rbacv3


Constants

// Permission_AndRules_case is the WhichRule result when Permission.Rule holds a *Permission_AndRules.
const Permission_AndRules_case case_Permission_Rule = 1
// Permission_Any_case is the WhichRule result when Permission.Rule holds a *Permission_Any.
const Permission_Any_case case_Permission_Rule = 3
// Permission_DestinationIp_case is the WhichRule result when Permission.Rule holds a *Permission_DestinationIp.
const Permission_DestinationIp_case case_Permission_Rule = 5
// Permission_DestinationPortRange_case is the WhichRule result when Permission.Rule holds a *Permission_DestinationPortRange.
const Permission_DestinationPortRange_case case_Permission_Rule = 11
// Permission_DestinationPort_case is the WhichRule result when Permission.Rule holds a *Permission_DestinationPort.
const Permission_DestinationPort_case case_Permission_Rule = 6
// Permission_Header_case is the WhichRule result when Permission.Rule holds a *Permission_Header.
const Permission_Header_case case_Permission_Rule = 4
// Permission_Matcher_case is the WhichRule result when Permission.Rule holds a *Permission_Matcher.
const Permission_Matcher_case case_Permission_Rule = 12
// Permission_Metadata_case is the WhichRule result when Permission.Rule holds a *Permission_Metadata.
const Permission_Metadata_case case_Permission_Rule = 7
// Permission_NotRule_case is the WhichRule result when Permission.Rule holds a *Permission_NotRule.
const Permission_NotRule_case case_Permission_Rule = 8
// Permission_OrRules_case is the WhichRule result when Permission.Rule holds a *Permission_OrRules.
const Permission_OrRules_case case_Permission_Rule = 2
// Permission_RequestedServerName_case is the WhichRule result when Permission.Rule holds a *Permission_RequestedServerName.
const Permission_RequestedServerName_case case_Permission_Rule = 9
// Permission_Rule_not_set_case is the WhichRule result when no Rule arm has been set.
const Permission_Rule_not_set_case case_Permission_Rule = 0
// Permission_UrlPath_case is the WhichRule result when Permission.Rule holds a *Permission_UrlPath.
const Permission_UrlPath_case case_Permission_Rule = 10
// Principal_AndIds_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_AndIds.
const Principal_AndIds_case case_Principal_Identifier = 1
// Principal_Any_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_Any.
const Principal_Any_case case_Principal_Identifier = 3
// Principal_Authenticated_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_Authenticated_.
const Principal_Authenticated_case case_Principal_Identifier = 4
// Principal_DirectRemoteIp_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_DirectRemoteIp.
const Principal_DirectRemoteIp_case case_Principal_Identifier = 10
// Principal_FilterState_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_FilterState.
const Principal_FilterState_case case_Principal_Identifier = 12
// Principal_Header_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_Header.
const Principal_Header_case case_Principal_Identifier = 6
// Principal_Identifier_not_set_case is the WhichIdentifier result when no Identifier arm has been set.
const Principal_Identifier_not_set_case case_Principal_Identifier = 0
// Principal_Metadata_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_Metadata.
const Principal_Metadata_case case_Principal_Identifier = 7
// Principal_NotId_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_NotId.
const Principal_NotId_case case_Principal_Identifier = 8
// Principal_OrIds_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_OrIds.
const Principal_OrIds_case case_Principal_Identifier = 2
// Principal_RemoteIp_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_RemoteIp.
const Principal_RemoteIp_case case_Principal_Identifier = 11
// Principal_SourceIp_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_SourceIp.
// The source_ip arm is deprecated in the proto (see Principal.GetSourceIp); prefer remote_ip or direct_remote_ip.
const Principal_SourceIp_case case_Principal_Identifier = 5
// Principal_UrlPath_case is the WhichIdentifier result when Principal.Identifier holds a *Principal_UrlPath.
const Principal_UrlPath_case case_Principal_Identifier = 9

Variables

var (
	// RBAC_Action_name maps each RBAC_Action enum number to its proto name.
	RBAC_Action_name = map[int32]string{
		0: "ALLOW",
		1: "DENY",
		2: "LOG",
	}
	// RBAC_Action_value is the inverse of RBAC_Action_name: proto name to enum number.
	RBAC_Action_value = map[string]int32{
		"ALLOW": 0,
		"DENY":  1,
		"LOG":   2,
	}
)

Enum value maps for RBAC_Action.

var (
	// RBAC_AuditLoggingOptions_AuditCondition_name maps each audit-condition enum
	// number to its proto name (which decisions trigger audit logging).
	RBAC_AuditLoggingOptions_AuditCondition_name = map[int32]string{
		0: "NONE",
		1: "ON_DENY",
		2: "ON_ALLOW",
		3: "ON_DENY_AND_ALLOW",
	}
	// RBAC_AuditLoggingOptions_AuditCondition_value is the inverse map: proto name to enum number.
	RBAC_AuditLoggingOptions_AuditCondition_value = map[string]int32{
		"NONE":              0,
		"ON_DENY":           1,
		"ON_ALLOW":          2,
		"ON_DENY_AND_ALLOW": 3,
	}
)

Enum value maps for RBAC_AuditLoggingOptions_AuditCondition.

// File_envoy_config_rbac_v3_rbac_proto is the protoreflect descriptor for envoy/config/rbac/v3/rbac.proto.
var File_envoy_config_rbac_v3_rbac_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type Action

// Action is the result attached to a matched RBAC matcher entry: the policy
// name plus the RBAC_Action (ALLOW, DENY or LOG) to apply to the request.
type Action struct {

	// The name indicates the policy name.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The action to take if the matcher matches. Every action either allows or denies a request,
	// and can also carry out action-specific operations.
	//
	// Actions:
	//
	//   - `ALLOW`: If the request gets matched on ALLOW, it is permitted.
	//   - `DENY`: If the request gets matched on DENY, it is not permitted.
	//   - `LOG`: If the request gets matched on LOG, it is permitted. In addition, the
	//     dynamic metadata key `access_log_hint` under the shared key namespace
	//     `envoy.common` will be set to the value `true`.
	//   - If the request cannot be matched, it falls back to `DENY` (default deny).
	//
	// Log behavior:
	//
	//	If the RBAC matcher contains at least one LOG action, the dynamic
	//	metadata key `access_log_hint` will be set based on whether the request
	//	was matched on the LOG action.
	Action RBAC_Action `protobuf:"varint,2,opt,name=action,proto3,enum=envoy.config.rbac.v3.RBAC_Action" json:"action,omitempty"`
	// contains filtered or unexported fields
}

Action defines the result of allowance or denial when a request matches the matcher.

func (*Action) GetAction

func (x *Action) GetAction() RBAC_Action

func (*Action) GetName

func (x *Action) GetName() string

func (*Action) ProtoMessage

func (*Action) ProtoMessage()

func (*Action) ProtoReflect

func (x *Action) ProtoReflect() protoreflect.Message

func (*Action) Reset

func (x *Action) Reset()

func (*Action) SetAction

func (x *Action) SetAction(v RBAC_Action)

func (*Action) SetName

func (x *Action) SetName(v string)

func (*Action) String

func (x *Action) String() string

type Action_builder

// Action_builder is the builder form of Action; populate the fields and call
// Build to obtain the assembled *Action.
type Action_builder struct {

