Documentation ¶
Index ¶
- Variables
- type Permission
- func (*Permission) Descriptor() ([]byte, []int)deprecated
- func (x *Permission) GetAndRules() *Permission_Set
- func (x *Permission) GetAny() bool
- func (x *Permission) GetDestinationIp() *core.CidrRange
- func (x *Permission) GetDestinationPort() uint32
- func (x *Permission) GetHeader() *route.HeaderMatcher
- func (x *Permission) GetMetadata() *matcher.MetadataMatcher
- func (x *Permission) GetNotRule() *Permission
- func (x *Permission) GetOrRules() *Permission_Set
- func (x *Permission) GetRequestedServerName() *matcher.StringMatcher
- func (m *Permission) GetRule() isPermission_Rule
- func (x *Permission) GetUrlPath() *matcher.PathMatcher
- func (*Permission) ProtoMessage()
- func (x *Permission) ProtoReflect() protoreflect.Message
- func (x *Permission) Reset()
- func (x *Permission) String() string
- type Permission_AndRules
- type Permission_Any
- type Permission_DestinationIp
- type Permission_DestinationPort
- type Permission_Header
- type Permission_Metadata
- type Permission_NotRule
- type Permission_OrRules
- type Permission_RequestedServerName
- type Permission_Set
- type Permission_UrlPath
- type Policy
- func (*Policy) Descriptor() ([]byte, []int)deprecated
- func (x *Policy) GetCondition() *v1alpha1.Expr
- func (x *Policy) GetPermissions() []*Permission
- func (x *Policy) GetPrincipals() []*Principal
- func (*Policy) ProtoMessage()
- func (x *Policy) ProtoReflect() protoreflect.Message
- func (x *Policy) Reset()
- func (x *Policy) String() string
- type Principal
- func (*Principal) Descriptor() ([]byte, []int)deprecated
- func (x *Principal) GetAndIds() *Principal_Set
- func (x *Principal) GetAny() bool
- func (x *Principal) GetAuthenticated() *Principal_Authenticated
- func (x *Principal) GetDirectRemoteIp() *core.CidrRange
- func (x *Principal) GetHeader() *route.HeaderMatcher
- func (m *Principal) GetIdentifier() isPrincipal_Identifier
- func (x *Principal) GetMetadata() *matcher.MetadataMatcher
- func (x *Principal) GetNotId() *Principal
- func (x *Principal) GetOrIds() *Principal_Set
- func (x *Principal) GetRemoteIp() *core.CidrRange
- func (x *Principal) GetSourceIp() *core.CidrRangedeprecated
- func (x *Principal) GetUrlPath() *matcher.PathMatcher
- func (*Principal) ProtoMessage()
- func (x *Principal) ProtoReflect() protoreflect.Message
- func (x *Principal) Reset()
- func (x *Principal) String() string
- type Principal_AndIds
- type Principal_Any
- type Principal_Authenticated
- func (*Principal_Authenticated) Descriptor() ([]byte, []int)deprecated
- func (x *Principal_Authenticated) GetPrincipalName() *matcher.StringMatcher
- func (*Principal_Authenticated) ProtoMessage()
- func (x *Principal_Authenticated) ProtoReflect() protoreflect.Message
- func (x *Principal_Authenticated) Reset()
- func (x *Principal_Authenticated) String() string
- type Principal_Authenticated_
- type Principal_DirectRemoteIp
- type Principal_Header
- type Principal_Metadata
- type Principal_NotId
- type Principal_OrIds
- type Principal_RemoteIp
- type Principal_Set
- type Principal_SourceIp
- type Principal_UrlPath
- type RBAC
- type RBAC_Action
- func (RBAC_Action) Descriptor() protoreflect.EnumDescriptor
- func (x RBAC_Action) Enum() *RBAC_Action
- func (RBAC_Action) EnumDescriptor() ([]byte, []int)deprecated
- func (x RBAC_Action) Number() protoreflect.EnumNumber
- func (x RBAC_Action) String() string
- func (RBAC_Action) Type() protoreflect.EnumType
Constants ¶
This section is empty.
