9KhUuRF/zMcNFUbmmAcpnxPECrY6Hh9DqKJD/XQwHGJk4eB04uB04wCPA4LdguEtE7EOcsi4nkbGvxOmR0eUvBYMfBReEAW4PdVr5vz/9/aCFYrrhBpQGIqAC6a85nuNukMSTRQ6CfwwQKmZVYjIiSwmqiViKcDRKTk5YIDQcxI/byEQdwERHACbcD5j2hlKH6lI4BThK/ZMnC354QZycLg8yFZqndzKxFndJhoqCJE09NqOXGZ6iBCedxj6MAj8A6xadbDu71IrTRvK+ValgAGLgNtQat3QadOhUyxjOSi7beHqXotUSHikRS61RQHN3Eq868J148webcxZ0zhKspqkn9ebMfuS0Zm5OxREbY75jKt2RjkYFbvQpzWWtzn4huJ2Z3DhtWi+R+wMNcWb4YEbGuTQsgTQWhnEvHYckKLtTDVOSpnKOe8FtyHc0LOeTVjOTL1O+SHBvBR+6rUZbt+mN6/KRmtCqV2i6DcrxA9hQvPM2SzkqCE4X5z+mG2NHRMOwy41jGHoIdrqxwIGtnsWNLfwR+FryTT5i4EXrLh+W6qHV3ap+94gZEYqQtlEKt4aGyoEatKByhAZh6xtAxIqdwG0CbsPzhpDYDCFmwO8dMwLfrF2YJYnzxgz99Csz1yXhz7Xryk7dQN1urFTeNIz0uX5TH7bDunsZsne4IZ/LSgMzDQPBoTtbaKYS5lRbrPQACwzbebRmnmIWJDeICWKFUjr8dy6L9vdzPrKjza3JWYsZyhtGrDsmlf3dSX2PhzdCY2KBQP9zW2UjMkuzR2hKslXV9QvOXrHcDGvtRXleIlsdZ7asN1QPlS05ZVOU1dpeESOy/iq2VMTnTJ6u7OyXoNm2LgtlQrLRB5UdgwxzEaBt8fqJLPu1RlI2m6BcTelWMrEfc1vt/lK8JgC6jQjvztWTgH7VsoUzMdlIzK+fVJaGKpMvj39qj1lQljYXtp5LvMvwhYjp5JxVNLCV0zT6DVHyMi6jjW3g6AZBBWH94ra20hQnlAn3ornNJyR5yWV9phxOcsKJ1o/Zt4blzn615TT6jTKKuKmclBSzDK1094yIBhf8RqYzyjjKlR0bln3j3dYSssq+tc1fA8FbbyRHIHgg1OHmKihdR4mppXOty1Lvj7Qg0ixE05ByTqcdyubUyIGLCZrJyabLsTzPHQyR2GgHy4PyOEY5UgvYucHtVV3yDQ4UBIOgRcMcv73BOTtw65sdu8HPw1N60pQ16f7WYCVv4Ch+m6OE+5Ft4XtRGDWAds5LtU0Ss+bebycxraneQLWFocki/rqHCpHbX8wziT8EYPf6WyN07rBxmWoVBzOvrrj2zrzemdc78/qpmJfeGo/AvFwQNmu19jXV1ryuTy/+b0TMgwYRg6BdDTsVDfNPXd3scSLXl4aFu3lYL0bl7UufAhh7ZyVMPowHps8GQTyI/UNpEzRm86P4aLTpAKf3f2ant72g09TWfrRHAgaNGnjX4eSp/D5sl4lv3Cs5Wtqqy0OOloyTpava/rRjviX4HlwkP2a6DKz+6XJzt+gVtDvOnPaO474TGGGw42OaU8b19jcj5uFy74je/j4L9EuE905yQ3fLoreurTUCOoHhJrUk90SOFbYdqyT91xDd1k5/hOjmAaO2415TdDtChW9bdAv3jG5vYqHv0a1HdPOigRv5bui4figYp/khDTSavUNDn/lFV9+DzP1Dn/mluQ9/FPpaP02JLhD6tv9A5b0G+F4DtN5rgFUN0L3uGiA8Yg0QeGGzwnTBHEjcbn6lWXXf/NjV+/gf&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="218" y="150" width="160" height="120" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 210px; margin-left: 219px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1  🔒 (4)</div></div></div></foreignObject><text x="298" y="214" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1  🔒 (4)...</text></switch></g><rect x="28" y="150" width="160" height="120" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 210px; margin-left: 29px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2</div></div></div></foreignObject><text x="108" y="214" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2...</text></switch></g><rect x="218" y="0" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 55px; margin-left: 219px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-serving  🔒 (4)</div></div></div></foreignObject><text x="298" y="59" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-serving  🔒 (4)...</text></switch></g><rect x="28" y="0" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 55px; margin-left: 29px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />istio-system</div></div></div></foreignObject><text x="108" y="59" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">istio-system...</text></switch></g><rect x="48" y="20" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 50px; margin-left: 49px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Istio Ingress <br />Gateway</div></div></div></foreignObject><text x="108" y="54" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Istio Ingress...</text></switch></g><rect x="243" y="20" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 50px; margin-left: 244px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator<br />+ IstioProxy</div></div></div></foreignObject><text x="303" y="54" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator...</text></switch></g><ellipse cx="108" cy="200" rx="40" ry="40" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 200px; margin-left: 69px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC</b> IstioProxy + QueueProxy</div></div></div></foreignObject><text x="108" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC IstioPro...</text></switch></g><ellipse cx="298" cy="200" rx="40" ry="40" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 200px; margin-left: 259px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC<br /></b>IstioProxy + QueueProxy</div></div></div></foreignObject><text x="298" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC...</text></switch></g><path d="M 148 199.58 L 240.63 199.97" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 245.88 200 L 238.87 203.47 L 240.63 199.97 L 238.9 196.47 Z" fill="#b85450" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 199px; margin-left: 205px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(1)</div></div></div></foreignObject><text x="205" y="202" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(1)</text></switch></g><path d="M 134.03 169.63 L 238.38 47.7" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 241.79 43.71 L 239.9 51.3 L 238.38 47.7 L 234.58 46.75 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 168 35 L 236.63 35" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 241.88 35 L 234.88 38.5 L 236.63 35 L 234.88 31.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 35px; margin-left: 208px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(3)</span></div></div></div></foreignObject><text x="208" y="39" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 244 194.5 L 248.08 194.5 L 251 197.76 L 253.92 194.5 L 258 194.5 L 253.04 200 L 258 205.5 L 253.92 205.5 L 251 202.24 L 248.08 205.5 L 244 205.5 L 248.67 200 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 363 50 L 388 50 L 388 110 L 330.79 167.21" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 327.07 170.93 L 329.55 163.5 L 330.79 167.21 L 334.5 168.45 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 123px; margin-left: 374px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(3)</span></div></div></div></foreignObject><text x="374" y="126" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 364 44 L 368.08 44 L 371 47.26 L 373.92 44 L 378 44 L 373.04 49.5 L 378 55 L 373.92 55 L 371 51.74 L 368.08 55 L 364 55 L 368.67 49.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 168 65 L 261.45 156.54" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 265.2 160.22 L 257.75 157.82 L 261.45 156.54 L 262.65 152.82 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 262 160 L 266.08 160 L 269 163.26 L 271.92 160 L 276 160 L 271.04 165.5 L 276 171 L 271.92 171 L 269 167.74 L 266.08 171 L 262 171 L 266.67 165.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-35,269,165.5)" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 121px; margin-left: 224px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(2)</div></div></div></foreignObject><text x="224" y="125" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(2)</text></switch></g><path d="M 68 200 L 8 200 L 8 35 L 41.63 35" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 46.88 35 L 39.88 38.5 L 41.63 35 L 39.88 31.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 87px; margin-left: 6px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(3)</div></div></div></foreignObject><text x="6" y="90" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 68 200 L 18 190 L 18 65 L 41.63 65" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 46.88 65 L 39.88 68.5 L 41.63 65 L 39.88 61.5 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 134px; margin-left: 17px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(2)</span></div></div></div></foreignObject><text x="17" y="138" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(2)</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="397px" height="271px" viewBox="-0.5 -0.5 397 271" content="&lt;mxfile host=&quot;drawio-plugin&quot; modified=&quot;2023-09-18T08:53:54.199Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36&quot; etag=&quot;A9Qqve1jsv8ZkComIH1L&quot; version=&quot;20.5.3&quot; type=&quot;embed&quot;&gt;&lt;diagram