	// The name indicates the policy name.
	Name string
	// The action to take if the matcher matches. Every action either allows or denies a request,
	// and can also carry out action-specific operations.
	//
	// Actions:
	//
	//   - `ALLOW`: If the request gets matched on ALLOW, it is permitted.
	//   - `DENY`: If the request gets matched on DENY, it is not permitted.
	//   - `LOG`: If the request gets matched on LOG, it is permitted. In addition, the
	//     dynamic metadata key `access_log_hint` under the shared key namespace
	//     `envoy.common` will be set to the value `true`.
	//   - If the request cannot be matched, it falls back to `DENY` (default deny).
	//
	// Log behavior:
	//
	//	If the RBAC matcher contains at least one LOG action, the dynamic
	//	metadata key `access_log_hint` will be set based on whether the request
	//	was matched on the LOG action.
	Action RBAC_Action
	// contains filtered or unexported fields
}

func (Action_builder) Build

func (b0 Action_builder) Build() *Action

type Permission

// Permission is one rule of an RBAC policy. Rule holds at most one of the arms
// listed below; WhichRule reports which one (Permission_Rule_not_set_case when none).
type Permission struct {

	// Types that are valid to be assigned to Rule:
	//
	//	*Permission_AndRules
	//	*Permission_OrRules
	//	*Permission_Any
	//	*Permission_Header
	//	*Permission_UrlPath
	//	*Permission_DestinationIp
	//	*Permission_DestinationPort
	//	*Permission_DestinationPortRange
	//	*Permission_Metadata
	//	*Permission_NotRule
	//	*Permission_RequestedServerName
	//	*Permission_Matcher
	Rule isPermission_Rule `protobuf_oneof:"rule"`
	// contains filtered or unexported fields
}

Permission defines an action (or actions) that a principal can take. [#next-free-field: 13]

func (*Permission) ClearAndRules

func (x *Permission) ClearAndRules()

func (*Permission) ClearAny

func (x *Permission) ClearAny()

func (*Permission) ClearDestinationIp

func (x *Permission) ClearDestinationIp()

func (*Permission) ClearDestinationPort

func (x *Permission) ClearDestinationPort()

func (*Permission) ClearDestinationPortRange

func (x *Permission) ClearDestinationPortRange()

func (*Permission) ClearHeader

func (x *Permission) ClearHeader()

func (*Permission) ClearMatcher

func (x *Permission) ClearMatcher()

func (*Permission) ClearMetadata

func (x *Permission) ClearMetadata()

func (*Permission) ClearNotRule

func (x *Permission) ClearNotRule()

func (*Permission) ClearOrRules

func (x *Permission) ClearOrRules()

func (*Permission) ClearRequestedServerName

func (x *Permission) ClearRequestedServerName()

func (*Permission) ClearRule

func (x *Permission) ClearRule()

func (*Permission) ClearUrlPath

func (x *Permission) ClearUrlPath()

func (*Permission) GetAndRules

func (x *Permission) GetAndRules() *Permission_Set

func (*Permission) GetAny

func (x *Permission) GetAny() bool

func (*Permission) GetDestinationIp

func (x *Permission) GetDestinationIp() *v32.CidrRange

func (*Permission) GetDestinationPort

func (x *Permission) GetDestinationPort() uint32

func (*Permission) GetDestinationPortRange

func (x *Permission) GetDestinationPortRange() *v33.Int32Range

func (*Permission) GetHeader

func (x *Permission) GetHeader() *v3.HeaderMatcher

func (*Permission) GetMatcher

func (x *Permission) GetMatcher() *v32.TypedExtensionConfig

func (*Permission) GetMetadata

func (x *Permission) GetMetadata() *v31.MetadataMatcher

func (*Permission) GetNotRule

func (x *Permission) GetNotRule() *Permission

func (*Permission) GetOrRules

func (x *Permission) GetOrRules() *Permission_Set

func (*Permission) GetRequestedServerName

func (x *Permission) GetRequestedServerName() *v31.StringMatcher

func (*Permission) GetRule

func (x *Permission) GetRule() isPermission_Rule

func (*Permission) GetUrlPath

func (x *Permission) GetUrlPath() *v31.PathMatcher

func (*Permission) HasAndRules

func (x *Permission) HasAndRules() bool

func (*Permission) HasAny

func (x *Permission) HasAny() bool

func (*Permission) HasDestinationIp

func (x *Permission) HasDestinationIp() bool

func (*Permission) HasDestinationPort

func (x *Permission) HasDestinationPort() bool

func (*Permission) HasDestinationPortRange

func (x *Permission) HasDestinationPortRange() bool

func (*Permission) HasHeader

func (x *Permission) HasHeader() bool

func (*Permission) HasMatcher

func (x *Permission) HasMatcher() bool

func (*Permission) HasMetadata

func (x *Permission) HasMetadata() bool

func (*Permission) HasNotRule

func (x *Permission) HasNotRule() bool

func (*Permission) HasOrRules

func (x *Permission) HasOrRules() bool

func (*Permission) HasRequestedServerName

func (x *Permission) HasRequestedServerName() bool

func (*Permission) HasRule

func (x *Permission) HasRule() bool

func (*Permission) HasUrlPath

func (x *Permission) HasUrlPath() bool

func (*Permission) ProtoMessage

func (*Permission) ProtoMessage()

func (*Permission) ProtoReflect

func (x *Permission) ProtoReflect() protoreflect.Message

func (*Permission) Reset

func (x *Permission) Reset()

func (*Permission) SetAndRules

func (x *Permission) SetAndRules(v *Permission_Set)

func (*Permission) SetAny

func (x *Permission) SetAny(v bool)

func (*Permission) SetDestinationIp

func (x *Permission) SetDestinationIp(v *v32.CidrRange)

func (*Permission) SetDestinationPort

func (x *Permission) SetDestinationPort(v uint32)

func (*Permission) SetDestinationPortRange

func (x *Permission) SetDestinationPortRange(v *v33.Int32Range)

func (*Permission) SetHeader

func (x *Permission) SetHeader(v *v3.HeaderMatcher)

func (*Permission) SetMatcher

func (x *Permission) SetMatcher(v *v32.TypedExtensionConfig)

func (*Permission) SetMetadata

func (x *Permission) SetMetadata(v *v31.MetadataMatcher)

func (*Permission) SetNotRule

func (x *Permission) SetNotRule(v *Permission)

func (*Permission) SetOrRules

func (x *Permission) SetOrRules(v *Permission_Set)

func (*Permission) SetRequestedServerName

func (x *Permission) SetRequestedServerName(v *v31.StringMatcher)

func (*Permission) SetUrlPath

func (x *Permission) SetUrlPath(v *v31.PathMatcher)

func (*Permission) String

func (x *Permission) String() string

func (*Permission) WhichRule

func (x *Permission) WhichRule() case_Permission_Rule

type Permission_AndRules

// Permission_AndRules is the Rule oneof arm carrying and_rules.
type Permission_AndRules struct {
	// A set of rules that all must match in order to define the action.
	AndRules *Permission_Set `protobuf:"bytes,1,opt,name=and_rules,json=andRules,proto3,oneof"`
}

