Documentation ¶
Index ¶
- Variables
- type AccessRule
- func (*AccessRule) Descriptor() ([]byte, []int)
- func (this *AccessRule) Equal(that interface{}) bool
- func (m *AccessRule) GetConstraints() []*AccessRule_Constraint
- func (m *AccessRule) GetMethods() []string
- func (m *AccessRule) GetPaths() []string
- func (m *AccessRule) GetServices() []string
- func (*AccessRule) ProtoMessage()
- func (m *AccessRule) Reset()
- func (m *AccessRule) String() string
- func (m *AccessRule) XXX_DiscardUnknown()
- func (m *AccessRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *AccessRule) XXX_Merge(src proto.Message)
- func (m *AccessRule) XXX_Size() int
- func (m *AccessRule) XXX_Unmarshal(b []byte) error
- type AccessRule_Constraint
- func (*AccessRule_Constraint) Descriptor() ([]byte, []int)
- func (this *AccessRule_Constraint) Equal(that interface{}) bool
- func (m *AccessRule_Constraint) GetKey() string
- func (m *AccessRule_Constraint) GetValues() []string
- func (*AccessRule_Constraint) ProtoMessage()
- func (m *AccessRule_Constraint) Reset()
- func (m *AccessRule_Constraint) String() string
- func (m *AccessRule_Constraint) XXX_DiscardUnknown()
- func (m *AccessRule_Constraint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *AccessRule_Constraint) XXX_Merge(src proto.Message)
- func (m *AccessRule_Constraint) XXX_Size() int
- func (m *AccessRule_Constraint) XXX_Unmarshal(b []byte) error
- type EnforcementMode
- type RbacConfig
- func (o *RbacConfig) DeepCopyObject() runtime.Object
- func (*RbacConfig) Descriptor() ([]byte, []int)
- func (this *RbacConfig) Equal(that interface{}) bool
- func (m *RbacConfig) GetEnforcementMode() EnforcementMode
- func (m *RbacConfig) GetExclusion() *RbacConfig_Target
- func (m *RbacConfig) GetInclusion() *RbacConfig_Target
- func (m *RbacConfig) GetMetadata() core.Metadata
- func (m *RbacConfig) GetMode() RbacConfig_Mode
- func (o *RbacConfig) GetObjectKind() schema.ObjectKind
- func (m *RbacConfig) GetStatus() core.Status
- func (r *RbacConfig) Hash() uint64
- func (*RbacConfig) ProtoMessage()
- func (m *RbacConfig) Reset()
- func (r *RbacConfig) SetMetadata(meta core.Metadata)
- func (r *RbacConfig) SetStatus(status core.Status)
- func (m *RbacConfig) String() string
- func (m *RbacConfig) XXX_DiscardUnknown()
- func (m *RbacConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *RbacConfig) XXX_Merge(src proto.Message)
- func (m *RbacConfig) XXX_Size() int
- func (m *RbacConfig) XXX_Unmarshal(b []byte) error
- type RbacConfigClient
- type RbacConfigList
- func (list RbacConfigList) AsInputResources() resources.InputResourceList
- func (list RbacConfigList) AsInterfaces() []interface{}
- func (list RbacConfigList) AsResources() resources.ResourceList
- func (list RbacConfigList) Clone() RbacConfigList
- func (list RbacConfigList) Each(f func(element *RbacConfig))
- func (list RbacConfigList) EachResource(f func(element resources.Resource))
- func (list RbacConfigList) Find(namespace, name string) (*RbacConfig, error)
- func (list RbacConfigList) Names() []string
- func (list RbacConfigList) NamespacesDotNames() []string
- func (list RbacConfigList) Sort() RbacConfigList
- type RbacConfigReconciler
- type RbacConfigWatcher
- type RbacConfig_Mode
- type RbacConfig_Target
- func (*RbacConfig_Target) Descriptor() ([]byte, []int)
- func (this *RbacConfig_Target) Equal(that interface{}) bool
- func (m *RbacConfig_Target) GetNamespaces() []string
- func (m *RbacConfig_Target) GetServices() []string
- func (*RbacConfig_Target) ProtoMessage()
- func (m *RbacConfig_Target) Reset()
- func (m *RbacConfig_Target) String() string
- func (m *RbacConfig_Target) XXX_DiscardUnknown()
- func (m *RbacConfig_Target) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *RbacConfig_Target) XXX_Merge(src proto.Message)
- func (m *RbacConfig_Target) XXX_Size() int
- func (m *RbacConfig_Target) XXX_Unmarshal(b []byte) error
- type RoleRef
- func (*RoleRef) Descriptor() ([]byte, []int)
- func (this *RoleRef) Equal(that interface{}) bool
- func (m *RoleRef) GetKind() string
- func (m *RoleRef) GetName() string
- func (*RoleRef) ProtoMessage()
- func (m *RoleRef) Reset()
- func (m *RoleRef) String() string
- func (m *RoleRef) XXX_DiscardUnknown()
- func (m *RoleRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *RoleRef) XXX_Merge(src proto.Message)
- func (m *RoleRef) XXX_Size() int
- func (m *RoleRef) XXX_Unmarshal(b []byte) error
- type ServiceRole
- func (o *ServiceRole) DeepCopyObject() runtime.Object
- func (*ServiceRole) Descriptor() ([]byte, []int)
- func (this *ServiceRole) Equal(that interface{}) bool
- func (m *ServiceRole) GetMetadata() core.Metadata
- func (o *ServiceRole) GetObjectKind() schema.ObjectKind
- func (m *ServiceRole) GetRules() []*AccessRule
- func (m *ServiceRole) GetStatus() core.Status
- func (r *ServiceRole) Hash() uint64
- func (*ServiceRole) ProtoMessage()
- func (m *ServiceRole) Reset()
- func (r *ServiceRole) SetMetadata(meta core.Metadata)
- func (r *ServiceRole) SetStatus(status core.Status)
- func (m *ServiceRole) String() string
- func (m *ServiceRole) XXX_DiscardUnknown()
- func (m *ServiceRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *ServiceRole) XXX_Merge(src proto.Message)
- func (m *ServiceRole) XXX_Size() int