id=&quot;SIUPIMZeMRZCnwsOkFFw&quot; name=&quot;Page-1&quot;&gt;7VtLc6M4EP4te6AqOeASLwHHJPOs3a3K1lTtzhxlkG1VMGKFHNvz61cCyQaBPdixY89sMoeB1gPRX3fr6xa2vIf56iNDxexPmuLMckG6srx3lus6nh+K/6RkrSR+CGvJlJFUybaCL+Q7VkKgpAuS4rLVkVOacVK0hQnNc5zwlgwxRpftbhOatZ9aoCnuCL4kKOtK/yEpn9XSKABb+SdMpjP9ZAeoljnSnZWgnKGULhsi773lPTBKeX01Xz3gTGpP66Ue92FH62ZhDOd80AC1jmeULdTLWS7MxNj7MRNXU3n1mhKOc5RzW7wIRPNCCPJxWVQ9gfUBWPEHK/atWC75xr9VOuRrDQyjizzF8t2AGLOcEY6/FCiRrUthi0I24/NM3DnickKy7IFmlIn7nOai032Kylk1XLaXnNEnrHtYrhe5Yw/CajGmlpXinzHjeNUQKa1/xHSOOVuLLqrVDrTq11qgjWS5NSkHKtmsaU7aeJAy4+lm9i3S4kKBvQN45zqBd68ReJhEeDw5EfAhuCjw8aVx76DbFT3liJNnbJeYPZN8epUmUf3JkTTnDXn9d64YAYOhpuKcwFSii5oKKTmhdrkuOZ7/iuB24sDrgut1wP0sFS5En/Mpw2VZu6YBykfE8RKtT4eH0OokkP8uhgOMTBy8HhzcHhzgCWDwOzDcJSL2IU5Zn5PI2Ffh9Mjo6peCwY+CC8IAd4c6rfzfv/z9oIViuvEWlBYioAbprwVe4H6QxJNFooJ/DBAqizp7mZCVBNVELEU4miRnJywQGg7ix11koh5gohMAEx4GTHdDaUJ1KZwCHKX+2TMKP7wgTk6fB5kKzdM7mX2LuyRDZUmSth7b0csMT1GCk15jH0eBH4BNi87InX1qxWkrw9+pVDACMXBbao07Og16dKplDGcVl209vU/RagmPlIilNiiguTuJVx35Trz9g+05S7pgCVbTNDN/c2Y/cjozt6fiiE0x3zOV7kgnkxK3+lTmslHnsBDczUxunC6tl8j9gcY4M3wwI9NcGpZAGgvDuJeOQxKU3amGOUlTOce94DbkOxpX80mrKeTLVC8S3FvBu36r0dZteuOmxqQmtJplnH6DcvwAthTvvMxSTgqC08f5T+nG2BHRMOxz4xiGHoK9bixwYOuv4sYW/gh8LfkmHzHyok2Xdyv10Ppu3bx7xIwIRUjbqIQ7Q0PtQC1aUDtCi7ANDSBixU7gtgG34euGkNgMIWbAHxwzAt+sXZglideNGfrpV2auK8K/Nq5rO3UDdbu1UnnTMtKvzZvmsD3WPciQveMN+bWsNDDTMBAcu7OFZiphTrXDSo+wwLCbR2vmKWZBcoOYIVYqpcN/F7Kyf7/gEzva3pqctSxQ3jJi3TGp7e9O6ns6vhEaEwsE+r/bOhuRWZo9QXOSreuun3D2jOVm2Ggvq0MV2eo4xarZUD9UtuSUzVHWaHtGjMgirdhSEV8weQSzt1+Cil1dlsqEZKMPajsGGeYiQNvi9RNZ9uuMpKyYoVxN6dYysR9zW+3+UrwhALqNCO/O1ZOAftWqhTMx2UTMr59UlYZqk6/OiBqPWVKWthe2mUu8y/iJiOnknHU0sJXTtPqNUfI0raKNbeDoBkENYfPitrHSFCeUCfeiuc1nJHnKZX2mGk5ywonWj9m3geXefo3ltPpNMoq4qZyUlEWG1rp7RkSDC34j84IyjnJlx4Zl33i3jYSstm9t89dA8DYbyQkIHgh1uLkKStdTYuroXOuy0vsjLYk0C9E0ppzTeY+yOTVy4HKGCjnZfDWVh76jMRIb7Wh1VB7HKEdqAXs3uIOqS77BgYJgFHRomON3NzhnD25Ds2M3+Hl4ykCasiHd31qs5AUcxe9ylPAwsi18LwqjFtDO61Jtk8RsuPfLSUxnqhdQbWFosoi/6aFC5O4X80ziDwHYv/7OCJ07bF2mXsXRzKsvrr0xrzfm9ca8firmpbfGEzAvF4TtWq19TbU1r+/Ti/8bEfOgQcQg6FbDzkXD/HNXNwecyA2lYeF+HjaIUXmH0qcAxt6rEiYfxiPTZ4MgHsX+sbQJGrP5UXwy2nSE0/s/s9PbXtBrahs/OiABg0YNvO9w8lx+H3bLxDfulRwt7dTlMUdLxsnSVW1/2jFfEnyPLpKfMl0G1vB0ub1bDAraPWdOB8dx3wmMMNjzMc0543r3mxHzcHlwRO9+nwWGJcIHJ7mhu2PRO9fWGQGdwHCTRpJ7JscKu45Vkf5riG4bpz9BdPOAUdtxrym6naDCtyu6hQdGtxex0LfoNiC6edHIjXw3dFw/FIzT/JAGGs3esaHP/KJr6EHm4aHP/NLchz8KfZ3fr0QXCH27f8XyVgN8qwFabzXAugboXncNEJ6wBgi8sF1humAOJG63P+Wsu29/Eeu9/w8=&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="218" y="150" width="160" height="120" fill="none" stroke="#82b366" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 210px; margin-left: 219px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-1  🔒 (4)</div></div></div></foreignObject><text x="298" y="214" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-1  🔒 (4)...</text></switch></g><rect x="28" y="150" width="160" height="120" fill="none" stroke="#6c8ebf" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 210px; margin-left: 29px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br /><br />tenant-2  🔒 (4)</div></div></div></foreignObject><text x="108" y="214" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">tenant-2  🔒 (4)...</text></switch></g><rect x="218" y="0" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 55px; margin-left: 219px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />    knative-serving  🔒 (4)</div></div></div></foreignObject><text x="298" y="59" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">knative-serving  🔒 (4)...</text></switch></g><rect x="28" y="0" width="160" height="110" fill="none" stroke="#666666" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 55px; margin-left: 29px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><br /><br /><br /><br /><br /><br />istio-system</div></div></div></foreignObject><text x="108" y="59" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">istio-system...</text></switch></g><rect x="48" y="20" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 50px; margin-left: 49px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Istio Ingress <br />Gateway</div></div></div></foreignObject><text x="108" y="54" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Istio Ingress...</text></switch></g><rect x="243" y="20" width="120" height="60" fill="#f5f5f5" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 50px; margin-left: 244px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Activator<br />+ IstioProxy</div></div></div></foreignObject><text x="303" y="54" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">Activator...