type Permission_Any

// Permission_Any is the Rule oneof arm carrying any.
type Permission_Any struct {
	// When any is set, it matches any action, so a policy using it is constrained
	// only by its principals and its condition.
	Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"`
}

type Permission_DestinationIp

// Permission_DestinationIp is the Rule oneof arm carrying destination_ip.
type Permission_DestinationIp struct {
	// A CIDR block that describes the destination IP.
	DestinationIp *v32.CidrRange `protobuf:"bytes,5,opt,name=destination_ip,json=destinationIp,proto3,oneof"`
}

type Permission_DestinationPort

// Permission_DestinationPort is the Rule oneof arm carrying destination_port.
type Permission_DestinationPort struct {
	// A port number that describes the destination port being connected to.
	DestinationPort uint32 `protobuf:"varint,6,opt,name=destination_port,json=destinationPort,proto3,oneof"`
}

type Permission_DestinationPortRange

// Permission_DestinationPortRange is the Rule oneof arm carrying destination_port_range.
type Permission_DestinationPortRange struct {
	// A port number range that describes a range of destination ports being connected to.
	DestinationPortRange *v33.Int32Range `protobuf:"bytes,11,opt,name=destination_port_range,json=destinationPortRange,proto3,oneof"`
}

type Permission_Header

// Permission_Header is the Rule oneof arm carrying header.
type Permission_Header struct {
	// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
	// available for HTTP requests.
	// Note: the pseudo-header :path includes the query and fragment string, so a match on
	// :path is not a match on the path alone. Use the `url_path` field if you want to match
	// the URL path without the query and fragment string.
	Header *v3.HeaderMatcher `protobuf:"bytes,4,opt,name=header,proto3,oneof"`
}

type Permission_Matcher

// Permission_Matcher is the Rule oneof arm carrying matcher, the extension point
// for custom RBAC matchers.
type Permission_Matcher struct {
	// Extension for configuring custom matchers for RBAC.
	// [#extension-category: envoy.rbac.matchers]
	Matcher *v32.TypedExtensionConfig `protobuf:"bytes,12,opt,name=matcher,proto3,oneof"`
}

type Permission_Metadata

// Permission_Metadata is the Rule oneof arm carrying metadata.
type Permission_Metadata struct {
	// Metadata that describes additional information about the action.
	Metadata *v31.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"`
}

type Permission_NotRule

// Permission_NotRule is the Rule oneof arm carrying not_rule, the negation of
// another Permission.
type Permission_NotRule struct {
	// Negates matching the provided permission. For instance, if the value of
	// `not_rule` would match, this permission would not match. Conversely, if
	// the value of `not_rule` would not match, this permission would match.
	NotRule *Permission `protobuf:"bytes,8,opt,name=not_rule,json=notRule,proto3,oneof"`
}

type Permission_OrRules

// Permission_OrRules is the Rule oneof arm carrying or_rules.
type Permission_OrRules struct {
	// A set of rules where at least one must match in order to define the action.
	OrRules *Permission_Set `protobuf:"bytes,2,opt,name=or_rules,json=orRules,proto3,oneof"`
}

type Permission_RequestedServerName

// Permission_RequestedServerName is the Rule oneof arm carrying requested_server_name
// (typically the TLS SNI). Read the attention block below before relying on it as the
// sole permission: depending on listener configuration the requested name can be
// treated as absent or be rewritten.
type Permission_RequestedServerName struct {
	// The requested server name from the client's connection request. This is
	// typically TLS SNI.
	//
	// .. attention::
	//
	//	The behavior of this field may be affected by how Envoy is configured
	//	as explained below.
	//
	//	* If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
	//	  filter is not added, and if a `FilterChainMatch` is not defined for
	//	  the :ref:`server name
	//	  <envoy_v3_api_field_config.listener.v3.FilterChainMatch.server_names>`,
	//	  a TLS connection's requested SNI server name will be treated as if it
	//	  wasn't present.
	//
	//	* A :ref:`listener filter <arch_overview_listener_filters>` may
	//	  overwrite a connection's requested server name within Envoy.
	//
	// Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn how to
	// set up SNI.
	RequestedServerName *v31.StringMatcher `protobuf:"bytes,9,opt,name=requested_server_name,json=requestedServerName,proto3,oneof"`
}

type Permission_Set

// Permission_Set groups the sub-rules referenced by the and_rules and or_rules arms.
type Permission_Set struct {
	// The sub-rules; and_rules requires all of them to match, or_rules at least one.
	Rules []*Permission `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
	// contains filtered or unexported fields
}

Used in the `and_rules` and `or_rules` fields of the `rule` oneof. Depending on the context, each is applied with the associated behavior: all rules must match for `and_rules`, at least one for `or_rules`.

func (*Permission_Set) GetRules

func (x *Permission_Set) GetRules() []*Permission

func (*Permission_Set) ProtoMessage

func (*Permission_Set) ProtoMessage()

func (*Permission_Set) ProtoReflect

func (x *Permission_Set) ProtoReflect() protoreflect.Message

func (*Permission_Set) Reset

func (x *Permission_Set) Reset()

func (*Permission_Set) SetRules

func (x *Permission_Set) SetRules(v []*Permission)

func (*Permission_Set) String

func (x *Permission_Set) String() string

type Permission_Set_builder

// Permission_Set_builder is the builder form of Permission_Set; see Build.
type Permission_Set_builder struct {
	// The sub-rules to place in the resulting Permission_Set.
	Rules []*Permission
	// contains filtered or unexported fields
}

func (Permission_Set_builder) Build

type Permission_UrlPath

// Permission_UrlPath is the Rule oneof arm carrying url_path, which matches the
// path without query and fragment (unlike a :path header match).
type Permission_UrlPath struct {
	// A URL path on the incoming HTTP request. Only available for HTTP.
	UrlPath *v31.PathMatcher `protobuf:"bytes,10,opt,name=url_path,json=urlPath,proto3,oneof"`
}

type Permission_builder

// Permission_builder is the builder form of Permission: set the oneof field to
// use, then call Build to obtain the assembled *Permission.
type Permission_builder struct {