Variables ¶
var ( RBAC_Action_name = map[int32]string{ 0: "ALLOW", 1: "DENY", } RBAC_Action_value = map[string]int32{ "ALLOW": 0, "DENY": 1, } )
Enum value maps for RBAC_Action.
var File_envoy_config_rbac_v2_rbac_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type Permission ¶
type Permission struct { // Types that are assignable to Rule: // // *Permission_AndRules // *Permission_OrRules // *Permission_Any // *Permission_Header // *Permission_UrlPath // *Permission_DestinationIp // *Permission_DestinationPort // *Permission_Metadata // *Permission_NotRule // *Permission_RequestedServerName Rule isPermission_Rule `protobuf_oneof:"rule"` // contains filtered or unexported fields }
Permission defines an action (or actions) that a principal can take. [#next-free-field: 11]
func (*Permission) Descriptor
deprecated
func (*Permission) Descriptor() ([]byte, []int)
Deprecated: Use Permission.ProtoReflect.Descriptor instead.
func (*Permission) GetAndRules ¶
func (x *Permission) GetAndRules() *Permission_Set
func (*Permission) GetAny ¶
func (x *Permission) GetAny() bool
func (*Permission) GetDestinationIp ¶
func (x *Permission) GetDestinationIp() *core.CidrRange
func (*Permission) GetDestinationPort ¶
func (x *Permission) GetDestinationPort() uint32
func (*Permission) GetHeader ¶
func (x *Permission) GetHeader() *route.HeaderMatcher
func (*Permission) GetMetadata ¶
func (x *Permission) GetMetadata() *matcher.MetadataMatcher
func (*Permission) GetNotRule ¶
func (x *Permission) GetNotRule() *Permission
func (*Permission) GetOrRules ¶
func (x *Permission) GetOrRules() *Permission_Set
func (*Permission) GetRequestedServerName ¶
func (x *Permission) GetRequestedServerName() *matcher.StringMatcher
func (*Permission) GetRule ¶
func (m *Permission) GetRule() isPermission_Rule
func (*Permission) GetUrlPath ¶
func (x *Permission) GetUrlPath() *matcher.PathMatcher
func (*Permission) ProtoMessage ¶
func (*Permission) ProtoMessage()
func (*Permission) ProtoReflect ¶
func (x *Permission) ProtoReflect() protoreflect.Message
func (*Permission) Reset ¶
func (x *Permission) Reset()
func (*Permission) String ¶
func (x *Permission) String() string
type Permission_AndRules ¶
type Permission_AndRules struct { // A set of rules that all must match in order to define the action. AndRules *Permission_Set `protobuf:"bytes,1,opt,name=and_rules,json=andRules,proto3,oneof"` }
type Permission_Any ¶
type Permission_Any struct { // When any is set, it matches any action. Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"` }
type Permission_DestinationPort ¶
type Permission_DestinationPort struct { // A port number that describes the destination port connecting to. DestinationPort uint32 `protobuf:"varint,6,opt,name=destination_port,json=destinationPort,proto3,oneof"` }
type Permission_Header ¶
type Permission_Header struct { // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only // available for HTTP request. // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path` // field if you want to match the URL path without the query and fragment string. Header *route.HeaderMatcher `protobuf:"bytes,4,opt,name=header,proto3,oneof"` }
type Permission_Metadata ¶
type Permission_Metadata struct { // Metadata that describes additional information about the action. Metadata *matcher.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"` }
type Permission_NotRule ¶
type Permission_NotRule struct { // Negates matching the provided permission. For instance, if the value of `not_rule` would // match, this permission would not match. Conversely, if the value of `not_rule` would not // match, this permission would match. NotRule *Permission `protobuf:"bytes,8,opt,name=not_rule,json=notRule,proto3,oneof"` }
type Permission_OrRules ¶
type Permission_OrRules struct { // A set of rules where at least one must match in order to define the action. OrRules *Permission_Set `protobuf:"bytes,2,opt,name=or_rules,json=orRules,proto3,oneof"` }
type Permission_RequestedServerName ¶
type Permission_RequestedServerName struct { // The request server from the client's connection request. This is // typically TLS SNI. // // .. attention:: // // The behavior of this field may be affected by how Envoy is configured // as explained below. // // * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>` // filter is not added, and if a `FilterChainMatch` is not defined for // the :ref:`server name <envoy_api_field_listener.FilterChainMatch.server_names>`, // a TLS connection's requested SNI server name will be treated as if it // wasn't present. // // * A :ref:`listener filter <arch_overview_listener_filters>` may // overwrite a connection's requested server name within Envoy. // // Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to // setup SNI. RequestedServerName *matcher.StringMatcher `protobuf:"bytes,9,opt,name=requested_server_name,json=requestedServerName,proto3,oneof"` }
type Permission_Set ¶
type Permission_Set struct { Rules []*Permission `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"` // contains filtered or unexported fields }
Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context, each are applied with the associated behavior.