</text></switch></g><ellipse cx="108" cy="200" rx="40" ry="40" fill="#dae8fc" stroke="#6c8ebf" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 200px; margin-left: 69px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC</b> IstioProxy + QueueProxy</div></div></div></foreignObject><text x="108" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC IstioPro...</text></switch></g><ellipse cx="298" cy="200" rx="40" ry="40" fill="#d5e8d4" stroke="#82b366" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 200px; margin-left: 259px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b>KSVC<br /></b>IstioProxy + QueueProxy</div></div></div></foreignObject><text x="298" y="204" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">KSVC...</text></switch></g><path d="M 148 199.58 L 240.63 199.97" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 245.88 200 L 238.87 203.47 L 240.63 199.97 L 238.9 196.47 Z" fill="#b85450" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 199px; margin-left: 205px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(1)</div></div></div></foreignObject><text x="205" y="202" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(1)</text></switch></g><path d="M 134.01 169.61 L 238.38 47.7" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 241.79 43.71 L 239.9 51.3 L 238.38 47.7 L 234.58 46.75 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 168 35 L 236.63 35" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 241.88 35 L 234.88 38.5 L 236.63 35 L 234.88 31.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 35px; margin-left: 208px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(3)</span></div></div></div></foreignObject><text x="208" y="38" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 244 194.5 L 248.08 194.5 L 251 197.76 L 253.92 194.5 L 258 194.5 L 253.04 200 L 258 205.5 L 253.92 205.5 L 251 202.24 L 248.08 205.5 L 244 205.5 L 248.67 200 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 363 50 L 388 50 L 388 110 L 330.79 167.21" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 327.07 170.93 L 329.55 163.5 L 330.79 167.21 L 334.5 168.45 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 123px; margin-left: 374px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(3)</span></div></div></div></foreignObject><text x="374" y="126" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 364 44 L 368.08 44 L 371 47.26 L 373.92 44 L 378 44 L 373.04 49.5 L 378 55 L 373.92 55 L 371 51.74 L 368.08 55 L 364 55 L 368.67 49.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="all"/><path d="M 168 65 L 261.45 156.54" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 265.2 160.22 L 257.75 157.82 L 261.45 156.54 L 262.65 152.82 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><path d="M 262 160 L 266.08 160 L 269 163.26 L 271.92 160 L 276 160 L 271.04 165.5 L 276 171 L 271.92 171 L 269 167.74 L 266.08 171 L 262 171 L 266.67 165.5 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" transform="rotate(-35,269,165.5)" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 121px; margin-left: 224px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(2)</div></div></div></foreignObject><text x="224" y="125" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(2)</text></switch></g><path d="M 68 200 L 8 200 L 8 35 L 41.63 35" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 46.88 35 L 39.88 38.5 L 41.63 35 L 39.88 31.5 Z" fill="#9673a6" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 87px; margin-left: 6px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">(3)</div></div></div></foreignObject><text x="6" y="90" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(3)</text></switch></g><path d="M 68 200 L 18 190 L 18 65 L 41.63 65" fill="none" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 46.88 65 L 39.88 68.5 L 41.63 65 L 39.88 61.5 Z" fill="#6c8ebf" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 134px; margin-left: 17px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 11px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: center; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important;">(2)</span></div></div></div></foreignObject><text x="17" y="137" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">(2)</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file