	// Fields of oneof Rule:
	// A set of rules that all must match in order to define the action.
	AndRules *Permission_Set
	// A set of rules where at least one must match in order to define the action.
	OrRules *Permission_Set
	// When any is set, it matches any action, so a policy using it is constrained
	// only by its principals and its condition.
	Any *bool
	// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
	// available for HTTP requests.
	// Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
	// field if you want to match the URL path without the query and fragment string.
	Header *v3.HeaderMatcher
	// A URL path on the incoming HTTP request. Only available for HTTP.
	UrlPath *v31.PathMatcher
	// A CIDR block that describes the destination IP.
	DestinationIp *v32.CidrRange
	// A port number that describes the destination port being connected to.
	DestinationPort *uint32
	// A port number range that describes a range of destination ports being connected to.
	DestinationPortRange *v33.Int32Range
	// Metadata that describes additional information about the action.
	Metadata *v31.MetadataMatcher
	// Negates matching the provided permission. For instance, if the value of
	// `not_rule` would match, this permission would not match. Conversely, if
	// the value of `not_rule` would not match, this permission would match.
	NotRule *Permission
	// The requested server name from the client's connection request. This is
	// typically TLS SNI.
	//
	// .. attention::
	//
	//	The behavior of this field may be affected by how Envoy is configured
	//	as explained below.
	//
	//	* If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
	//	  filter is not added, and if a `FilterChainMatch` is not defined for
	//	  the :ref:`server name
	//	  <envoy_v3_api_field_config.listener.v3.FilterChainMatch.server_names>`,
	//	  a TLS connection's requested SNI server name will be treated as if it
	//	  wasn't present.
	//
	//	* A :ref:`listener filter <arch_overview_listener_filters>` may
	//	  overwrite a connection's requested server name within Envoy.
	//
	// Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn how to
	// set up SNI.
	RequestedServerName *v31.StringMatcher
	// Extension for configuring custom matchers for RBAC.
	// [#extension-category: envoy.rbac.matchers]
	Matcher *v32.TypedExtensionConfig
	// contains filtered or unexported fields
}

func (Permission_builder) Build

func (b0 Permission_builder) Build() *Permission

type Policy

// Policy binds a set of permissions to a set of principals, optionally gated by
// a condition. Permissions are OR-combined, principals are OR-combined, and the
// permission, principal and condition clauses are AND-combined.
type Policy struct {

	// Required. The set of permissions that define a role. Each permission is
	// matched with OR semantics. To match all actions for this policy, a single
	// Permission with the `any` field set to true should be used.
	Permissions []*Permission `protobuf:"bytes,1,rep,name=permissions,proto3" json:"permissions,omitempty"`
	// Required. The set of principals that are assigned/denied the role based on
	// `action`. Each principal is matched with OR semantics. To match all
	// downstreams for this policy, a single Principal with the `any` field set to
	// true should be used.
	Principals []*Principal `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"`
	// An optional symbolic expression specifying an access control
	// :ref:`condition <arch_overview_condition>`. The condition is combined
	// with the permissions and the principals as a clause with AND semantics.
	// Only to be used when checked_condition is not used; the two are mutually exclusive.
	Condition *v1alpha1.Expr `protobuf:"bytes,3,opt,name=condition,proto3" json:"condition,omitempty"`
	// [#not-implemented-hide:]
	// An optional symbolic expression that has been successfully type checked.
	// Only to be used when condition is not used.
	CheckedCondition *v1alpha1.CheckedExpr `protobuf:"bytes,4,opt,name=checked_condition,json=checkedCondition,proto3" json:"checked_condition,omitempty"`
	// contains filtered or unexported fields
}

Policy specifies a role and the principals that are assigned/denied the role. A policy matches if and only if at least one of its permissions matches the action taking place AND at least one of its principals matches the downstream AND, if a condition is specified, the condition is true.

func (*Policy) ClearCheckedCondition

func (x *Policy) ClearCheckedCondition()

func (*Policy) ClearCondition

func (x *Policy) ClearCondition()

func (*Policy) GetCheckedCondition

func (x *Policy) GetCheckedCondition() *v1alpha1.CheckedExpr

func (*Policy) GetCondition

func (x *Policy) GetCondition() *v1alpha1.Expr

func (*Policy) GetPermissions

func (x *Policy) GetPermissions() []*Permission

func (*Policy) GetPrincipals

func (x *Policy) GetPrincipals() []*Principal

func (*Policy) HasCheckedCondition

func (x *Policy) HasCheckedCondition() bool

func (*Policy) HasCondition

func (x *Policy) HasCondition() bool

func (*Policy) ProtoMessage

func (*Policy) ProtoMessage()

func (*Policy) ProtoReflect

func (x *Policy) ProtoReflect() protoreflect.Message

func (*Policy) Reset

func (x *Policy) Reset()

func (*Policy) SetCheckedCondition

func (x *Policy) SetCheckedCondition(v *v1alpha1.CheckedExpr)

func (*Policy) SetCondition

func (x *Policy) SetCondition(v *v1alpha1.Expr)

func (*Policy) SetPermissions

func (x *Policy) SetPermissions(v []*Permission)

func (*Policy) SetPrincipals

func (x *Policy) SetPrincipals(v []*Principal)

func (*Policy) String

func (x *Policy) String() string

type Policy_builder

// Policy_builder is the builder form of Policy; populate the fields and call
// Build to obtain the assembled *Policy.
type Policy_builder struct {

	// Required. The set of permissions that define a role. Each permission is
	// matched with OR semantics. To match all actions for this policy, a single
	// Permission with the `any` field set to true should be used.
	Permissions []*Permission
	// Required. The set of principals that are assigned/denied the role based on
	// `action`. Each principal is matched with OR semantics. To match all
	// downstreams for this policy, a single Principal with the `any` field set to
	// true should be used.
	Principals []*Principal
	// An optional symbolic expression specifying an access control
	// :ref:`condition <arch_overview_condition>`. The condition is combined
	// with the permissions and the principals as a clause with AND semantics.
	// Only to be used when checked_condition is not used; the two are mutually exclusive.
	Condition *v1alpha1.Expr
	// [#not-implemented-hide:]
	// An optional symbolic expression that has been successfully type checked.
	// Only to be used when condition is not used.
	CheckedCondition *v1alpha1.CheckedExpr
	// contains filtered or unexported fields
}

func (Policy_builder) Build

func (b0 Policy_builder) Build() *Policy

type Principal

// Principal identifies a downstream by one arm of the Identifier oneof; WhichIdentifier
// reports which arm is set (Principal_Identifier_not_set_case when none). The source_ip
// arm is deprecated in the proto in favour of remote_ip / direct_remote_ip.
type Principal struct {

	// Types that are valid to be assigned to Identifier:
	//
	//	*Principal_AndIds
	//	*Principal_OrIds
	//	*Principal_Any
	//	*Principal_Authenticated_
	//	*Principal_SourceIp
	//	*Principal_DirectRemoteIp
	//	*Principal_RemoteIp
	//	*Principal_Header
	//	*Principal_UrlPath
	//	*Principal_Metadata
	//	*Principal_FilterState
	//	*Principal_NotId
	Identifier isPrincipal_Identifier `protobuf_oneof:"identifier"`
	// contains filtered or unexported fields
}

Principal defines an identity or a group of identities for a downstream subject. [#next-free-field: 13]

func (*Principal) ClearAndIds

func (x *Principal) ClearAndIds()

func (*Principal) ClearAny

func (x *Principal) ClearAny()

func (*Principal) ClearAuthenticated

func (x *Principal) ClearAuthenticated()

func (*Principal) ClearDirectRemoteIp

func (x *Principal) ClearDirectRemoteIp()

func (*Principal) ClearFilterState

func (x *Principal) ClearFilterState()

func (*Principal) ClearHeader

func (x *Principal) ClearHeader()

func (*Principal) ClearIdentifier

func (x *Principal) ClearIdentifier()

func (*Principal) ClearMetadata

func (x *Principal) ClearMetadata()

func (*Principal) ClearNotId

func (x *Principal) ClearNotId()

func (*Principal) ClearOrIds

func (x *Principal) ClearOrIds()

func (*Principal) ClearRemoteIp

func (x *Principal) ClearRemoteIp()

func (*Principal) ClearSourceIp deprecated

func (x *Principal) ClearSourceIp()