- func (m *ServiceRole) XXX_Unmarshal(b []byte) error
- type ServiceRoleBinding
- func (o *ServiceRoleBinding) DeepCopyObject() runtime.Object
- func (*ServiceRoleBinding) Descriptor() ([]byte, []int)
- func (this *ServiceRoleBinding) Equal(that interface{}) bool
- func (m *ServiceRoleBinding) GetMetadata() core.Metadata
- func (m *ServiceRoleBinding) GetMode() EnforcementMode
- func (o *ServiceRoleBinding) GetObjectKind() schema.ObjectKind
- func (m *ServiceRoleBinding) GetRoleRef() *RoleRef
- func (m *ServiceRoleBinding) GetStatus() core.Status
- func (m *ServiceRoleBinding) GetSubjects() []*Subject
- func (r *ServiceRoleBinding) Hash() uint64
- func (*ServiceRoleBinding) ProtoMessage()
- func (m *ServiceRoleBinding) Reset()
- func (r *ServiceRoleBinding) SetMetadata(meta core.Metadata)
- func (r *ServiceRoleBinding) SetStatus(status core.Status)
- func (m *ServiceRoleBinding) String() string
- func (m *ServiceRoleBinding) XXX_DiscardUnknown()
- func (m *ServiceRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *ServiceRoleBinding) XXX_Merge(src proto.Message)
- func (m *ServiceRoleBinding) XXX_Size() int
- func (m *ServiceRoleBinding) XXX_Unmarshal(b []byte) error
- type ServiceRoleBindingClient
- func NewServiceRoleBindingClient(rcFactory factory.ResourceClientFactory) (ServiceRoleBindingClient, error)
- func NewServiceRoleBindingClientWithBase(rc clients.ResourceClient) ServiceRoleBindingClient
- func NewServiceRoleBindingClientWithToken(rcFactory factory.ResourceClientFactory, token string) (ServiceRoleBindingClient, error)
- type ServiceRoleBindingList
- func (list ServiceRoleBindingList) AsInputResources() resources.InputResourceList
- func (list ServiceRoleBindingList) AsInterfaces() []interface{}
- func (list ServiceRoleBindingList) AsResources() resources.ResourceList
- func (list ServiceRoleBindingList) Clone() ServiceRoleBindingList
- func (list ServiceRoleBindingList) Each(f func(element *ServiceRoleBinding))
- func (list ServiceRoleBindingList) EachResource(f func(element resources.Resource))
- func (list ServiceRoleBindingList) Find(namespace, name string) (*ServiceRoleBinding, error)
- func (list ServiceRoleBindingList) Names() []string
- func (list ServiceRoleBindingList) NamespacesDotNames() []string
- func (list ServiceRoleBindingList) Sort() ServiceRoleBindingList
- type ServiceRoleBindingReconciler
- type ServiceRoleBindingWatcher
- type ServiceRoleClient
- type ServiceRoleList
- func (list ServiceRoleList) AsInputResources() resources.InputResourceList
- func (list ServiceRoleList) AsInterfaces() []interface{}
- func (list ServiceRoleList) AsResources() resources.ResourceList
- func (list ServiceRoleList) Clone() ServiceRoleList
- func (list ServiceRoleList) Each(f func(element *ServiceRole))
- func (list ServiceRoleList) EachResource(f func(element resources.Resource))
- func (list ServiceRoleList) Find(namespace, name string) (*ServiceRole, error)
- func (list ServiceRoleList) Names() []string
- func (list ServiceRoleList) NamespacesDotNames() []string
- func (list ServiceRoleList) Sort() ServiceRoleList
- type ServiceRoleReconciler
- type ServiceRoleWatcher
- type Subject
- func (*Subject) Descriptor() ([]byte, []int)
- func (this *Subject) Equal(that interface{}) bool
- func (m *Subject) GetGroup() string
- func (m *Subject) GetProperties() map[string]string
- func (m *Subject) GetUser() string
- func (*Subject) ProtoMessage()
- func (m *Subject) Reset()
- func (m *Subject) String() string
- func (m *Subject) XXX_DiscardUnknown()
- func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *Subject) XXX_Merge(src proto.Message)
- func (m *Subject) XXX_Size() int
- func (m *Subject) XXX_Unmarshal(b []byte) error
- type TransitionRbacConfigFunc
- type TransitionServiceRoleBindingFunc
- type TransitionServiceRoleFunc
Constants ¶
This section is empty.
Variables ¶
// EnforcementMode_name maps each EnforcementMode number to its enum name.
var EnforcementMode_name = map[int32]string{
	0: "ENFORCED",
	1: "PERMISSIVE",
}

// EnforcementMode_value is the reverse lookup, from enum name to number.
// ENFORCED is 0, which is also the zero value of an int32 field.
var EnforcementMode_value = map[string]int32{
	"ENFORCED":   0,
	"PERMISSIVE": 1,
}
// RbacConfigCrd is the value crd.NewCrd returns for the RbacConfig kind, built
// from the "rbac.istio.io" and "v1alpha1" strings and an empty &RbacConfig{}.
// NOTE(review): the role of each positional argument, including the boolean
// false, is defined by crd.NewCrd, which is not shown here — TODO confirm.
var RbacConfigCrd = crd.NewCrd("rbac.istio.io", "rbacconfigs", "rbac.istio.io", "v1alpha1", "RbacConfig", "rbacconfig", false, &RbacConfig{})
// RbacConfig_Mode_name maps each RbacConfig_Mode number to its enum name.
// "OFF" is 0, which is also the zero value of an int32 field.
var RbacConfig_Mode_name = map[int32]string{
	0: "OFF",
	1: "ON",
	2: "ON_WITH_INCLUSION",
	3: "ON_WITH_EXCLUSION",
}

// RbacConfig_Mode_value is the reverse lookup, from enum name to number.
var RbacConfig_Mode_value = map[string]int32{
	"OFF":               0,
	"ON":                1,
	"ON_WITH_INCLUSION": 2,
	"ON_WITH_EXCLUSION": 3,
}
// ServiceRoleBindingCrd is the value crd.NewCrd returns for the
// ServiceRoleBinding kind under "rbac.istio.io" / "v1alpha1".