func (*Permission_Set) Descriptor
deprecated
func (*Permission_Set) Descriptor() ([]byte, []int)
Deprecated: Use Permission_Set.ProtoReflect.Descriptor instead.
func (*Permission_Set) GetRules ¶
func (x *Permission_Set) GetRules() []*Permission
func (*Permission_Set) ProtoMessage ¶
func (*Permission_Set) ProtoMessage()
func (*Permission_Set) ProtoReflect ¶
func (x *Permission_Set) ProtoReflect() protoreflect.Message
func (*Permission_Set) Reset ¶
func (x *Permission_Set) Reset()
func (*Permission_Set) String ¶
func (x *Permission_Set) String() string
type Permission_UrlPath ¶
type Permission_UrlPath struct { // A URL path on the incoming HTTP request. Only available for HTTP. UrlPath *matcher.PathMatcher `protobuf:"bytes,10,opt,name=url_path,json=urlPath,proto3,oneof"` }
type Policy ¶
type Policy struct { // Required. The set of permissions that define a role. Each permission is matched with OR // semantics. To match all actions for this policy, a single Permission with the `any` field set // to true should be used. Permissions []*Permission `protobuf:"bytes,1,rep,name=permissions,proto3" json:"permissions,omitempty"` // Required. The set of principals that are assigned/denied the role based on “action”. Each // principal is matched with OR semantics. To match all downstreams for this policy, a single // Principal with the `any` field set to true should be used. Principals []*Principal `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"` // An optional symbolic expression specifying an access control // :ref:`condition <arch_overview_condition>`. The condition is combined // with the permissions and the principals as a clause with AND semantics. Condition *v1alpha1.Expr `protobuf:"bytes,3,opt,name=condition,proto3" json:"condition,omitempty"` // contains filtered or unexported fields }
Policy specifies a role and the principals that are assigned/denied the role. A policy matches if and only if at least one of its permissions match the action taking place AND at least one of its principals match the downstream AND the condition is true if specified.
func (*Policy) Descriptor
deprecated
func (*Policy) GetCondition ¶
func (*Policy) GetPermissions ¶
func (x *Policy) GetPermissions() []*Permission
func (*Policy) GetPrincipals ¶
func (*Policy) ProtoMessage ¶
func (*Policy) ProtoMessage()
func (*Policy) ProtoReflect ¶
func (x *Policy) ProtoReflect() protoreflect.Message
type Principal ¶
type Principal struct { // Types that are assignable to Identifier: // // *Principal_AndIds // *Principal_OrIds // *Principal_Any // *Principal_Authenticated_ // *Principal_SourceIp // *Principal_DirectRemoteIp // *Principal_RemoteIp // *Principal_Header // *Principal_UrlPath // *Principal_Metadata // *Principal_NotId Identifier isPrincipal_Identifier `protobuf_oneof:"identifier"` // contains filtered or unexported fields }
Principal defines an identity or a group of identities for a downstream subject. [#next-free-field: 12]
func (*Principal) Descriptor
deprecated
func (*Principal) GetAndIds ¶
func (x *Principal) GetAndIds() *Principal_Set
func (*Principal) GetAuthenticated ¶
func (x *Principal) GetAuthenticated() *Principal_Authenticated
func (*Principal) GetDirectRemoteIp ¶
func (*Principal) GetHeader ¶
func (x *Principal) GetHeader() *route.HeaderMatcher
func (*Principal) GetIdentifier ¶
func (m *Principal) GetIdentifier() isPrincipal_Identifier
func (*Principal) GetMetadata ¶
func (x *Principal) GetMetadata() *matcher.MetadataMatcher
func (*Principal) GetOrIds ¶
func (x *Principal) GetOrIds() *Principal_Set
func (*Principal) GetRemoteIp ¶
func (*Principal) GetSourceIp
deprecated
func (*Principal) GetUrlPath ¶
func (x *Principal) GetUrlPath() *matcher.PathMatcher
func (*Principal) ProtoMessage ¶
func (*Principal) ProtoMessage()
func (*Principal) ProtoReflect ¶
func (x *Principal) ProtoReflect() protoreflect.Message
type Principal_AndIds ¶
type Principal_AndIds struct { // A set of identifiers that all must match in order to define the downstream. AndIds *Principal_Set `protobuf:"bytes,1,opt,name=and_ids,json=andIds,proto3,oneof"` }
type Principal_Any ¶
type Principal_Any struct { // When any is set, it matches any downstream. Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"` }
type Principal_Authenticated ¶
type Principal_Authenticated struct { // The name of the principal. If set, The URI SAN or DNS SAN in that order is used from the // certificate, otherwise the subject field is used. If unset, it applies to any user that is // authenticated. PrincipalName *matcher.StringMatcher `protobuf:"bytes,2,opt,name=principal_name,json=principalName,proto3" json:"principal_name,omitempty"` // contains filtered or unexported fields }
Authentication attributes for a downstream.