Deprecated: Marked as deprecated in envoy/config/rbac/v3/rbac.proto.

func (*Principal) ClearUrlPath

func (x *Principal) ClearUrlPath()

func (*Principal) GetAndIds

func (x *Principal) GetAndIds() *Principal_Set

func (*Principal) GetAny

func (x *Principal) GetAny() bool

func (*Principal) GetAuthenticated

func (x *Principal) GetAuthenticated() *Principal_Authenticated

func (*Principal) GetDirectRemoteIp

func (x *Principal) GetDirectRemoteIp() *v32.CidrRange

func (*Principal) GetFilterState

func (x *Principal) GetFilterState() *v31.FilterStateMatcher

func (*Principal) GetHeader

func (x *Principal) GetHeader() *v3.HeaderMatcher

func (*Principal) GetIdentifier

func (x *Principal) GetIdentifier() isPrincipal_Identifier

func (*Principal) GetMetadata

func (x *Principal) GetMetadata() *v31.MetadataMatcher

func (*Principal) GetNotId

func (x *Principal) GetNotId() *Principal

func (*Principal) GetOrIds

func (x *Principal) GetOrIds() *Principal_Set

func (*Principal) GetRemoteIp

func (x *Principal) GetRemoteIp() *v32.CidrRange

func (*Principal) GetSourceIp deprecated

func (x *Principal) GetSourceIp() *v32.CidrRange

Deprecated: Marked as deprecated in envoy/config/rbac/v3/rbac.proto.

func (*Principal) GetUrlPath

func (x *Principal) GetUrlPath() *v31.PathMatcher

func (*Principal) HasAndIds

func (x *Principal) HasAndIds() bool

func (*Principal) HasAny

func (x *Principal) HasAny() bool

func (*Principal) HasAuthenticated

func (x *Principal) HasAuthenticated() bool

func (*Principal) HasDirectRemoteIp

func (x *Principal) HasDirectRemoteIp() bool

func (*Principal) HasFilterState

func (x *Principal) HasFilterState() bool

func (*Principal) HasHeader

func (x *Principal) HasHeader() bool

func (*Principal) HasIdentifier

func (x *Principal) HasIdentifier() bool

func (*Principal) HasMetadata

func (x *Principal) HasMetadata() bool

func (*Principal) HasNotId

func (x *Principal) HasNotId() bool

func (*Principal) HasOrIds

func (x *Principal) HasOrIds() bool

func (*Principal) HasRemoteIp

func (x *Principal) HasRemoteIp() bool

func (*Principal) HasSourceIp deprecated

func (x *Principal) HasSourceIp() bool

Deprecated: Marked as deprecated in envoy/config/rbac/v3/rbac.proto.

func (*Principal) HasUrlPath

func (x *Principal) HasUrlPath() bool

func (*Principal) ProtoMessage

func (*Principal) ProtoMessage()

func (*Principal) ProtoReflect

func (x *Principal) ProtoReflect() protoreflect.Message

func (*Principal) Reset

func (x *Principal) Reset()

func (*Principal) SetAndIds

func (x *Principal) SetAndIds(v *Principal_Set)

func (*Principal) SetAny

func (x *Principal) SetAny(v bool)

func (*Principal) SetAuthenticated

func (x *Principal) SetAuthenticated(v *Principal_Authenticated)

func (*Principal) SetDirectRemoteIp

func (x *Principal) SetDirectRemoteIp(v *v32.CidrRange)

func (*Principal) SetFilterState

func (x *Principal) SetFilterState(v *v31.FilterStateMatcher)

func (*Principal) SetHeader

func (x *Principal) SetHeader(v *v3.HeaderMatcher)

func (*Principal) SetMetadata

func (x *Principal) SetMetadata(v *v31.MetadataMatcher)

func (*Principal) SetNotId

func (x *Principal) SetNotId(v *Principal)

func (*Principal) SetOrIds

func (x *Principal) SetOrIds(v *Principal_Set)

func (*Principal) SetRemoteIp

func (x *Principal) SetRemoteIp(v *v32.CidrRange)

func (*Principal) SetSourceIp deprecated

func (x *Principal) SetSourceIp(v *v32.CidrRange)

Deprecated: Marked as deprecated in envoy/config/rbac/v3/rbac.proto.

func (*Principal) SetUrlPath

func (x *Principal) SetUrlPath(v *v31.PathMatcher)

func (*Principal) String

func (x *Principal) String() string

func (*Principal) WhichIdentifier

func (x *Principal) WhichIdentifier() case_Principal_Identifier

type Principal_AndIds

// Principal_AndIds is the Identifier oneof arm carrying and_ids.
type Principal_AndIds struct {
	// A set of identifiers that all must match in order to define the
	// downstream.
	AndIds *Principal_Set `protobuf:"bytes,1,opt,name=and_ids,json=andIds,proto3,oneof"`
}

type Principal_Any

// Principal_Any is the Identifier oneof arm carrying any.
type Principal_Any struct {
	// When any is set, it matches any downstream, so a policy using it is constrained
	// only by its permissions and its condition.
	Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"`
}

type Principal_Authenticated

// Principal_Authenticated carries the certificate-derived identity of an
// authenticated downstream.
type Principal_Authenticated struct {

	// The name of the principal. If set, the URI SAN or DNS SAN, in that order,
	// is taken from the certificate; otherwise the subject field is used. If
	// unset, it applies to any user that is authenticated.
	// NOTE(review): leaving this unset therefore matches every authenticated
	// downstream rather than a particular identity — confirm that is intended
	// wherever this principal feeds an ALLOW policy.
	PrincipalName *v31.StringMatcher `protobuf:"bytes,2,opt,name=principal_name,json=principalName,proto3" json:"principal_name,omitempty"`
	// contains filtered or unexported fields
}

Authentication attributes for a downstream.

func (*Principal_Authenticated) ClearPrincipalName

func (x *Principal_Authenticated) ClearPrincipalName()

func (*Principal_Authenticated) GetPrincipalName

func (x *Principal_Authenticated) GetPrincipalName() *v31.StringMatcher

func (*Principal_Authenticated) HasPrincipalName

func (x *Principal_Authenticated) HasPrincipalName() bool

func (*Principal_Authenticated) ProtoMessage

func (*Principal_Authenticated) ProtoMessage()

func (*Principal_Authenticated) ProtoReflect

func (x *Principal_Authenticated) ProtoReflect() protoreflect.Message

func (*Principal_Authenticated) Reset

func (x *Principal_Authenticated) Reset()

func (*Principal_Authenticated) SetPrincipalName

func (x *Principal_Authenticated) SetPrincipalName(v *v31.StringMatcher)

func (*Principal_Authenticated) String

func (x *Principal_Authenticated) String() string

type Principal_Authenticated_

// Principal_Authenticated_ is the Identifier oneof arm carrying authenticated.
type Principal_Authenticated_ struct {
	// Authenticated attributes that identify the downstream.
	Authenticated *Principal_Authenticated `protobuf:"bytes,4,opt,name=authenticated,proto3,oneof"`
}

type Principal_Authenticated_builder

// Principal_Authenticated_builder is the builder form of Principal_Authenticated; see Build.
type Principal_Authenticated_builder struct {