// NOTE(review): the role of each positional argument, including the boolean
// false, is defined by crd.NewCrd, which is not shown here — TODO confirm.
var ServiceRoleBindingCrd = crd.NewCrd("rbac.istio.io", "servicerolebindings", "rbac.istio.io", "v1alpha1", "ServiceRoleBinding", "servicerolebinding", false, &ServiceRoleBinding{})

// ServiceRoleCrd is the same construction for the ServiceRole kind.
var ServiceRoleCrd = crd.NewCrd("rbac.istio.io", "serviceroles", "rbac.istio.io", "v1alpha1", "ServiceRole", "servicerole", false, &ServiceRole{})
Functions ¶
This section is empty.
Types ¶
type AccessRule ¶
// AccessRule defines a permission to access a list of services.
// Only Services is required; an omitted Paths or Methods list matches
// everything, so the narrowest rule is the one that sets all three.
type AccessRule struct {
	// Required. A list of service names.
	// Exact match, prefix match, and suffix match are supported for service names.
	// For example, the service name "bookstore.mtv.cluster.local" matches
	// "bookstore.mtv.cluster.local" (exact match), or "bookstore*" (prefix match),
	// or "*.mtv.cluster.local" (suffix match).
	// If set to ["*"], it refers to all services in the namespace.
	Services []string `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"`
	// Optional. A list of HTTP paths or gRPC methods.
	// gRPC methods must be presented as fully-qualified names in the form of
	// "/packageName.serviceName/methodName" and are case sensitive.
	// Exact match, prefix match, and suffix match are supported for paths.
	// For example, the path "/books/review" matches
	// "/books/review" (exact match), or "/books/*" (prefix match),
	// or "*/review" (suffix match).
	// If not specified, it applies to any path.
	// NOTE(review): an unset list therefore grants every path of the matched
	// services; list the intended paths when the role is meant to be narrow.
	Paths []string `protobuf:"bytes,2,rep,name=paths,proto3" json:"paths,omitempty"`
	// Optional. A list of HTTP methods (e.g., "GET", "POST").
	// It is ignored in the gRPC case because the value is always "POST".
	// If set to ["*"] or not specified, it applies to any method.
	// NOTE(review): a read-only role has to name its methods explicitly,
	// because leaving this empty also covers the mutating ones.
	Methods []string `protobuf:"bytes,3,rep,name=methods,proto3" json:"methods,omitempty"`
	// Optional. Extra constraints in the ServiceRole specification.
	// The above ServiceRole example shows an example of constraint "version".
	Constraints []*AccessRule_Constraint `protobuf:"bytes,4,rep,name=constraints,proto3" json:"constraints,omitempty"`
	// Bookkeeping fields of the generated message; the `json:"-"` tags keep
	// them out of the JSON form.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
AccessRule defines a permission to access a list of services.
func (*AccessRule) Descriptor ¶
func (*AccessRule) Descriptor() ([]byte, []int)
func (*AccessRule) Equal ¶
func (this *AccessRule) Equal(that interface{}) bool
func (*AccessRule) GetConstraints ¶
func (m *AccessRule) GetConstraints() []*AccessRule_Constraint
func (*AccessRule) GetMethods ¶
func (m *AccessRule) GetMethods() []string
func (*AccessRule) GetPaths ¶
func (m *AccessRule) GetPaths() []string
func (*AccessRule) GetServices ¶
func (m *AccessRule) GetServices() []string
func (*AccessRule) ProtoMessage ¶
func (*AccessRule) ProtoMessage()
func (*AccessRule) Reset ¶
func (m *AccessRule) Reset()
func (*AccessRule) String ¶
func (m *AccessRule) String() string
func (*AccessRule) XXX_DiscardUnknown ¶
func (m *AccessRule) XXX_DiscardUnknown()
func (*AccessRule) XXX_Marshal ¶
func (m *AccessRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*AccessRule) XXX_Merge ¶
func (m *AccessRule) XXX_Merge(src proto.Message)
func (*AccessRule) XXX_Size ¶
func (m *AccessRule) XXX_Size() int
func (*AccessRule) XXX_Unmarshal ¶
func (m *AccessRule) XXX_Unmarshal(b []byte) error
type AccessRule_Constraint ¶
// AccessRule_Constraint is a custom constraint on an AccessRule: a key and
// the list of values accepted for it.
type AccessRule_Constraint struct {
	// Key of the constraint.
	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// List of valid values for the constraint.
	// Exact match, prefix match, and suffix match are supported for constraint values.
	// For example, the value "v1alpha2" matches
	// "v1alpha2" (exact match), or "v1*" (prefix match),
	// or "*alpha2" (suffix match).
	// NOTE(review): a prefix or suffix pattern also accepts values that do not
	// exist yet (for example a later "v1..." version); use exact values where
	// that is not intended.
	Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"`
	// Bookkeeping fields of the generated message; the `json:"-"` tags keep
	// them out of the JSON form.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
Definition of a custom constraint. The supported keys are listed in the "constraint and properties" page.
func (*AccessRule_Constraint) Descriptor ¶
func (*AccessRule_Constraint) Descriptor() ([]byte, []int)
func (*AccessRule_Constraint) Equal ¶
func (this *AccessRule_Constraint) Equal(that interface{}) bool
func (*AccessRule_Constraint) GetKey ¶
func (m *AccessRule_Constraint) GetKey() string
func (*AccessRule_Constraint) GetValues ¶
func (m *AccessRule_Constraint) GetValues() []string
func (*AccessRule_Constraint) ProtoMessage ¶
func (*AccessRule_Constraint) ProtoMessage()
func (*AccessRule_Constraint) Reset ¶
func (m *AccessRule_Constraint) Reset()
func (*AccessRule_Constraint) String ¶
func (m *AccessRule_Constraint) String() string
func (*AccessRule_Constraint) XXX_DiscardUnknown ¶
func (m *AccessRule_Constraint) XXX_DiscardUnknown()
func (*AccessRule_Constraint) XXX_Marshal ¶
func (m *AccessRule_Constraint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*AccessRule_Constraint) XXX_Merge ¶
func (m *AccessRule_Constraint) XXX_Merge(src proto.Message)
func (*AccessRule_Constraint) XXX_Size ¶
func (m *AccessRule_Constraint) XXX_Size() int
func (*AccessRule_Constraint) XXX_Unmarshal ¶
func (m *AccessRule_Constraint) XXX_Unmarshal(b []byte) error
type EnforcementMode ¶
// EnforcementMode is an int32 enum whose named values are
// EnforcementMode_ENFORCED (0) and EnforcementMode_PERMISSIVE (1).
type EnforcementMode int32
$hide_from_docs RBAC ServiceRoleBinding enforcement mode, used to verify that new ServiceRoleBinding configs work as expected before they are rolled out to production. The RBAC engine only logs the results of configs that are in permissive mode, and discards those results before returning to the user.
