Documentation ¶
Overview ¶
Package v1alpha1 is a generated protocol buffer package.
Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding objects.
A ServiceRole specification includes a list of rules (permissions). Each rule has the following standard fields:
- services: a list of services.
- methods: HTTP methods. In the case of gRPC, this field is ignored because the value is always "POST".
- paths: HTTP paths or gRPC methods. Note that gRPC methods should be presented in the form of "/packageName.serviceName/methodName" and are case sensitive.
In addition to the standard fields, operators can also use custom keys in the `constraints` field; the supported keys are listed in the "constraints and properties" page.
Below is an example of ServiceRole object "product-viewer", which has "read" ("GET" and "HEAD") access to "products.svc.cluster.local" service at versions "v1" and "v2". "path" is not specified, so it applies to any path in the service.
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: products-viewer
  namespace: default
spec:
  rules:
  - services: ["products.svc.cluster.local"]
    methods: ["GET", "HEAD"]
    constraints:
    - key: "destination.labels[version]"
      values: ["v1", "v2"]
```
A ServiceRoleBinding specification includes two parts:
- The `roleRef` field that refers to a ServiceRole object in the same namespace.
- A list of `subjects` that are assigned the roles.
In addition to a simple `user` field, operators can also use custom keys in the `properties` field; the supported keys are listed in the "constraints and properties" page.
Below is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects to ServiceRole "product-viewer":
- User "alice@yahoo.com"
- Services in "abc" namespace.
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: test-binding-products
  namespace: default
spec:
  subjects:
  - user: alice@yahoo.com
  - properties:
      source.namespace: "abc"
  roleRef:
    kind: ServiceRole
    name: "products-viewer"
```
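As an added example (not code from the Istio package or its documentation), the Go program below evaluates the two objects above the way the field comments on this page describe them: services, paths and constraint values use exact, prefix and suffix matching, an unspecified field matches anything, and a request is denied unless some binding's subject matches the caller and the referenced role has a permitting rule. It uses local stand-in structs rather than the generated types, and the request attribute keys are the ones the examples use.

```go
package main

import (
	"fmt"
	"strings"
)
// Stand-ins for the page's AccessRule, Subject and ServiceRoleBinding messages
// (assumption: plain structs, not the generated protobuf types, so this runs
// without the istio module). Constraints is keyed by constraint key.
type AccessRule struct {
	Services, Methods, Paths []string
	Constraints              map[string][]string
}
type Subject struct {
	User       string
	Properties map[string]string
}
type ServiceRoleBinding struct {
	RoleName string // roleRef.name; roleRef.kind is always "ServiceRole"
	Subjects []Subject
}
type Request struct {
	Service, Method, Path, User string
	Attrs                       map[string]string // e.g. "source.namespace", "destination.labels[version]"
}
// matchAny implements the page's matching for services, paths and constraint
// values: exact, prefix ("bookstore*") and suffix ("*.mtv.cluster.local"). An
// empty list means "not specified", which the page defines as matching any value.
func matchAny(patterns []string, value string) bool {
	if len(patterns) == 0 {
		return true
	}
	for _, p := range patterns {
		if p == "*" || p == value ||
			(strings.HasSuffix(p, "*") && strings.HasPrefix(value, strings.TrimSuffix(p, "*"))) ||
			(strings.HasPrefix(p, "*") && strings.HasSuffix(value, strings.TrimPrefix(p, "*"))) {
			return true
		}
	}
	return false
}

// ruleAllows checks one AccessRule: services is required (an empty list grants
// nothing) and every constraint must hold (a missing attribute fails it).
func ruleAllows(r AccessRule, req Request) bool {
	if len(r.Services) == 0 || !matchAny(r.Services, req.Service) ||
		!matchAny(r.Methods, req.Method) || !matchAny(r.Paths, req.Path) {
		return false
	}
	for key, values := range r.Constraints {
		if v, ok := req.Attrs[key]; !ok || !matchAny(values, v) {
			return false
		}
	}
	return true
}

// Allowed is deny-by-default: the request passes only when some binding has a subject
// matching the caller (user, and every listed property) and its role has a permitting rule.
func Allowed(roles map[string][]AccessRule, bindings []ServiceRoleBinding, req Request) bool {
	for _, b := range bindings {
	subjects:
		for _, s := range b.Subjects {
			if s.User != "" && s.User != req.User {
				continue
			}
			for k, want := range s.Properties {
				if req.Attrs[k] != want {
					continue subjects
				}
			}
			for _, r := range roles[b.RoleName] { // unknown role: no rules, so no access
				if ruleAllows(r, req) {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	// The two YAML objects above, as constructed data.
	roles := map[string][]AccessRule{"products-viewer": {{
		Services: []string{"products.svc.cluster.local"}, Methods: []string{"GET", "HEAD"},
		Constraints: map[string][]string{"destination.labels[version]": {"v1", "v2"}}}}}
	bindings := []ServiceRoleBinding{{RoleName: "products-viewer", Subjects: []Subject{
		{User: "alice@yahoo.com"}, {Properties: map[string]string{"source.namespace": "abc"}}}}}
	req := Request{Service: "products.svc.cluster.local", Method: "GET", Path: "/items", User: "bob",
		Attrs: map[string]string{"source.namespace": "abc", "destination.labels[version]": "v1"}}
	fmt.Println("bob from abc, GET v1:", Allowed(roles, bindings, req)) // true
	req.Attrs["destination.labels[version]"] = "v3"
	fmt.Println("bob from abc, GET v3:", Allowed(roles, bindings, req)) // false: v3 fails the constraint
}
```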
It is generated from these files:
rbac/v1alpha1/rbac.proto
It has these top-level messages:
WorkloadSelector
AuthorizationPolicy
ServiceRole
AccessRule
ServiceRoleBinding
Subject
RoleRef
RbacConfig
Index ¶
- Variables
- type AccessRule
- func (*AccessRule) Descriptor() ([]byte, []int)
- func (m *AccessRule) GetConstraints() []*AccessRule_Constraint
- func (m *AccessRule) GetHosts() []string
- func (m *AccessRule) GetMethods() []string
- func (m *AccessRule) GetNotHosts() []string
- func (m *AccessRule) GetNotMethods() []string
- func (m *AccessRule) GetNotPaths() []string
- func (m *AccessRule) GetNotPorts() []int32
- func (m *AccessRule) GetPaths() []string
- func (m *AccessRule) GetPorts() []int32
- func (m *AccessRule) GetServices() []string
- func (m *AccessRule) Marshal() (dAtA []byte, err error)
- func (m *AccessRule) MarshalTo(dAtA []byte) (int, error)
- func (*AccessRule) ProtoMessage()
- func (m *AccessRule) Reset()
- func (m *AccessRule) Size() (n int)
- func (m *AccessRule) String() string
- func (m *AccessRule) Unmarshal(dAtA []byte) error
- type AccessRule_Constraint
- func (*AccessRule_Constraint) Descriptor() ([]byte, []int)
- func (m *AccessRule_Constraint) GetKey() string
- func (m *AccessRule_Constraint) GetValues() []string
- func (m *AccessRule_Constraint) Marshal() (dAtA []byte, err error)
- func (m *AccessRule_Constraint) MarshalTo(dAtA []byte) (int, error)
- func (*AccessRule_Constraint) ProtoMessage()
- func (m *AccessRule_Constraint) Reset()
- func (m *AccessRule_Constraint) Size() (n int)
- func (m *AccessRule_Constraint) String() string
- func (m *AccessRule_Constraint) Unmarshal(dAtA []byte) error
- type AuthorizationPolicy
- func (*AuthorizationPolicy) Descriptor() ([]byte, []int)
- func (m *AuthorizationPolicy) GetAllow() []*ServiceRoleBinding
- func (m *AuthorizationPolicy) GetWorkloadSelector() *WorkloadSelector
- func (m *AuthorizationPolicy) Marshal() (dAtA []byte, err error)
- func (m *AuthorizationPolicy) MarshalTo(dAtA []byte) (int, error)
- func (*AuthorizationPolicy) ProtoMessage()
- func (m *AuthorizationPolicy) Reset()
- func (m *AuthorizationPolicy) Size() (n int)
- func (m *AuthorizationPolicy) String() string
- func (m *AuthorizationPolicy) Unmarshal(dAtA []byte) error
- type EnforcementMode
- type RbacConfig
- func (*RbacConfig) Descriptor() ([]byte, []int)
- func (m *RbacConfig) GetEnforcementMode() EnforcementMode
- func (m *RbacConfig) GetExclusion() *RbacConfig_Target
- func (m *RbacConfig) GetInclusion() *RbacConfig_Target
- func (m *RbacConfig) GetMode() RbacConfig_Mode
- func (m *RbacConfig) Marshal() (dAtA []byte, err error)
- func (m *RbacConfig) MarshalTo(dAtA []byte) (int, error)
- func (*RbacConfig) ProtoMessage()
- func (m *RbacConfig) Reset()
- func (m *RbacConfig) Size() (n int)
- func (m *RbacConfig) String() string
- func (m *RbacConfig) Unmarshal(dAtA []byte) error
- type RbacConfig_Mode
- type RbacConfig_Target
- func (*RbacConfig_Target) Descriptor() ([]byte, []int)
- func (m *RbacConfig_Target) GetNamespaces() []string
- func (m *RbacConfig_Target) GetServices() []string
- func (m *RbacConfig_Target) GetWorkloadSelectors() []*WorkloadSelector
- func (m *RbacConfig_Target) Marshal() (dAtA []byte, err error)
- func (m *RbacConfig_Target) MarshalTo(dAtA []byte) (int, error)
- func (*RbacConfig_Target) ProtoMessage()
- func (m *RbacConfig_Target) Reset()
- func (m *RbacConfig_Target) Size() (n int)
- func (m *RbacConfig_Target) String() string
- func (m *RbacConfig_Target) Unmarshal(dAtA []byte) error
- type RoleRef
- func (*RoleRef) Descriptor() ([]byte, []int)
- func (m *RoleRef) GetKind() string
- func (m *RoleRef) GetName() string
- func (m *RoleRef) Marshal() (dAtA []byte, err error)
- func (m *RoleRef) MarshalTo(dAtA []byte) (int, error)
- func (*RoleRef) ProtoMessage()
- func (m *RoleRef) Reset()
- func (m *RoleRef) Size() (n int)
- func (m *RoleRef) String() string
- func (m *RoleRef) Unmarshal(dAtA []byte) error
- type ServiceRole
- func (*ServiceRole) Descriptor() ([]byte, []int)
- func (m *ServiceRole) GetRules() []*AccessRule
- func (m *ServiceRole) Marshal() (dAtA []byte, err error)
- func (m *ServiceRole) MarshalTo(dAtA []byte) (int, error)
- func (*ServiceRole) ProtoMessage()
- func (m *ServiceRole) Reset()
- func (m *ServiceRole) Size() (n int)
- func (m *ServiceRole) String() string
- func (m *ServiceRole) Unmarshal(dAtA []byte) error
- type ServiceRoleBinding
- func (*ServiceRoleBinding) Descriptor() ([]byte, []int)
- func (m *ServiceRoleBinding) GetMode() EnforcementMode
- func (m *ServiceRoleBinding) GetRoleRef() *RoleRef
- func (m *ServiceRoleBinding) GetSubjects() []*Subject
- func (m *ServiceRoleBinding) Marshal() (dAtA []byte, err error)
- func (m *ServiceRoleBinding) MarshalTo(dAtA []byte) (int, error)
- func (*ServiceRoleBinding) ProtoMessage()
- func (m *ServiceRoleBinding) Reset()
- func (m *ServiceRoleBinding) Size() (n int)
- func (m *ServiceRoleBinding) String() string
- func (m *ServiceRoleBinding) Unmarshal(dAtA []byte) error
- type Subject
- func (*Subject) Descriptor() ([]byte, []int)
- func (m *Subject) GetGroup() string
- func (m *Subject) GetGroups() []string
- func (m *Subject) GetIps() []string
- func (m *Subject) GetNamespaces() []string
- func (m *Subject) GetNotGroups() []string
- func (m *Subject) GetNotIps() []string
- func (m *Subject) GetNotNamespaces() []string
- func (m *Subject) GetNotPrincipals() []string
- func (m *Subject) GetPrincipals() []string
- func (m *Subject) GetProperties() map[string]string
- func (m *Subject) GetUser() string
- func (m *Subject) Marshal() (dAtA []byte, err error)
- func (m *Subject) MarshalTo(dAtA []byte) (int, error)
- func (*Subject) ProtoMessage()
- func (m *Subject) Reset()
- func (m *Subject) Size() (n int)
- func (m *Subject) String() string
- func (m *Subject) Unmarshal(dAtA []byte) error
- type WorkloadSelector
- func (*WorkloadSelector) Descriptor() ([]byte, []int)
- func (m *WorkloadSelector) GetLabels() map[string]string
- func (m *WorkloadSelector) Marshal() (dAtA []byte, err error)
- func (m *WorkloadSelector) MarshalTo(dAtA []byte) (int, error)
- func (*WorkloadSelector) ProtoMessage()
- func (m *WorkloadSelector) Reset()
- func (m *WorkloadSelector) Size() (n int)
- func (m *WorkloadSelector) String() string
- func (m *WorkloadSelector) Unmarshal(dAtA []byte) error
Constants ¶
This section is empty.
Variables ¶
```go
var (
	ErrInvalidLengthRbac = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowRbac   = fmt.Errorf("proto: integer overflow")
)

var EnforcementMode_name = map[int32]string{
	0: "ENFORCED",
	1: "PERMISSIVE",
}

var EnforcementMode_value = map[string]int32{
	"ENFORCED":   0,
	"PERMISSIVE": 1,
}

var RbacConfig_Mode_name = map[int32]string{
	0: "OFF",
	1: "ON",
	2: "ON_WITH_INCLUSION",
	3: "ON_WITH_EXCLUSION",
}

var RbacConfig_Mode_value = map[string]int32{
	"OFF":               0,
	"ON":                1,
	"ON_WITH_INCLUSION": 2,
	"ON_WITH_EXCLUSION": 3,
}
```
Functions ¶
This section is empty.
Types ¶
type AccessRule ¶
```go
type AccessRule struct {
	// Required. A list of service names.
	// Exact match, prefix match, and suffix match are supported for service names.
	// For example, the service name "bookstore.mtv.cluster.local" matches
	// "bookstore.mtv.cluster.local" (exact match), or "bookstore*" (prefix match),
	// or "*.mtv.cluster.local" (suffix match).
	// If set to ["*"], it refers to all services in the namespace.
	Services []string `protobuf:"bytes,1,rep,name=services" json:"services,omitempty"`
	// $hide_from_docs
	// Optional. A list of HTTP hosts. This is matched against the HOST header in
	// an HTTP request. Exact match, prefix match and suffix match are supported.
	// For example, the host "test.abc.com" matches "test.abc.com" (exact match),
	// or "test.abc.*" (prefix match), or "*.abc.com" (suffix match).
	// If not specified, it matches any host.
	Hosts []string `protobuf:"bytes,5,rep,name=hosts" json:"hosts,omitempty"`
	// $hide_from_docs
	// Optional. A list of HTTP hosts that must not be matched.
	NotHosts []string `protobuf:"bytes,6,rep,name=not_hosts,json=notHosts" json:"not_hosts,omitempty"`
	// Optional. A list of HTTP paths or gRPC methods.
	// gRPC methods must be presented as a fully-qualified name in the form of
	// "/packageName.serviceName/methodName" and are case sensitive.
	// Exact match, prefix match, and suffix match are supported. For example,
	// the path "/books/review" matches "/books/review" (exact match),
	// or "/books/*" (prefix match), or "*/review" (suffix match).
	// If not specified, it matches any path.
	Paths []string `protobuf:"bytes,2,rep,name=paths" json:"paths,omitempty"`
	// $hide_from_docs
	// Optional. A list of HTTP paths or gRPC methods that must not be matched.
	NotPaths []string `protobuf:"bytes,7,rep,name=not_paths,json=notPaths" json:"not_paths,omitempty"`
	// Optional. A list of HTTP methods (e.g., "GET", "POST").
	// It is ignored in the gRPC case because the value is always "POST".
	// If not specified, it matches any method.
	Methods []string `protobuf:"bytes,3,rep,name=methods" json:"methods,omitempty"`
	// $hide_from_docs
	// Optional. A list of HTTP methods that must not be matched.
	// Note: It's an error to set methods and not_methods at the same time.
	NotMethods []string `protobuf:"bytes,8,rep,name=not_methods,json=notMethods" json:"not_methods,omitempty"`
	// $hide_from_docs
	// Optional. A list of port numbers of the request. If not specified, it matches
	// any port number.
	// Note: It's an error to set ports and not_ports at the same time.
	Ports []int32 `protobuf:"varint,9,rep,packed,name=ports" json:"ports,omitempty"`
	// $hide_from_docs
	// Optional. A list of port numbers that must not be matched.
	// Note: It's an error to set ports and not_ports at the same time.
	NotPorts []int32 `protobuf:"varint,10,rep,packed,name=not_ports,json=notPorts" json:"not_ports,omitempty"`
	// Optional. Extra constraints in the ServiceRole specification.
	Constraints []*AccessRule_Constraint `protobuf:"bytes,4,rep,name=constraints" json:"constraints,omitempty"`
}
```
AccessRule defines a permission to access a list of services.
func (*AccessRule) Descriptor ¶
func (*AccessRule) Descriptor() ([]byte, []int)
func (*AccessRule) GetConstraints ¶
func (m *AccessRule) GetConstraints() []*AccessRule_Constraint
func (*AccessRule) GetHosts ¶
func (m *AccessRule) GetHosts() []string
func (*AccessRule) GetMethods ¶
func (m *AccessRule) GetMethods() []string
func (*AccessRule) GetNotHosts ¶
func (m *AccessRule) GetNotHosts() []string
func (*AccessRule) GetNotMethods ¶
func (m *AccessRule) GetNotMethods() []string
func (*AccessRule) GetNotPaths ¶
func (m *AccessRule) GetNotPaths() []string
func (*AccessRule) GetNotPorts ¶
func (m *AccessRule) GetNotPorts() []int32
func (*AccessRule) GetPaths ¶
func (m *AccessRule) GetPaths() []string
func (*AccessRule) GetPorts ¶
func (m *AccessRule) GetPorts() []int32
func (*AccessRule) GetServices ¶
func (m *AccessRule) GetServices() []string
func (*AccessRule) Marshal ¶
func (m *AccessRule) Marshal() (dAtA []byte, err error)
func (*AccessRule) ProtoMessage ¶
func (*AccessRule) ProtoMessage()
func (*AccessRule) Reset ¶
func (m *AccessRule) Reset()
func (*AccessRule) Size ¶
func (m *AccessRule) Size() (n int)
func (*AccessRule) String ¶
func (m *AccessRule) String() string
func (*AccessRule) Unmarshal ¶
func (m *AccessRule) Unmarshal(dAtA []byte) error
type AccessRule_Constraint ¶
```go
type AccessRule_Constraint struct {
	// Key of the constraint.
	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// List of valid values for the constraint.
	// Exact match, prefix match, and suffix match are supported.
	// For example, the value "v1alpha2" matches "v1alpha2" (exact match),
	// or "v1*" (prefix match), or "*alpha2" (suffix match).
	Values []string `protobuf:"bytes,2,rep,name=values" json:"values,omitempty"`
}
```
Definition of a custom constraint. The supported keys are listed in the "constraint and properties" page.
func (*AccessRule_Constraint) Descriptor ¶
func (*AccessRule_Constraint) Descriptor() ([]byte, []int)
func (*AccessRule_Constraint) GetKey ¶
func (m *AccessRule_Constraint) GetKey() string
func (*AccessRule_Constraint) GetValues ¶
func (m *AccessRule_Constraint) GetValues() []string
func (*AccessRule_Constraint) Marshal ¶
func (m *AccessRule_Constraint) Marshal() (dAtA []byte, err error)
func (*AccessRule_Constraint) MarshalTo ¶
func (m *AccessRule_Constraint) MarshalTo(dAtA []byte) (int, error)
func (*AccessRule_Constraint) ProtoMessage ¶
func (*AccessRule_Constraint) ProtoMessage()
func (*AccessRule_Constraint) Reset ¶
func (m *AccessRule_Constraint) Reset()
func (*AccessRule_Constraint) Size ¶
func (m *AccessRule_Constraint) Size() (n int)
func (*AccessRule_Constraint) String ¶
func (m *AccessRule_Constraint) String() string
func (*AccessRule_Constraint) Unmarshal ¶
func (m *AccessRule_Constraint) Unmarshal(dAtA []byte) error
type AuthorizationPolicy ¶
```go
type AuthorizationPolicy struct {
	// $hide_from_docs
	// Optional. One or more labels that indicate a specific set of pods/VMs
	// on which this authorization policy should be applied. Leave this empty to
	// select all pods/VMs.
	// The scope of label search is platform dependent. On Kubernetes, for example,
	// the scope includes pods running in the same namespace as the authorization policy itself.
	WorkloadSelector *WorkloadSelector `protobuf:"bytes,1,opt,name=workload_selector,json=workloadSelector" json:"workload_selector,omitempty"`
	// $hide_from_docs
	// A list of bindings that specify the subjects and permissions to the selected workload.
	Allow []*ServiceRoleBinding `protobuf:"bytes,2,rep,name=allow" json:"allow,omitempty"`
}
```
$hide_from_docs AuthorizationPolicy to enforce access control on a selected workload.
func (*AuthorizationPolicy) Descriptor ¶
func (*AuthorizationPolicy) Descriptor() ([]byte, []int)
func (*AuthorizationPolicy) GetAllow ¶
func (m *AuthorizationPolicy) GetAllow() []*ServiceRoleBinding
func (*AuthorizationPolicy) GetWorkloadSelector ¶
func (m *AuthorizationPolicy) GetWorkloadSelector() *WorkloadSelector
func (*AuthorizationPolicy) Marshal ¶
func (m *AuthorizationPolicy) Marshal() (dAtA []byte, err error)
func (*AuthorizationPolicy) MarshalTo ¶
func (m *AuthorizationPolicy) MarshalTo(dAtA []byte) (int, error)
func (*AuthorizationPolicy) ProtoMessage ¶
func (*AuthorizationPolicy) ProtoMessage()
func (*AuthorizationPolicy) Reset ¶
func (m *AuthorizationPolicy) Reset()
func (*AuthorizationPolicy) Size ¶
func (m *AuthorizationPolicy) Size() (n int)
func (*AuthorizationPolicy) String ¶
func (m *AuthorizationPolicy) String() string
func (*AuthorizationPolicy) Unmarshal ¶
func (m *AuthorizationPolicy) Unmarshal(dAtA []byte) error
type EnforcementMode ¶
type EnforcementMode int32
$hide_from_docs RBAC ServiceRoleBinding enforcement mode, used to verify that new ServiceRoleBinding configs work as expected before rolling them out to production. The RBAC engine only logs the results of configs that are in permissive mode and discards those results before returning to the user.
```go
const (
	// Policy in ENFORCED mode has impact on user experience.
	// Policy is in ENFORCED mode by default.
	EnforcementMode_ENFORCED EnforcementMode = 0
	// Policy in PERMISSIVE mode isn't enforced and has no impact on users.
	// The RBAC engine runs policies in PERMISSIVE mode and logs stats.
	EnforcementMode_PERMISSIVE EnforcementMode = 1
)
```
func (EnforcementMode) EnumDescriptor ¶
func (EnforcementMode) EnumDescriptor() ([]byte, []int)
func (EnforcementMode) String ¶
func (x EnforcementMode) String() string
type RbacConfig ¶
```go
type RbacConfig struct {
	// Istio RBAC mode.
	Mode RbacConfig_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.RbacConfig_Mode" json:"mode,omitempty"`
	// A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field has
	// effect only when mode is ON_WITH_INCLUSION and will be ignored for any other mode.
	Inclusion *RbacConfig_Target `protobuf:"bytes,2,opt,name=inclusion" json:"inclusion,omitempty"`
	// A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field has
	// effect only when mode is ON_WITH_EXCLUSION and will be ignored for any other mode.
	Exclusion *RbacConfig_Target `protobuf:"bytes,3,opt,name=exclusion" json:"exclusion,omitempty"`
	// $hide_from_docs
	// Indicates the enforcement mode of the RbacConfig, ENFORCED by default.
	// It's used to verify that a new RbacConfig works as expected before rolling it out to production.
	// When set to PERMISSIVE, RBAC isn't enforced and has no impact on users.
	// The RBAC engine runs the RbacConfig in PERMISSIVE mode and logs stats.
	// Invalid to set RbacConfig in PERMISSIVE and ServiceRoleBinding in ENFORCED mode.
	EnforcementMode EnforcementMode `` /* 148-byte string literal not displayed */
}
```
RbacConfig defines the global config that controls Istio RBAC behavior. This Custom Resource is a singleton: only one should be created globally in the mesh, and its namespace should be the same as that of the other Istio components, which is usually istio-system. Note: This is enforced both in istioctl and on the server side; a new Custom Resource will be rejected if an existing one is found, so the user should either delete the existing one or change it directly.
Below is an example of an RbacConfig object, "istio-rbac-config", which enables Istio RBAC for all services in the default namespace.
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: [ "default" ]
```
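An added example (not Istio code) of how the RbacConfig modes scope enforcement, following the field comments above: inclusion counts only in ON_WITH_INCLUSION, exclusion only in ON_WITH_EXCLUSION, OFF disables everything, and a PERMISSIVE RbacConfig combined with an ENFORCED ServiceRoleBinding is rejected as invalid. The structs and string-valued modes are local stand-ins for the generated types.

```go
package main

import "fmt"

// Stand-ins for the page's RbacConfig and RbacConfig_Target (assumption: plain
// structs with string modes instead of the generated protobuf enums, so this
// runs without the istio module).
type Target struct {
	Services, Namespaces []string
}
type RbacConfig struct {
	Mode                 string // OFF, ON, ON_WITH_INCLUSION or ON_WITH_EXCLUSION
	Inclusion, Exclusion *Target
	EnforcementMode      string // "" or ENFORCED (the default), or PERMISSIVE
}

// inTarget reports whether the request's namespace or service is listed in t.
func inTarget(t *Target, namespace, service string) bool {
	if t == nil {
		return false
	}
	for _, ns := range t.Namespaces {
		if ns == namespace {
			return true
		}
	}
	for _, s := range t.Services {
		if s == service {
			return true
		}
	}
	return false
}

// Enforced reports whether RBAC policies apply to a request for service in
// namespace. As the field comments state, inclusion is consulted only in
// ON_WITH_INCLUSION and exclusion only in ON_WITH_EXCLUSION; OFF ignores both.
func Enforced(cfg RbacConfig, namespace, service string) bool {
	switch cfg.Mode {
	case "ON":
		return true
	case "ON_WITH_INCLUSION":
		return inTarget(cfg.Inclusion, namespace, service)
	case "ON_WITH_EXCLUSION":
		return !inTarget(cfg.Exclusion, namespace, service)
	}
	return false // OFF: no policy is enforced anywhere
}

// Validate rejects the combination the field comments call invalid: a PERMISSIVE
// RbacConfig while any ServiceRoleBinding (name -> mode) is still ENFORCED.
func Validate(cfg RbacConfig, bindingModes map[string]string) error {
	if cfg.EnforcementMode != "PERMISSIVE" {
		return nil
	}
	for name, mode := range bindingModes {
		if mode == "" || mode == "ENFORCED" { // ENFORCED is the default
			return fmt.Errorf("ServiceRoleBinding %q is ENFORCED while RbacConfig is PERMISSIVE", name)
		}
	}
	return nil
}

func main() {
	// The RbacConfig object above, as constructed data.
	cfg := RbacConfig{Mode: "ON_WITH_INCLUSION", Inclusion: &Target{Namespaces: []string{"default"}}}
	fmt.Println("default/products enforced:", Enforced(cfg, "default", "products.default.svc.cluster.local")) // true
	fmt.Println("istio-system/telemetry enforced:", Enforced(cfg, "istio-system", "telemetry"))             // false
	cfg.EnforcementMode = "PERMISSIVE"
	fmt.Println("validate:", Validate(cfg, map[string]string{"test-binding-products": "ENFORCED"}))
}
```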
func (*RbacConfig) Descriptor ¶
func (*RbacConfig) Descriptor() ([]byte, []int)
func (*RbacConfig) GetEnforcementMode ¶
func (m *RbacConfig) GetEnforcementMode() EnforcementMode
func (*RbacConfig) GetExclusion ¶
func (m *RbacConfig) GetExclusion() *RbacConfig_Target
func (*RbacConfig) GetInclusion ¶
func (m *RbacConfig) GetInclusion() *RbacConfig_Target
func (*RbacConfig) GetMode ¶
func (m *RbacConfig) GetMode() RbacConfig_Mode
func (*RbacConfig) Marshal ¶
func (m *RbacConfig) Marshal() (dAtA []byte, err error)
func (*RbacConfig) ProtoMessage ¶
func (*RbacConfig) ProtoMessage()
func (*RbacConfig) Reset ¶
func (m *RbacConfig) Reset()
func (*RbacConfig) Size ¶
func (m *RbacConfig) Size() (n int)
func (*RbacConfig) String ¶
func (m *RbacConfig) String() string
func (*RbacConfig) Unmarshal ¶
func (m *RbacConfig) Unmarshal(dAtA []byte) error
type RbacConfig_Mode ¶
type RbacConfig_Mode int32
```go
const (
	// Disable Istio RBAC completely, any other config in RbacConfig will be ignored and Istio RBAC policies
	// will not be enforced.
	RbacConfig_OFF RbacConfig_Mode = 0
	// Enable Istio RBAC for all services and namespaces.
	RbacConfig_ON RbacConfig_Mode = 1
	// Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other
	// services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies.
	RbacConfig_ON_WITH_INCLUSION RbacConfig_Mode = 2
	// Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other
	// services and namespaces not in the exclusion field will be enforced by Istio RBAC policies.
	RbacConfig_ON_WITH_EXCLUSION RbacConfig_Mode = 3
)
```
func (RbacConfig_Mode) EnumDescriptor ¶
func (RbacConfig_Mode) EnumDescriptor() ([]byte, []int)
func (RbacConfig_Mode) String ¶
func (x RbacConfig_Mode) String() string
type RbacConfig_Target ¶
```go
type RbacConfig_Target struct {
	// A list of services.
	Services []string `protobuf:"bytes,1,rep,name=services" json:"services,omitempty"`
	// $hide_from_docs
	// A list of workloads.
	WorkloadSelectors []*WorkloadSelector `protobuf:"bytes,3,rep,name=workload_selectors,json=workloadSelectors" json:"workload_selectors,omitempty"`
	// A list of namespaces.
	Namespaces []string `protobuf:"bytes,2,rep,name=namespaces" json:"namespaces,omitempty"`
}
```
Target defines a list of services or namespaces.
func (*RbacConfig_Target) Descriptor ¶
func (*RbacConfig_Target) Descriptor() ([]byte, []int)
func (*RbacConfig_Target) GetNamespaces ¶
func (m *RbacConfig_Target) GetNamespaces() []string
func (*RbacConfig_Target) GetServices ¶
func (m *RbacConfig_Target) GetServices() []string
func (*RbacConfig_Target) GetWorkloadSelectors ¶
func (m *RbacConfig_Target) GetWorkloadSelectors() []*WorkloadSelector
func (*RbacConfig_Target) Marshal ¶
func (m *RbacConfig_Target) Marshal() (dAtA []byte, err error)
func (*RbacConfig_Target) MarshalTo ¶
func (m *RbacConfig_Target) MarshalTo(dAtA []byte) (int, error)
func (*RbacConfig_Target) ProtoMessage ¶
func (*RbacConfig_Target) ProtoMessage()
func (*RbacConfig_Target) Reset ¶
func (m *RbacConfig_Target) Reset()
func (*RbacConfig_Target) Size ¶
func (m *RbacConfig_Target) Size() (n int)
func (*RbacConfig_Target) String ¶
func (m *RbacConfig_Target) String() string
func (*RbacConfig_Target) Unmarshal ¶
func (m *RbacConfig_Target) Unmarshal(dAtA []byte) error
type RoleRef ¶
```go
type RoleRef struct {
	// Required. The type of the role being referenced.
	// Currently, "ServiceRole" is the only supported value for "kind".
	Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"`
	// Required. The name of the ServiceRole object being referenced.
	// The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
}
```
RoleRef refers to a role object.
func (*RoleRef) Descriptor ¶
func (*RoleRef) ProtoMessage ¶
func (*RoleRef) ProtoMessage()
type ServiceRole ¶
```go
type ServiceRole struct {
	// Required. The set of access rules (permissions) that the role has.
	Rules []*AccessRule `protobuf:"bytes,1,rep,name=rules" json:"rules,omitempty"`
}
```
ServiceRole specification contains a list of access rules (permissions).
func (*ServiceRole) Descriptor ¶
func (*ServiceRole) Descriptor() ([]byte, []int)
func (*ServiceRole) GetRules ¶
func (m *ServiceRole) GetRules() []*AccessRule
func (*ServiceRole) Marshal ¶
func (m *ServiceRole) Marshal() (dAtA []byte, err error)
func (*ServiceRole) ProtoMessage ¶
func (*ServiceRole) ProtoMessage()
func (*ServiceRole) Reset ¶
func (m *ServiceRole) Reset()
func (*ServiceRole) Size ¶
func (m *ServiceRole) Size() (n int)
func (*ServiceRole) String ¶
func (m *ServiceRole) String() string
func (*ServiceRole) Unmarshal ¶
func (m *ServiceRole) Unmarshal(dAtA []byte) error
type ServiceRoleBinding ¶
```go
type ServiceRoleBinding struct {
	// Required. List of subjects that are assigned the ServiceRole object.
	Subjects []*Subject `protobuf:"bytes,1,rep,name=subjects" json:"subjects,omitempty"`
	// Required. Reference to the ServiceRole object.
	RoleRef *RoleRef `protobuf:"bytes,2,opt,name=roleRef" json:"roleRef,omitempty"`
	// $hide_from_docs
	// Indicates enforcement mode of the ServiceRoleBinding.
	Mode EnforcementMode `protobuf:"varint,3,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.EnforcementMode" json:"mode,omitempty"`
}
```
ServiceRoleBinding assigns a ServiceRole to a list of subjects.
func (*ServiceRoleBinding) Descriptor ¶
func (*ServiceRoleBinding) Descriptor() ([]byte, []int)
func (*ServiceRoleBinding) GetMode ¶
func (m *ServiceRoleBinding) GetMode() EnforcementMode
func (*ServiceRoleBinding) GetRoleRef ¶
func (m *ServiceRoleBinding) GetRoleRef() *RoleRef
func (*ServiceRoleBinding) GetSubjects ¶
func (m *ServiceRoleBinding) GetSubjects() []*Subject
func (*ServiceRoleBinding) Marshal ¶
func (m *ServiceRoleBinding) Marshal() (dAtA []byte, err error)
func (*ServiceRoleBinding) MarshalTo ¶
func (m *ServiceRoleBinding) MarshalTo(dAtA []byte) (int, error)
func (*ServiceRoleBinding) ProtoMessage ¶
func (*ServiceRoleBinding) ProtoMessage()
func (*ServiceRoleBinding) Reset ¶
func (m *ServiceRoleBinding) Reset()
func (*ServiceRoleBinding) Size ¶
func (m *ServiceRoleBinding) Size() (n int)
func (*ServiceRoleBinding) String ¶
func (m *ServiceRoleBinding) String() string
func (*ServiceRoleBinding) Unmarshal ¶
func (m *ServiceRoleBinding) Unmarshal(dAtA []byte) error
type Subject ¶
```go
type Subject struct {
	// Optional. The user name/ID that the subject represents.
	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
	// $hide_from_docs
	// Optional. A list of principals that the subject represents. This is matched to the
	// `source.principal` attribute. If not specified, it applies to any principal.
	Principals []string `protobuf:"bytes,4,rep,name=principals" json:"principals,omitempty"`
	// $hide_from_docs
	// Optional. A list of principals that must not be matched.
	NotPrincipals []string `protobuf:"bytes,5,rep,name=not_principals,json=notPrincipals" json:"not_principals,omitempty"`
	// $hide_from_docs
	// Optional. The group that the subject belongs to.
	// Deprecated. Use groups and not_groups instead.
	Group string `protobuf:"bytes,2,opt,name=group,proto3" json:"group,omitempty"`
	// $hide_from_docs
	// Optional. A list of groups that the subject represents. This is matched to the
	// `request.auth.claims[groups]` attribute. If not specified, it applies to any group.
	Groups []string `protobuf:"bytes,6,rep,name=groups" json:"groups,omitempty"`
	// $hide_from_docs
	// Optional. A list of groups that must not be matched.
	NotGroups []string `protobuf:"bytes,7,rep,name=not_groups,json=notGroups" json:"not_groups,omitempty"`
	// $hide_from_docs
	// Optional. A list of namespaces that the subject represents. This is matched to
	// the `source.namespace` attribute. If not specified, it applies to any namespace.
	Namespaces []string `protobuf:"bytes,8,rep,name=namespaces" json:"namespaces,omitempty"`
	// $hide_from_docs
	// Optional. A list of namespaces that must not be matched.
	NotNamespaces []string `protobuf:"bytes,9,rep,name=not_namespaces,json=notNamespaces" json:"not_namespaces,omitempty"`
	// $hide_from_docs
	// Optional. A list of IP addresses or CIDR ranges that the subject represents.
	// E.g. 192.168.100.2 or 10.1.0.0/16. If not specified, it applies to any IP address.
	Ips []string `protobuf:"bytes,10,rep,name=ips" json:"ips,omitempty"`
	// $hide_from_docs
	// Optional. A list of IP addresses or CIDR ranges that must not be matched.
	NotIps []string `protobuf:"bytes,11,rep,name=not_ips,json=notIps" json:"not_ips,omitempty"`
	// Optional. The set of properties that identify the subject.
	Properties map[string]string `` /* 154-byte string literal not displayed */
}
```
Subject defines an identity. The identity is either a user or is identified by a set of `properties`. The supported keys in `properties` are listed in the "constraint and properties" page.
func (*Subject) Descriptor ¶
func (*Subject) GetNamespaces ¶
func (*Subject) GetNotGroups ¶
func (*Subject) GetNotNamespaces ¶
func (*Subject) GetNotPrincipals ¶
func (*Subject) GetPrincipals ¶
func (*Subject) GetProperties ¶
func (*Subject) ProtoMessage ¶
func (*Subject) ProtoMessage()
type WorkloadSelector ¶
```go
type WorkloadSelector struct {
	// One or more labels that indicate a specific set of pods/VMs on which
	// this sidecar configuration should be applied. The scope of label
	// search is restricted to the configuration namespace in which the
	// resource is present.
	Labels map[string]string `` /* 146-byte string literal not displayed */
}
```
$hide_from_docs This is forked from networking/v1alpha3/sidecar.proto to avoid a direct dependency of the rbac API on the networking API. TODO: Move WorkloadSelector to a common place to be shared by other packages. WorkloadSelector specifies the criteria used to determine whether the Gateway or Sidecar resource can be applied to a proxy. The matching criteria include the metadata associated with a proxy, workload info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload to be selected. Currently, only label-based selection is supported.
func (*WorkloadSelector) Descriptor ¶
func (*WorkloadSelector) Descriptor() ([]byte, []int)
func (*WorkloadSelector) GetLabels ¶
func (m *WorkloadSelector) GetLabels() map[string]string
func (*WorkloadSelector) Marshal ¶
func (m *WorkloadSelector) Marshal() (dAtA []byte, err error)
func (*WorkloadSelector) ProtoMessage ¶
func (*WorkloadSelector) ProtoMessage()
func (*WorkloadSelector) Reset ¶
func (m *WorkloadSelector) Reset()
func (*WorkloadSelector) Size ¶
func (m *WorkloadSelector) Size() (n int)
func (*WorkloadSelector) String ¶
func (m *WorkloadSelector) String() string
func (*WorkloadSelector) Unmarshal ¶
func (m *WorkloadSelector) Unmarshal(dAtA []byte) error