	// The name of the principal. If set, the URI SAN or DNS SAN, in that order,
	// is taken from the certificate; otherwise the subject field is used. If
	// unset, it applies to any user that is authenticated.
	PrincipalName *v31.StringMatcher
	// contains filtered or unexported fields
}

func (Principal_Authenticated_builder) Build

type Principal_DirectRemoteIp

// Principal_DirectRemoteIp is the Identifier oneof arm carrying direct_remote_ip,
// the address of the physical peer.
type Principal_DirectRemoteIp struct {
	// A CIDR block that describes the downstream remote/origin address.
	// Note: This is always the physical peer, even if the
	// :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` is
	// inferred from, for example, the X-Forwarded-For header, proxy protocol,
	// etc. Prefer it over remote_ip when the decision must not depend on
	// forwarded address information.
	DirectRemoteIp *v32.CidrRange `protobuf:"bytes,10,opt,name=direct_remote_ip,json=directRemoteIp,proto3,oneof"`
}

type Principal_FilterState

// Principal_FilterState is the Identifier oneof arm carrying filter_state.
type Principal_FilterState struct {
	// Identifies the principal using a filter state object.
	FilterState *v31.FilterStateMatcher `protobuf:"bytes,12,opt,name=filter_state,json=filterState,proto3,oneof"`
}

type Principal_Header

// Principal_Header is the Identifier oneof arm carrying header.
type Principal_Header struct {
	// A header (or pseudo-header such as :path or :method) on the incoming HTTP
	// request. Only available for HTTP requests. Note: the pseudo-header :path
	// includes the query and fragment string, so a match on :path is not a match
	// on the path alone. Use the `url_path` field if you want to match the URL
	// path without the query and fragment string.
	Header *v3.HeaderMatcher `protobuf:"bytes,6,opt,name=header,proto3,oneof"`
}

type Principal_Metadata

// Principal_Metadata is the Identifier oneof arm carrying metadata.
type Principal_Metadata struct {
	// Metadata that describes additional information about the principal.
	Metadata *v31.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"`
}

type Principal_NotId

// Principal_NotId is the Identifier oneof arm carrying not_id, the negation of
// another Principal.
type Principal_NotId struct {
	// Negates matching the provided principal. For instance, if the value of
	// `not_id` would match, this principal would not match. Conversely, if the
	// value of `not_id` would not match, this principal would match.
	NotId *Principal `protobuf:"bytes,8,opt,name=not_id,json=notId,proto3,oneof"`
}

type Principal_OrIds

// Principal_OrIds is the Identifier oneof arm carrying or_ids.
type Principal_OrIds struct {
	// A set of identifiers of which at least one must match in order to define the
	// downstream.
	OrIds *Principal_Set `protobuf:"bytes,2,opt,name=or_ids,json=orIds,proto3,oneof"`
}

type Principal_RemoteIp

// Principal_RemoteIp is the Identifier oneof member that matches the
// (possibly inferred) downstream remote address.
type Principal_RemoteIp struct {
	// A CIDR block that describes the downstream remote/origin address.
	// Note: This may not be the physical peer and could be different from the
	// :ref:`direct_remote_ip
	// <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`. E.g, if the
	// remote ip is inferred from for example the x-forwarded-for header, proxy
	// protocol, etc.
	// Because the value may be derived from request headers, a policy keyed on
	// it is only as strong as the trust placed in the hops that set those
	// headers; use direct_remote_ip when the physical peer is what matters.
	RemoteIp *v32.CidrRange `protobuf:"bytes,11,opt,name=remote_ip,json=remoteIp,proto3,oneof"`
}

type Principal_Set

// Principal_Set groups the principals combined by the and_ids and or_ids
// members of the Identifier oneof; whether all or at least one must match
// depends on which member holds the set.
type Principal_Set struct {
	// Ids is the list of principals combined by the enclosing and_ids/or_ids.
	Ids []*Principal `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"`
	// contains filtered or unexported fields
}

Used in the `and_ids` and `or_ids` fields of the `identifier` oneof. Depending on the context, each is applied with the associated behavior.

func (*Principal_Set) GetIds

func (x *Principal_Set) GetIds() []*Principal

func (*Principal_Set) ProtoMessage

func (*Principal_Set) ProtoMessage()

func (*Principal_Set) ProtoReflect

func (x *Principal_Set) ProtoReflect() protoreflect.Message

func (*Principal_Set) Reset

func (x *Principal_Set) Reset()

func (*Principal_Set) SetIds

func (x *Principal_Set) SetIds(v []*Principal)

func (*Principal_Set) String

func (x *Principal_Set) String() string

type Principal_Set_builder

// Principal_Set_builder is the builder form of Principal_Set; a Build method
// is declared on it (see below).
type Principal_Set_builder struct {
	// Ids is the list of principals the resulting set will contain.
	Ids []*Principal
	// contains filtered or unexported fields
}

func (Principal_Set_builder) Build

type Principal_SourceIp

// Principal_SourceIp is the deprecated Identifier oneof member matching the
// downstream IP; prefer remote_ip or direct_remote_ip in new configuration.
type Principal_SourceIp struct {
	// A CIDR block that describes the downstream IP.
	// This address will honor proxy protocol, but will not honor XFF.
	//
	// This field is deprecated; either use :ref:`remote_ip
	// <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` for the same
	// behavior, or use
	// :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`.
	//
	// Deprecated: Marked as deprecated in envoy/config/rbac/v3/rbac.proto.
	SourceIp *v32.CidrRange `protobuf:"bytes,5,opt,name=source_ip,json=sourceIp,proto3,oneof"`
}

type Principal_UrlPath

// Principal_UrlPath is the Identifier oneof member that matches the URL path
// of the incoming HTTP request (without query and fragment; compare the
// :path pseudo-header matched by Principal_Header).
type Principal_UrlPath struct {
	// A URL path on the incoming HTTP request. Only available for HTTP.
	UrlPath *v31.PathMatcher `protobuf:"bytes,9,opt,name=url_path,json=urlPath,proto3,oneof"`
}

type Principal_builder

// Principal_builder is the builder form of Principal. Each field below maps
// to one member of the Identifier oneof, so a caller is expected to set only
// one of them; Build returns the resulting *Principal.
// NOTE(review): how Build behaves when more than one field is set is not
// visible here — confirm against the generated Build body.
type Principal_builder struct {