// Values of EnforcementMode. ENFORCED is 0, so it is what an unset field holds.
const (
	// Policy in ENFORCED mode has impact on user experience.
	// Policy is in ENFORCED mode by default.
	EnforcementMode_ENFORCED EnforcementMode = 0
	// Policy in PERMISSIVE mode isn't enforced and has no impact on users.
	// The RBAC engine runs policies in PERMISSIVE mode and logs stats.
	// NOTE(review): a policy left in PERMISSIVE is only observed, never
	// applied; switch it to ENFORCED once the logged results look right.
	EnforcementMode_PERMISSIVE EnforcementMode = 1
)
func (EnforcementMode) EnumDescriptor ¶
func (EnforcementMode) EnumDescriptor() ([]byte, []int)
func (EnforcementMode) String ¶
func (x EnforcementMode) String() string
type RbacConfig ¶
// RbacConfig is the global configuration resource that controls Istio RBAC
// behavior: the mode, the inclusion or exclusion target that the mode uses,
// and the enforcement mode.
type RbacConfig struct {
	// Status indicates the validation status of this resource.
	// Status is read-only by clients, and set by supergloo during validation
	Status core.Status `protobuf:"bytes,100,opt,name=status,proto3" json:"status" testdiff:"ignore"`
	// Metadata contains the object metadata for this resource
	Metadata core.Metadata `protobuf:"bytes,101,opt,name=metadata,proto3" json:"metadata"`
	// Istio RBAC mode.
	// NOTE(review): the field is an int32 enum and OFF is listed as 0, so a
	// config that never sets Mode is OFF, i.e. RBAC is not enforced.
	Mode RbacConfig_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.RbacConfig_Mode" json:"mode,omitempty"`
	// A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field has
	// effect only when mode is ON_WITH_INCLUSION and will be ignored for any other modes.
	Inclusion *RbacConfig_Target `protobuf:"bytes,2,opt,name=inclusion,proto3" json:"inclusion,omitempty"`
	// A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field has
	// effect only when mode is ON_WITH_EXCLUSION and will be ignored for any other modes.
	// NOTE(review): every entry here is a service or namespace without RBAC
	// enforcement; keep the list short and review it when services are added.
	Exclusion *RbacConfig_Target `protobuf:"bytes,3,opt,name=exclusion,proto3" json:"exclusion,omitempty"`
	// $hide_from_docs
	// Indicates enforcement mode of the RbacConfig, in ENFORCED mode by default.
	// It's used to verify that a new RbacConfig works as expected before rolling to production.
	// When set to PERMISSIVE, RBAC isn't enforced and has no impact on users.
	// The RBAC engine runs the RbacConfig in PERMISSIVE mode and logs stats.
	// It is invalid to set RbacConfig in PERMISSIVE and ServiceRoleBinding in ENFORCED mode.
	// NOTE(review): PERMISSIVE on the global config means nothing is enforced
	// mesh-wide; confirm it is back to ENFORCED after the rollout is verified.
	EnforcementMode EnforcementMode `` /* 148-byte string literal not displayed */
	// Bookkeeping fields of the generated message; the `json:"-"` tags keep
	// them out of the JSON form.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
RbacConfig defines the global config to control Istio RBAC behavior. This Custom Resource is a singleton: only one should be created globally in the mesh, and its namespace should be the same as that of the other Istio components, which is usually istio-system. Note: This is enforced both in istioctl and on the server side; a new Custom Resource is rejected if one already exists, so the user should either delete the existing one or change the existing one directly.
Below is an example of RbacConfig object "istio-rbac-config" which enables Istio RBAC for all services in the default namespace.
```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: [ "default" ]
```
func NewRbacConfig ¶
func NewRbacConfig(namespace, name string) *RbacConfig
func (*RbacConfig) DeepCopyObject ¶
func (o *RbacConfig) DeepCopyObject() runtime.Object
func (*RbacConfig) Descriptor ¶
func (*RbacConfig) Descriptor() ([]byte, []int)
func (*RbacConfig) Equal ¶
func (this *RbacConfig) Equal(that interface{}) bool
func (*RbacConfig) GetEnforcementMode ¶
func (m *RbacConfig) GetEnforcementMode() EnforcementMode
func (*RbacConfig) GetExclusion ¶
func (m *RbacConfig) GetExclusion() *RbacConfig_Target
func (*RbacConfig) GetInclusion ¶
func (m *RbacConfig) GetInclusion() *RbacConfig_Target
func (*RbacConfig) GetMetadata ¶
func (m *RbacConfig) GetMetadata() core.Metadata
func (*RbacConfig) GetMode ¶
func (m *RbacConfig) GetMode() RbacConfig_Mode
func (*RbacConfig) GetObjectKind ¶
func (o *RbacConfig) GetObjectKind() schema.ObjectKind
func (*RbacConfig) GetStatus ¶
func (m *RbacConfig) GetStatus() core.Status
func (*RbacConfig) Hash ¶
func (r *RbacConfig) Hash() uint64
func (*RbacConfig) ProtoMessage ¶
func (*RbacConfig) ProtoMessage()
func (*RbacConfig) Reset ¶
func (m *RbacConfig) Reset()
func (*RbacConfig) SetMetadata ¶
func (r *RbacConfig) SetMetadata(meta core.Metadata)
func (*RbacConfig) SetStatus ¶
func (r *RbacConfig) SetStatus(status core.Status)
func (*RbacConfig) String ¶
func (m *RbacConfig) String() string
func (*RbacConfig) XXX_DiscardUnknown ¶
func (m *RbacConfig) XXX_DiscardUnknown()
func (*RbacConfig) XXX_Marshal ¶
func (m *RbacConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*RbacConfig) XXX_Merge ¶
func (m *RbacConfig) XXX_Merge(src proto.Message)
func (*RbacConfig) XXX_Size ¶
func (m *RbacConfig) XXX_Size() int
func (*RbacConfig) XXX_Unmarshal ¶
func (m *RbacConfig) XXX_Unmarshal(b []byte) error
type RbacConfigClient ¶
// RbacConfigClient is the typed client interface for RbacConfig resources.