func (*Principal_Authenticated) Descriptor
deprecated
func (*Principal_Authenticated) Descriptor() ([]byte, []int)
Deprecated: Use Principal_Authenticated.ProtoReflect.Descriptor instead.
func (*Principal_Authenticated) GetPrincipalName ¶
func (x *Principal_Authenticated) GetPrincipalName() *matcher.StringMatcher
func (*Principal_Authenticated) ProtoMessage ¶
func (*Principal_Authenticated) ProtoMessage()
func (*Principal_Authenticated) ProtoReflect ¶
func (x *Principal_Authenticated) ProtoReflect() protoreflect.Message
func (*Principal_Authenticated) Reset ¶
func (x *Principal_Authenticated) Reset()
func (*Principal_Authenticated) String ¶
func (x *Principal_Authenticated) String() string
type Principal_Authenticated_ ¶
type Principal_Authenticated_ struct { // Authenticated attributes that identify the downstream. Authenticated *Principal_Authenticated `protobuf:"bytes,4,opt,name=authenticated,proto3,oneof"` }
type Principal_DirectRemoteIp ¶
type Principal_DirectRemoteIp struct { // A CIDR block that describes the downstream remote/origin address. // Note: This is always the physical peer even if the // :ref:`remote_ip <envoy_api_field_config.rbac.v2.Principal.remote_ip>` is inferred // from for example the x-forwarder-for header, proxy protocol, etc. DirectRemoteIp *core.CidrRange `protobuf:"bytes,10,opt,name=direct_remote_ip,json=directRemoteIp,proto3,oneof"` }
type Principal_Header ¶
type Principal_Header struct { // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only // available for HTTP request. // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path` // field if you want to match the URL path without the query and fragment string. Header *route.HeaderMatcher `protobuf:"bytes,6,opt,name=header,proto3,oneof"` }
type Principal_Metadata ¶
type Principal_Metadata struct { // Metadata that describes additional information about the principal. Metadata *matcher.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"` }
type Principal_NotId ¶
type Principal_NotId struct { // Negates matching the provided principal. For instance, if the value of `not_id` would match, // this principal would not match. Conversely, if the value of `not_id` would not match, this // principal would match. NotId *Principal `protobuf:"bytes,8,opt,name=not_id,json=notId,proto3,oneof"` }
type Principal_OrIds ¶
type Principal_OrIds struct { // A set of identifiers at least one must match in order to define the downstream. OrIds *Principal_Set `protobuf:"bytes,2,opt,name=or_ids,json=orIds,proto3,oneof"` }
type Principal_RemoteIp ¶
type Principal_RemoteIp struct { // A CIDR block that describes the downstream remote/origin address. // Note: This may not be the physical peer and could be different from the // :ref:`direct_remote_ip <envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>`. // E.g, if the remote ip is inferred from for example the x-forwarder-for header, // proxy protocol, etc. RemoteIp *core.CidrRange `protobuf:"bytes,11,opt,name=remote_ip,json=remoteIp,proto3,oneof"` }
type Principal_Set ¶
type Principal_Set struct { Ids []*Principal `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"` // contains filtered or unexported fields }
Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context, each are applied with the associated behavior.