	// Fields of oneof Identifier:
	// A set of identifiers that all must match in order to define the
	// downstream.
	AndIds *Principal_Set
	// A set of identifiers at least one must match in order to define the
	// downstream.
	OrIds *Principal_Set
	// When any is set, it matches any downstream.
	Any *bool
	// Authenticated attributes that identify the downstream.
	Authenticated *Principal_Authenticated
	// A CIDR block that describes the downstream IP.
	// This address will honor proxy protocol, but will not honor XFF.
	//
	// This field is deprecated; either use :ref:`remote_ip
	// <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` for the same
	// behavior, or use
	// :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`.
	//
	// Deprecated: Marked as deprecated in envoy/config/rbac/v3/rbac.proto.
	SourceIp *v32.CidrRange
	// A CIDR block that describes the downstream remote/origin address.
	// Note: This is always the physical peer even if the
	// :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` is
	// inferred from for example the x-forwarded-for header, proxy protocol,
	// etc.
	DirectRemoteIp *v32.CidrRange
	// A CIDR block that describes the downstream remote/origin address.
	// Note: This may not be the physical peer and could be different from the
	// :ref:`direct_remote_ip
	// <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`. E.g, if the
	// remote ip is inferred from for example the x-forwarded-for header, proxy
	// protocol, etc. A policy keyed on this value trusts whichever hop set
	// those headers.
	RemoteIp *v32.CidrRange
	// A header (or pseudo-header such as :path or :method) on the incoming HTTP
	// request. Only available for HTTP request. Note: the pseudo-header :path
	// includes the query and fragment string. Use the `url_path` field if you
	// want to match the URL path without the query and fragment string.
	Header *v3.HeaderMatcher
	// A URL path on the incoming HTTP request. Only available for HTTP.
	UrlPath *v31.PathMatcher
	// Metadata that describes additional information about the principal.
	Metadata *v31.MetadataMatcher
	// Identifies the principal using a filter state object.
	FilterState *v31.FilterStateMatcher
	// Negates matching the provided principal. For instance, if the value of
	// `not_id` would match, this principal would not match. Conversely, if the
	// value of `not_id` would not match, this principal would match.
	NotId *Principal
	// contains filtered or unexported fields
}

func (Principal_builder) Build

func (b0 Principal_builder) Build() *Principal

type RBAC

// RBAC is the top-level access-control configuration: an Action plus the
// Policies it applies to. Note the interaction of the two when Policies is
// empty: under ALLOW no request can match, so every request is denied; under
// DENY nothing matches, so every request is allowed.
type RBAC struct {

	// The action to take if a policy matches. Every action either allows or denies a request,
	// and can also carry out action-specific operations.
	//
	// Actions:
	//
	//   - `ALLOW`: Allows the request if and only if there is a policy that matches
	//     the request.
	//   - `DENY`: Allows the request if and only if there are no policies that
	//     match the request.
	//   - `LOG`: Allows all requests. If at least one policy matches, the dynamic
	//     metadata key `access_log_hint` is set to the value `true` under the shared
	//     key namespace `envoy.common`. If no policies match, it is set to `false`.
	//     Other actions do not modify this key.
	Action RBAC_Action `protobuf:"varint,1,opt,name=action,proto3,enum=envoy.config.rbac.v3.RBAC_Action" json:"action,omitempty"`
	// Maps from policy name to policy. A match occurs when at least one policy matches the request.
	// The policies are evaluated in lexicographic order of the policy name.
	Policies map[string]*Policy `` /* 143-byte string literal not displayed */
	// Audit logging options that include the condition for audit logging to happen
	// and audit logger configurations.
	//
	// [#not-implemented-hide:]
	AuditLoggingOptions *RBAC_AuditLoggingOptions `protobuf:"bytes,3,opt,name=audit_logging_options,json=auditLoggingOptions,proto3" json:"audit_logging_options,omitempty"`
	// contains filtered or unexported fields
}

Role Based Access Control (RBAC) provides service-level and method-level access control for a service. Requests are allowed or denied based on the `action` and whether a matching policy is found. For instance, if the action is ALLOW and a matching policy is found, the request should be allowed.

RBAC can also be used to make access logging decisions by communicating with access loggers through dynamic metadata. When the action is LOG and at least one policy matches, the `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true`, indicating the request should be logged.

Here is an example of RBAC configuration. It has two policies:

  • Service account “cluster.local/ns/default/sa/admin“ has full access to the service, and so does "cluster.local/ns/default/sa/superuser".

  • Any user can read (“GET“) the service at paths with prefix “/products“, so long as the destination port is either 80 or 443.

    .. code-block:: yaml

      action: ALLOW
      policies:
        "service-admin":
          permissions:
            - any: true
          principals:
            - authenticated:
                principal_name:
                  exact: "cluster.local/ns/default/sa/admin"
            - authenticated:
                principal_name:
                  exact: "cluster.local/ns/default/sa/superuser"
        "product-viewer":
          permissions:
            - and_rules:
                rules:
                  - header:
                      name: ":method"
                      string_match:
                        exact: "GET"
                  - url_path:
                      path: { prefix: "/products" }
                  - or_rules:
                      rules:
                        - destination_port: 80
                        - destination_port: 443
          principals:
            - any: true

func (*RBAC) ClearAuditLoggingOptions

func (x *RBAC) ClearAuditLoggingOptions()

func (*RBAC) GetAction

func (x *RBAC) GetAction() RBAC_Action

func (*RBAC) GetAuditLoggingOptions

func (x *RBAC) GetAuditLoggingOptions() *RBAC_AuditLoggingOptions

func (*RBAC) GetPolicies

func (x *RBAC) GetPolicies() map[string]*Policy

func (*RBAC) HasAuditLoggingOptions

func (x *RBAC) HasAuditLoggingOptions() bool

func (*RBAC) ProtoMessage

func (*RBAC) ProtoMessage()

func (*RBAC) ProtoReflect

func (x *RBAC) ProtoReflect() protoreflect.Message

func (*RBAC) Reset

func (x *RBAC) Reset()

func (*RBAC) SetAction

func (x *RBAC) SetAction(v RBAC_Action)

func (*RBAC) SetAuditLoggingOptions

func (x *RBAC) SetAuditLoggingOptions(v *RBAC_AuditLoggingOptions)

func (*RBAC) SetPolicies

func (x *RBAC) SetPolicies(v map[string]*Policy)

func (*RBAC) String

func (x *RBAC) String() string

type RBAC_Action

// RBAC_Action selects safe-list (ALLOW), block-list (DENY) or log-only (LOG)
// semantics for an RBAC configuration; the zero value is RBAC_ALLOW.
type RBAC_Action int32

Should we do safe-list or block-list style access control?

const (
	// The policies grant access to principals. The rest are denied. This is safe-list style
	// access control. This is the default type (value 0, the zero value of RBAC_Action).
	RBAC_ALLOW RBAC_Action = 0
	// The policies deny access to principals. The rest are allowed. This is block-list style
	// access control. With no matching policy every request is allowed, so an empty
	// policy set under DENY is fully permissive.
	RBAC_DENY RBAC_Action = 1
	// The policies set the `access_log_hint` dynamic metadata key based on if requests match.
	// All requests are allowed; this action never enforces access control on its own.
	RBAC_LOG RBAC_Action = 2
)

func (RBAC_Action) Descriptor

func (RBAC_Action) Enum

func (x RBAC_Action) Enum() *RBAC_Action

func (RBAC_Action) Number

func (x RBAC_Action) Number() protoreflect.EnumNumber

func (RBAC_Action) String

func (x RBAC_Action) String() string

func (RBAC_Action) Type

type RBAC_AuditLoggingOptions

// RBAC_AuditLoggingOptions configures when audit logging happens and which
// loggers receive it. Both fields carry the [#not-implemented-hide:] marker,
// so their effect at runtime should be confirmed against the data plane in use.
type RBAC_AuditLoggingOptions struct {