// It exposes the underlying clients.ResourceClient through BaseClient, the
// Register/Read/Write/Delete/List methods below, and embeds RbacConfigWatcher.
// NOTE(review): what each method does against the backing store is defined by
// the implementation, which is not shown here.
type RbacConfigClient interface {
	BaseClient() clients.ResourceClient
	Register() error
	// Read and Delete address one resource by namespace and name.
	Read(namespace, name string, opts clients.ReadOpts) (*RbacConfig, error)
	Write(resource *RbacConfig, opts clients.WriteOpts) (*RbacConfig, error)
	Delete(namespace, name string, opts clients.DeleteOpts) error
	List(namespace string, opts clients.ListOpts) (RbacConfigList, error)
	RbacConfigWatcher
}
func NewRbacConfigClient ¶
func NewRbacConfigClient(rcFactory factory.ResourceClientFactory) (RbacConfigClient, error)
func NewRbacConfigClientWithBase ¶
func NewRbacConfigClientWithBase(rc clients.ResourceClient) RbacConfigClient
func NewRbacConfigClientWithToken ¶
func NewRbacConfigClientWithToken(rcFactory factory.ResourceClientFactory, token string) (RbacConfigClient, error)
type RbacConfigList ¶
// RbacConfigList is a slice of *RbacConfig; the elements are pointers, so a
// plain copy of the slice still shares the RbacConfig values.
type RbacConfigList []*RbacConfig
func (RbacConfigList) AsInputResources ¶
func (list RbacConfigList) AsInputResources() resources.InputResourceList
func (RbacConfigList) AsInterfaces ¶
func (list RbacConfigList) AsInterfaces() []interface{}
func (RbacConfigList) AsResources ¶
func (list RbacConfigList) AsResources() resources.ResourceList
func (RbacConfigList) Clone ¶
func (list RbacConfigList) Clone() RbacConfigList
func (RbacConfigList) Each ¶
func (list RbacConfigList) Each(f func(element *RbacConfig))
func (RbacConfigList) EachResource ¶ added in v0.3.18
func (list RbacConfigList) EachResource(f func(element resources.Resource))
func (RbacConfigList) Find ¶
func (list RbacConfigList) Find(namespace, name string) (*RbacConfig, error)
namespace is optional; if it is left empty, names can collide when the list contains more than one resource with the same name, so pass the namespace whenever the list may span several namespaces.
func (RbacConfigList) Names ¶
func (list RbacConfigList) Names() []string
func (RbacConfigList) NamespacesDotNames ¶
func (list RbacConfigList) NamespacesDotNames() []string
func (RbacConfigList) Sort ¶
func (list RbacConfigList) Sort() RbacConfigList
type RbacConfigReconciler ¶
// RbacConfigReconciler has a single method, Reconcile, which takes a
// namespace, the desired RbacConfigList, a TransitionRbacConfigFunc and list
// options, and returns an error.
// NOTE(review): how existing resources are compared with the desired list,
// and what happens to ones that are not in it, is not visible here — confirm
// against the implementation before relying on it to remove stale policy.
type RbacConfigReconciler interface {
	Reconcile(namespace string, desiredResources RbacConfigList, transition TransitionRbacConfigFunc, opts clients.ListOpts) error
}
func NewRbacConfigReconciler ¶
func NewRbacConfigReconciler(client RbacConfigClient) RbacConfigReconciler
type RbacConfigWatcher ¶ added in v0.3.18
type RbacConfig_Mode ¶
// RbacConfig_Mode is an int32 enum with the named values RbacConfig_OFF (0),
// RbacConfig_ON (1), RbacConfig_ON_WITH_INCLUSION (2) and
// RbacConfig_ON_WITH_EXCLUSION (3).
type RbacConfig_Mode int32
// Values of RbacConfig_Mode.
// NOTE(review): OFF is 0, the zero value of the enum, so an RbacConfig whose
// mode is never set is OFF; set the mode explicitly in every config.
const (
	// Disable Istio RBAC completely, any other config in RbacConfig will be ignored and Istio RBAC policies
	// will not be enforced.
	RbacConfig_OFF RbacConfig_Mode = 0
	// Enable Istio RBAC for all services and namespaces.
	RbacConfig_ON RbacConfig_Mode = 1
	// Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other
	// services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies.
	RbacConfig_ON_WITH_INCLUSION RbacConfig_Mode = 2
	// Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other
	// services and namespaces not in the exclusion field will be enforced by Istio RBAC policies.
	RbacConfig_ON_WITH_EXCLUSION RbacConfig_Mode = 3
)
func (RbacConfig_Mode) EnumDescriptor ¶
func (RbacConfig_Mode) EnumDescriptor() ([]byte, []int)
func (RbacConfig_Mode) String ¶
func (x RbacConfig_Mode) String() string
type RbacConfig_Target ¶
// RbacConfig_Target defines a list of services or namespaces. It is the type
// of both the Inclusion and the Exclusion field of RbacConfig.
type RbacConfig_Target struct {
	// A list of services.
	Services []string `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"`
	// A list of namespaces.
	Namespaces []string `protobuf:"bytes,2,rep,name=namespaces,proto3" json:"namespaces,omitempty"`
	// Bookkeeping fields of the generated message; the `json:"-"` tags keep
	// them out of the JSON form.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
Target defines a list of services or namespaces.
func (*RbacConfig_Target) Descriptor ¶
func (*RbacConfig_Target) Descriptor() ([]byte, []int)
func (*RbacConfig_Target) Equal ¶
func (this *RbacConfig_Target) Equal(that interface{}) bool
func (*RbacConfig_Target) GetNamespaces ¶
func (m *RbacConfig_Target) GetNamespaces() []string
func (*RbacConfig_Target) GetServices ¶
func (m *RbacConfig_Target) GetServices() []string
func (*RbacConfig_Target) ProtoMessage ¶
func (*RbacConfig_Target) ProtoMessage()
func (*RbacConfig_Target) Reset ¶
func (m *RbacConfig_Target) Reset()
func (*RbacConfig_Target) String ¶
func (m *RbacConfig_Target) String() string
func (*RbacConfig_Target) XXX_DiscardUnknown ¶
func (m *RbacConfig_Target) XXX_DiscardUnknown()
func (*RbacConfig_Target) XXX_Marshal ¶
func (m *RbacConfig_Target) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*RbacConfig_Target) XXX_Merge ¶
func (m *RbacConfig_Target) XXX_Merge(src proto.Message)
func (*RbacConfig_Target) XXX_Size ¶
func (m *RbacConfig_Target) XXX_Size() int
func (*RbacConfig_Target) XXX_Unmarshal ¶
func (m *RbacConfig_Target) XXX_Unmarshal(b []byte) error
type RoleRef ¶
// RoleRef refers to a role object by kind and name.
type RoleRef struct {
	// Required. The type of the role being referenced.