func (*Principal_Set) Descriptor
deprecated
func (*Principal_Set) Descriptor() ([]byte, []int)
Deprecated: Use Principal_Set.ProtoReflect.Descriptor instead.
func (*Principal_Set) GetIds ¶
func (x *Principal_Set) GetIds() []*Principal
func (*Principal_Set) ProtoMessage ¶
func (*Principal_Set) ProtoMessage()
func (*Principal_Set) ProtoReflect ¶
func (x *Principal_Set) ProtoReflect() protoreflect.Message
func (*Principal_Set) Reset ¶
func (x *Principal_Set) Reset()
func (*Principal_Set) String ¶
func (x *Principal_Set) String() string
type Principal_SourceIp ¶
type Principal_SourceIp struct { // A CIDR block that describes the downstream IP. // This address will honor proxy protocol, but will not honor XFF. // // Deprecated: Marked as deprecated in envoy/config/rbac/v2/rbac.proto. SourceIp *core.CidrRange `protobuf:"bytes,5,opt,name=source_ip,json=sourceIp,proto3,oneof"` }
type Principal_UrlPath ¶
type Principal_UrlPath struct { // A URL path on the incoming HTTP request. Only available for HTTP. UrlPath *matcher.PathMatcher `protobuf:"bytes,9,opt,name=url_path,json=urlPath,proto3,oneof"` }
type RBAC ¶
type RBAC struct { // The action to take if a policy matches. The request is allowed if and only if: // // - `action` is "ALLOWED" and at least one policy matches // - `action` is "DENY" and none of the policies match Action RBAC_Action `protobuf:"varint,1,opt,name=action,proto3,enum=envoy.config.rbac.v2.RBAC_Action" json:"action,omitempty"` // Maps from policy name to policy. A match occurs when at least one policy matches the request. Policies map[string]*Policy `` /* 157-byte string literal not displayed */ // contains filtered or unexported fields }
Role Based Access Control (RBAC) provides service-level and method-level access control for a service. RBAC policies are additive. The policies are examined in order. A request is allowed once a matching policy is found (suppose the `action` is ALLOW).
Here is an example of RBAC configuration. It has two policies:
Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so does "cluster.local/ns/default/sa/superuser".
Any user can read ("GET") the service at paths with prefix "/products", so long as the destination port is either 80 or 443.
.. code-block:: yaml
action: ALLOW policies: "service-admin": permissions:
any: true principals:
authenticated: principal_name: exact: "cluster.local/ns/default/sa/admin"
authenticated: principal_name: exact: "cluster.local/ns/default/sa/superuser" "product-viewer": permissions:
and_rules: rules:
header: { name: ":method", exact_match: "GET" }
url_path: path: { prefix: "/products" }
or_rules: rules:
destination_port: 80
destination_port: 443 principals:
any: true
func (*RBAC) Descriptor
deprecated
func (*RBAC) GetAction ¶
func (x *RBAC) GetAction() RBAC_Action
func (*RBAC) GetPolicies ¶
func (*RBAC) ProtoMessage ¶
func (*RBAC) ProtoMessage()
func (*RBAC) ProtoReflect ¶
func (x *RBAC) ProtoReflect() protoreflect.Message
type RBAC_Action ¶
type RBAC_Action int32
Should we do safe-list or block-list style access control?
const ( // The policies grant access to principals. The rest is denied. This is safe-list style // access control. This is the default type. RBAC_ALLOW RBAC_Action = 0 // The policies deny access to principals. The rest is allowed. This is block-list style // access control. RBAC_DENY RBAC_Action = 1 )
func (RBAC_Action) Descriptor ¶
func (RBAC_Action) Descriptor() protoreflect.EnumDescriptor
func (RBAC_Action) Enum ¶
func (x RBAC_Action) Enum() *RBAC_Action
func (RBAC_Action) EnumDescriptor
deprecated
func (RBAC_Action) EnumDescriptor() ([]byte, []int)
Deprecated: Use RBAC_Action.Descriptor instead.
func (RBAC_Action) Number ¶
func (x RBAC_Action) Number() protoreflect.EnumNumber
func (RBAC_Action) String ¶
func (x RBAC_Action) String() string
func (RBAC_Action) Type ¶
func (RBAC_Action) Type() protoreflect.EnumType