	// Condition for the audit logging to happen.
	// If this condition is met, all the audit loggers configured here will be invoked.
	//
	// [#not-implemented-hide:]
	AuditCondition RBAC_AuditLoggingOptions_AuditCondition `` /* 170-byte string literal not displayed */
	// Configurations for RBAC-based authorization audit loggers.
	//
	// [#not-implemented-hide:]
	LoggerConfigs []*RBAC_AuditLoggingOptions_AuditLoggerConfig `protobuf:"bytes,2,rep,name=logger_configs,json=loggerConfigs,proto3" json:"logger_configs,omitempty"`
	// contains filtered or unexported fields
}

func (*RBAC_AuditLoggingOptions) GetAuditCondition

func (*RBAC_AuditLoggingOptions) GetLoggerConfigs

func (*RBAC_AuditLoggingOptions) ProtoMessage

func (*RBAC_AuditLoggingOptions) ProtoMessage()

func (*RBAC_AuditLoggingOptions) ProtoReflect

func (x *RBAC_AuditLoggingOptions) ProtoReflect() protoreflect.Message

func (*RBAC_AuditLoggingOptions) Reset

func (x *RBAC_AuditLoggingOptions) Reset()

func (*RBAC_AuditLoggingOptions) SetAuditCondition

func (*RBAC_AuditLoggingOptions) SetLoggerConfigs

func (*RBAC_AuditLoggingOptions) String

func (x *RBAC_AuditLoggingOptions) String() string

type RBAC_AuditLoggingOptions_AuditCondition

// RBAC_AuditLoggingOptions_AuditCondition selects which RBAC decisions
// (deny, allow, both or none) trigger audit logging; the zero value is NONE.
type RBAC_AuditLoggingOptions_AuditCondition int32

Deny and allow here refer to RBAC decisions, not actions.

const (
	// Never audit. This is the zero value, so audit logging is off unless
	// explicitly configured.
	RBAC_AuditLoggingOptions_NONE RBAC_AuditLoggingOptions_AuditCondition = 0
	// Audit when RBAC denies the request.
	RBAC_AuditLoggingOptions_ON_DENY RBAC_AuditLoggingOptions_AuditCondition = 1
	// Audit when RBAC allows the request.
	RBAC_AuditLoggingOptions_ON_ALLOW RBAC_AuditLoggingOptions_AuditCondition = 2
	// Audit whether RBAC allows or denies the request.
	RBAC_AuditLoggingOptions_ON_DENY_AND_ALLOW RBAC_AuditLoggingOptions_AuditCondition = 3
)

func (RBAC_AuditLoggingOptions_AuditCondition) Descriptor

func (RBAC_AuditLoggingOptions_AuditCondition) Enum

func (RBAC_AuditLoggingOptions_AuditCondition) Number

func (RBAC_AuditLoggingOptions_AuditCondition) String

func (RBAC_AuditLoggingOptions_AuditCondition) Type

type RBAC_AuditLoggingOptions_AuditLoggerConfig

// RBAC_AuditLoggingOptions_AuditLoggerConfig names one audit logger
// extension and whether its absence is tolerated.
type RBAC_AuditLoggingOptions_AuditLoggerConfig struct {

	// Typed logger configuration.
	//
	// [#extension-category: envoy.rbac.audit_loggers]
	AuditLogger *v32.TypedExtensionConfig `protobuf:"bytes,1,opt,name=audit_logger,json=auditLogger,proto3" json:"audit_logger,omitempty"`
	// If true, when the logger is not supported, the data plane will not NACK but simply ignore it.
	// Ignoring an unsupported logger means the configuration is accepted without
	// that audit sink, so audit coverage can be silently lower than configured.
	IsOptional bool `protobuf:"varint,2,opt,name=is_optional,json=isOptional,proto3" json:"is_optional,omitempty"`
	// contains filtered or unexported fields
}

[#not-implemented-hide:]

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) ClearAuditLogger

func (x *RBAC_AuditLoggingOptions_AuditLoggerConfig) ClearAuditLogger()

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) GetAuditLogger

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) GetIsOptional

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) HasAuditLogger

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) ProtoMessage

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) ProtoReflect

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) Reset

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) SetAuditLogger

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) SetIsOptional

func (*RBAC_AuditLoggingOptions_AuditLoggerConfig) String

type RBAC_AuditLoggingOptions_AuditLoggerConfig_builder

// RBAC_AuditLoggingOptions_AuditLoggerConfig_builder is the builder form of
// RBAC_AuditLoggingOptions_AuditLoggerConfig; a Build method is declared on it.
type RBAC_AuditLoggingOptions_AuditLoggerConfig_builder struct {

	// Typed logger configuration.
	//
	// [#extension-category: envoy.rbac.audit_loggers]
	AuditLogger *v32.TypedExtensionConfig
	// If true, when the logger is not supported, the data plane will not NACK but simply ignore it.
	// An ignored logger drops that audit sink without rejecting the configuration.
	IsOptional bool
	// contains filtered or unexported fields
}

func (RBAC_AuditLoggingOptions_AuditLoggerConfig_builder) Build

type RBAC_AuditLoggingOptions_builder

// RBAC_AuditLoggingOptions_builder is the builder form of
// RBAC_AuditLoggingOptions; a Build method is declared on it.
type RBAC_AuditLoggingOptions_builder struct {

	// Condition for the audit logging to happen.
	// If this condition is met, all the audit loggers configured here will be invoked.
	//
	// [#not-implemented-hide:]
	AuditCondition RBAC_AuditLoggingOptions_AuditCondition
	// Configurations for RBAC-based authorization audit loggers.
	//
	// [#not-implemented-hide:]
	LoggerConfigs []*RBAC_AuditLoggingOptions_AuditLoggerConfig
	// contains filtered or unexported fields
}

func (RBAC_AuditLoggingOptions_builder) Build

type RBAC_builder

// RBAC_builder is the builder form of RBAC; Build returns the resulting
// *RBAC. As with RBAC, an empty Policies map under ALLOW denies everything
// and under DENY allows everything.
type RBAC_builder struct {

	// The action to take if a policy matches. Every action either allows or denies a request,
	// and can also carry out action-specific operations.
	//
	// Actions:
	//
	//   - `ALLOW`: Allows the request if and only if there is a policy that matches
	//     the request.
	//   - `DENY`: Allows the request if and only if there are no policies that
	//     match the request.
	//   - `LOG`: Allows all requests. If at least one policy matches, the dynamic
	//     metadata key `access_log_hint` is set to the value `true` under the shared
	//     key namespace `envoy.common`. If no policies match, it is set to `false`.
	//     Other actions do not modify this key.
	Action RBAC_Action
	// Maps from policy name to policy. A match occurs when at least one policy matches the request.
	// The policies are evaluated in lexicographic order of the policy name.
	Policies map[string]*Policy
	// Audit logging options that include the condition for audit logging to happen
	// and audit logger configurations.
	//
	// [#not-implemented-hide:]
	AuditLoggingOptions *RBAC_AuditLoggingOptions
	// contains filtered or unexported fields
}

func (RBAC_builder) Build

func (b0 RBAC_builder) Build() *RBAC