	// Currently, "ServiceRole" is the only supported value for "kind".
	Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"`
	// Required. The name of the ServiceRole object being referenced.
	// The ServiceRole object must be in the same namespace as the ServiceRoleBinding
	// object.
	// NOTE(review): the reference carries no namespace of its own, so a
	// binding can only point at a role in its own namespace.
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	// Bookkeeping fields of the generated message; the `json:"-"` tags keep
	// them out of the JSON form.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
RoleRef refers to a role object.
func (*RoleRef) Descriptor ¶
func (*RoleRef) ProtoMessage ¶
func (*RoleRef) ProtoMessage()
func (*RoleRef) XXX_DiscardUnknown ¶
func (m *RoleRef) XXX_DiscardUnknown()
func (*RoleRef) XXX_Marshal ¶
func (*RoleRef) XXX_Unmarshal ¶
type ServiceRole ¶
// ServiceRole holds a list of access rules (permissions) together with the
// resource's status and metadata.
type ServiceRole struct {
	// Status indicates the validation status of this resource.
	// Status is read-only by clients, and set by supergloo during validation
	Status core.Status `protobuf:"bytes,100,opt,name=status,proto3" json:"status" testdiff:"ignore"`
	// Metadata contains the object metadata for this resource
	Metadata core.Metadata `protobuf:"bytes,101,opt,name=metadata,proto3" json:"metadata"`
	// Required. The set of access rules (permissions) that the role has.
	Rules []*AccessRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
	// Bookkeeping fields of the generated message; the `json:"-"` tags keep
	// them out of the JSON form.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
ServiceRole specification contains a list of access rules (permissions). This represents the "Spec" part of the ServiceRole object. The name and namespace of the ServiceRole are specified in the "metadata" section of the ServiceRole object.
func NewServiceRole ¶
func NewServiceRole(namespace, name string) *ServiceRole
func (*ServiceRole) DeepCopyObject ¶
func (o *ServiceRole) DeepCopyObject() runtime.Object
func (*ServiceRole) Descriptor ¶
func (*ServiceRole) Descriptor() ([]byte, []int)
func (*ServiceRole) Equal ¶
func (this *ServiceRole) Equal(that interface{}) bool
func (*ServiceRole) GetMetadata ¶
func (m *ServiceRole) GetMetadata() core.Metadata
func (*ServiceRole) GetObjectKind ¶
func (o *ServiceRole) GetObjectKind() schema.ObjectKind
func (*ServiceRole) GetRules ¶
func (m *ServiceRole) GetRules() []*AccessRule
func (*ServiceRole) GetStatus ¶
func (m *ServiceRole) GetStatus() core.Status
func (*ServiceRole) Hash ¶
func (r *ServiceRole) Hash() uint64
func (*ServiceRole) ProtoMessage ¶
func (*ServiceRole) ProtoMessage()
func (*ServiceRole) Reset ¶
func (m *ServiceRole) Reset()
func (*ServiceRole) SetMetadata ¶
func (r *ServiceRole) SetMetadata(meta core.Metadata)
func (*ServiceRole) SetStatus ¶
func (r *ServiceRole) SetStatus(status core.Status)
func (*ServiceRole) String ¶
func (m *ServiceRole) String() string
func (*ServiceRole) XXX_DiscardUnknown ¶
func (m *ServiceRole) XXX_DiscardUnknown()
func (*ServiceRole) XXX_Marshal ¶
func (m *ServiceRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*ServiceRole) XXX_Merge ¶
func (m *ServiceRole) XXX_Merge(src proto.Message)
func (*ServiceRole) XXX_Size ¶
func (m *ServiceRole) XXX_Size() int
func (*ServiceRole) XXX_Unmarshal ¶
func (m *ServiceRole) XXX_Unmarshal(b []byte) error
type ServiceRoleBinding ¶
// ServiceRoleBinding assigns the ServiceRole named by RoleRef to a list of
// subjects, and carries the resource's status and metadata.
type ServiceRoleBinding struct {
	// Status indicates the validation status of this resource.
	// Status is read-only by clients, and set by supergloo during validation
	Status core.Status `protobuf:"bytes,100,opt,name=status,proto3" json:"status" testdiff:"ignore"`
	// Metadata contains the object metadata for this resource
	Metadata core.Metadata `protobuf:"bytes,101,opt,name=metadata,proto3" json:"metadata"`
	// Required. List of subjects that are assigned the ServiceRole object.
	Subjects []*Subject `protobuf:"bytes,1,rep,name=subjects,proto3" json:"subjects,omitempty"`
	// Required. Reference to the ServiceRole object.
	RoleRef *RoleRef `protobuf:"bytes,2,opt,name=roleRef,proto3" json:"roleRef,omitempty"`
	// $hide_from_docs
	// Indicates enforcement mode of the ServiceRoleBinding.
	// The field is an int32 enum and ENFORCED is listed as 0, so an unset Mode
	// is ENFORCED.
	Mode EnforcementMode `protobuf:"varint,3,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.EnforcementMode" json:"mode,omitempty"`
	// Bookkeeping fields of the generated message; the `json:"-"` tags keep
	// them out of the JSON form.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
ServiceRoleBinding assigns a ServiceRole to a list of subjects. This represents the "Spec" part of the ServiceRoleBinding object. The name and namespace of the ServiceRoleBinding are specified in the "metadata" section of the ServiceRoleBinding object.
func NewServiceRoleBinding ¶
func NewServiceRoleBinding(namespace, name string) *ServiceRoleBinding
func (*ServiceRoleBinding) DeepCopyObject ¶
func (o *ServiceRoleBinding) DeepCopyObject() runtime.Object
func (*ServiceRoleBinding) Descriptor ¶
func (*ServiceRoleBinding) Descriptor() ([]byte, []int)
func (*ServiceRoleBinding) Equal ¶
func (this *ServiceRoleBinding) Equal(that interface{}) bool
func (*ServiceRoleBinding) GetMetadata ¶
func (m *ServiceRoleBinding) GetMetadata() core.Metadata
func (*ServiceRoleBinding) GetMode ¶
func (m *ServiceRoleBinding) GetMode() EnforcementMode
func (*ServiceRoleBinding) GetObjectKind ¶
func (o *ServiceRoleBinding) GetObjectKind() schema.ObjectKind
func (*ServiceRoleBinding) GetRoleRef ¶
func (m *ServiceRoleBinding) GetRoleRef() *RoleRef
func (*ServiceRoleBinding) GetStatus ¶
func (m *ServiceRoleBinding) GetStatus() core.Status
func (*ServiceRoleBinding) GetSubjects ¶
func (m *ServiceRoleBinding) GetSubjects() []*Subject
func (*ServiceRoleBinding) Hash ¶
func (r *ServiceRoleBinding) Hash() uint64
func (*ServiceRoleBinding) ProtoMessage ¶
func (*ServiceRoleBinding) ProtoMessage()
func (*ServiceRoleBinding) Reset ¶
func (m *ServiceRoleBinding) Reset()
func (*ServiceRoleBinding) SetMetadata ¶
func (r *ServiceRoleBinding) SetMetadata(meta core.Metadata)
func (*ServiceRoleBinding) SetStatus ¶
func (r *ServiceRoleBinding) SetStatus(status core.Status)
func (*ServiceRoleBinding) String ¶
func (m *ServiceRoleBinding) String() string
func (*ServiceRoleBinding) XXX_DiscardUnknown ¶
func (m *ServiceRoleBinding) XXX_DiscardUnknown()
func (*ServiceRoleBinding) XXX_Marshal ¶
func (m *ServiceRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*ServiceRoleBinding) XXX_Merge ¶
func (m *ServiceRoleBinding) XXX_Merge(src proto.Message)
func (*ServiceRoleBinding) XXX_Size ¶
func (m *ServiceRoleBinding) XXX_Size() int
func (*ServiceRoleBinding) XXX_Unmarshal ¶
func (m *ServiceRoleBinding) XXX_Unmarshal(b []byte) error
type ServiceRoleBindingClient ¶
// ServiceRoleBindingClient is the typed client interface for
// ServiceRoleBinding resources. It exposes the underlying
// clients.ResourceClient through BaseClient, the
// Register/Read/Write/Delete/List methods below, and embeds
// ServiceRoleBindingWatcher.
// NOTE(review): what each method does against the backing store is defined by
// the implementation, which is not shown here.
type ServiceRoleBindingClient interface {
	BaseClient() clients.ResourceClient
	Register() error
	// Read and Delete address one resource by namespace and name.
	Read(namespace, name string, opts clients.ReadOpts) (*ServiceRoleBinding, error)
	Write(resource *ServiceRoleBinding, opts clients.WriteOpts) (*ServiceRoleBinding, error)
	Delete(namespace, name string, opts clients.DeleteOpts) error
	List(namespace string, opts clients.ListOpts) (ServiceRoleBindingList, error)
	ServiceRoleBindingWatcher
}
func NewServiceRoleBindingClient ¶
func NewServiceRoleBindingClient(rcFactory factory.ResourceClientFactory) (ServiceRoleBindingClient, error)
func NewServiceRoleBindingClientWithBase ¶
func NewServiceRoleBindingClientWithBase(rc clients.ResourceClient) ServiceRoleBindingClient
func NewServiceRoleBindingClientWithToken ¶
func NewServiceRoleBindingClientWithToken(rcFactory factory.ResourceClientFactory, token string) (ServiceRoleBindingClient, error)
type ServiceRoleBindingList ¶
// ServiceRoleBindingList is a slice of *ServiceRoleBinding.
type ServiceRoleBindingList []*ServiceRoleBinding
func (ServiceRoleBindingList) AsInputResources ¶
func (list ServiceRoleBindingList) AsInputResources() resources.InputResourceList
func (ServiceRoleBindingList) AsInterfaces ¶
func (list ServiceRoleBindingList) AsInterfaces() []interface{}
func (ServiceRoleBindingList) AsResources ¶
func (list ServiceRoleBindingList) AsResources() resources.ResourceList
func (ServiceRoleBindingList) Clone ¶
func (list ServiceRoleBindingList) Clone() ServiceRoleBindingList
func (ServiceRoleBindingList) Each ¶
func (list ServiceRoleBindingList) Each(f func(element *ServiceRoleBinding))
func (ServiceRoleBindingList) EachResource ¶ added in v0.3.18
func (list ServiceRoleBindingList) EachResource(f func(element resources.Resource))
func (ServiceRoleBindingList) Find ¶
func (list ServiceRoleBindingList) Find(namespace, name string) (*ServiceRoleBinding, error)
namespace is optional. If it is left empty, names can collide when the list contains more than one resource with the same name, so pass the namespace whenever the list may span several namespaces.
func (ServiceRoleBindingList) Names ¶
func (list ServiceRoleBindingList) Names() []string
func (ServiceRoleBindingList) NamespacesDotNames ¶
func (list ServiceRoleBindingList) NamespacesDotNames() []string
func (ServiceRoleBindingList) Sort ¶
func (list ServiceRoleBindingList) Sort() ServiceRoleBindingList
type ServiceRoleBindingReconciler ¶
// ServiceRoleBindingReconciler exposes a single Reconcile method that takes a
// namespace and the desired ServiceRoleBindingList.
type ServiceRoleBindingReconciler interface {
	// Reconcile receives the namespace, the desired resources, a
	// TransitionServiceRoleBindingFunc hook and list options, and reports
	// failure through its error.
	//
	// NOTE(review): what happens to existing bindings that are absent from
	// desiredResources is not shown here. Confirm before using this to manage
	// authorization bindings, since removing or keeping a binding changes who
	// has access.
	Reconcile(namespace string, desiredResources ServiceRoleBindingList, transition TransitionServiceRoleBindingFunc, opts clients.ListOpts) error
}
func NewServiceRoleBindingReconciler ¶
func NewServiceRoleBindingReconciler(client ServiceRoleBindingClient) ServiceRoleBindingReconciler
type ServiceRoleBindingWatcher ¶ added in v0.3.18
type ServiceRoleClient ¶
// ServiceRoleClient is the typed client interface for ServiceRole resources.
// It embeds ServiceRoleWatcher.
//
// NOTE(review): Write and Delete change ServiceRole resources; if these are the
// roles that bindings refer to, a holder of this client can presumably change
// what a role permits. Confirm how the underlying clients.ResourceClient is
// authorized before handing it out.
type ServiceRoleClient interface {
	// BaseClient returns a clients.ResourceClient; presumably the untyped
	// client this typed one wraps (confirm).
	BaseClient() clients.ResourceClient
	// Register takes no arguments and reports failure through its error;
	// what it registers is not shown here.
	Register() error
	// Read takes a namespace and name and returns one *ServiceRole.
	Read(namespace, name string, opts clients.ReadOpts) (*ServiceRole, error)
	// Write takes the resource to store and returns a *ServiceRole
	// (presumably the stored copy; confirm).
	Write(resource *ServiceRole, opts clients.WriteOpts) (*ServiceRole, error)
	// Delete takes the namespace and name of the resource to remove.
	Delete(namespace, name string, opts clients.DeleteOpts) error
	// List takes a namespace and returns a ServiceRoleList.
	List(namespace string, opts clients.ListOpts) (ServiceRoleList, error)
	// Embedded watcher interface; its methods are declared elsewhere.
	ServiceRoleWatcher
}
func NewServiceRoleClient ¶
func NewServiceRoleClient(rcFactory factory.ResourceClientFactory) (ServiceRoleClient, error)
func NewServiceRoleClientWithBase ¶
func NewServiceRoleClientWithBase(rc clients.ResourceClient) ServiceRoleClient
func NewServiceRoleClientWithToken ¶
func NewServiceRoleClientWithToken(rcFactory factory.ResourceClientFactory, token string) (ServiceRoleClient, error)
type ServiceRoleList ¶
// ServiceRoleList is a slice of *ServiceRole.
type ServiceRoleList []*ServiceRole
func (ServiceRoleList) AsInputResources ¶
func (list ServiceRoleList) AsInputResources() resources.InputResourceList
func (ServiceRoleList) AsInterfaces ¶
func (list ServiceRoleList) AsInterfaces() []interface{}
func (ServiceRoleList) AsResources ¶
func (list ServiceRoleList) AsResources() resources.ResourceList
func (ServiceRoleList) Clone ¶
func (list ServiceRoleList) Clone() ServiceRoleList
func (ServiceRoleList) Each ¶
func (list ServiceRoleList) Each(f func(element *ServiceRole))
func (ServiceRoleList) EachResource ¶ added in v0.3.18
func (list ServiceRoleList) EachResource(f func(element resources.Resource))
func (ServiceRoleList) Find ¶
func (list ServiceRoleList) Find(namespace, name string) (*ServiceRole, error)
namespace is optional. If it is left empty, names can collide when the list contains more than one resource with the same name, so pass the namespace whenever the list may span several namespaces.
func (ServiceRoleList) Names ¶
func (list ServiceRoleList) Names() []string
func (ServiceRoleList) NamespacesDotNames ¶
func (list ServiceRoleList) NamespacesDotNames() []string
func (ServiceRoleList) Sort ¶
func (list ServiceRoleList) Sort() ServiceRoleList
type ServiceRoleReconciler ¶
// ServiceRoleReconciler exposes a single Reconcile method that takes a
// namespace and the desired ServiceRoleList.
type ServiceRoleReconciler interface {
	// Reconcile receives the namespace, the desired resources, a
	// TransitionServiceRoleFunc hook and list options, and reports failure
	// through its error.
	//
	// NOTE(review): what happens to existing roles that are absent from
	// desiredResources is not shown here. Confirm before using this to manage
	// roles that access decisions depend on.
	Reconcile(namespace string, desiredResources ServiceRoleList, transition TransitionServiceRoleFunc, opts clients.ListOpts) error
}
func NewServiceRoleReconciler ¶
func NewServiceRoleReconciler(client ServiceRoleClient) ServiceRoleReconciler
type ServiceRoleWatcher ¶ added in v0.3.18
type Subject ¶
// Subject carries the optional User, Group and Properties fields that
// describe an identity.
//
// NOTE(review): every field below is marked Optional; how a Subject with none
// of them set is interpreted is not stated here. Confirm before relying on
// such a value in a binding.
type Subject struct {
	// Optional. The user name/ID that the subject represents.
	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
	// $hide_from_docs
	// Optional. The group that the subject belongs to.
	Group string `protobuf:"bytes,2,opt,name=group,proto3" json:"group,omitempty"`
	// Optional. The set of properties that identify the subject.
	// The above ServiceRoleBinding example shows an example of property "source.namespace".
	Properties map[string]string `` /* 161-byte string literal not displayed */
	// The XXX_ fields below are tagged json:"-", so they are left out of JSON output.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized []byte `json:"-"`
	XXX_sizecache int32 `json:"-"`
}
Subject defines an identity. The identity is either a user or is identified by a set of `properties`. The supported keys in `properties` are listed on the "constraint and properties" page.
func (*Subject) Descriptor ¶
func (*Subject) GetProperties ¶
func (*Subject) ProtoMessage ¶
func (*Subject) ProtoMessage()
func (*Subject) XXX_DiscardUnknown ¶
func (m *Subject) XXX_DiscardUnknown()
func (*Subject) XXX_Marshal ¶
func (*Subject) XXX_Unmarshal ¶
type TransitionRbacConfigFunc ¶
type TransitionRbacConfigFunc func(original, desired *RbacConfig) (bool, error)
Optional hook for copying anything from the original resource into the desired one before it is written. A return value of false means the resource is not updated.
type TransitionServiceRoleBindingFunc ¶
type TransitionServiceRoleBindingFunc func(original, desired *ServiceRoleBinding) (bool, error)
Optional hook for copying anything from the original resource into the desired one before it is written. A return value of false means the resource is not updated.
type TransitionServiceRoleFunc ¶
type TransitionServiceRoleFunc func(original, desired *ServiceRole) (bool, error)
Optional hook for copying anything from the original resource into the desired one before it is written. A return value of false means the resource is not updated.