Documentation ¶
Index ¶
- Constants
- Variables
- type AccessRule
- type AccessRule_Constraint
- type ClusterRbacConfig
- type ClusterRbacConfigList
- type EnforcementMode
- type RbacConfig
- type RbacConfigList
- type RbacConfigMode
- type RbacConfigSpec
- type RbacConfigTarget
- type RoleRef
- type ServiceRole
- type ServiceRoleBinding
- type ServiceRoleBindingList
- type ServiceRoleBindingSpec
- type ServiceRoleList
- type ServiceRoleSpec
- type Subject
Constants ¶
const (
	// Package-wide consts from generator "register".
	// GroupName is the API group name of the types in this package; it is the
	// Group component of SchemeGroupVersion.
	GroupName = "rbac.istio.io"
)
Variables ¶
var (
	// Package-wide variables from generator "register".
	// SchemeGroupVersion is the group/version pair for this package: group
	// GroupName, version "v1alpha1".
	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
)
Functions ¶
This section is empty.
Types ¶
type AccessRule ¶
// AccessRule selects a set of services and optionally narrows the match by
// HTTP host, path, method, port and extra constraints. It is the element type
// of ServiceRoleSpec.Rules and ServiceRoleBindingSpec.Actions.
//
// Every optional matcher that is left unset matches anything (any host, any
// path, any method, any port), so a rule that names only Services covers every
// request to those services. Set the narrowing fields explicitly when the rule
// is meant to be restrictive.
type AccessRule struct {
	// A list of service names.
	// Exact match, prefix match, and suffix match are supported for service names.
	// For example, the service name "bookstore.mtv.cluster.local" matches
	// "bookstore.mtv.cluster.local" (exact match), or "bookstore\*" (prefix match),
	// or "\*.mtv.cluster.local" (suffix match).
	// If set to ["\*"], it refers to all services in the namespace.
	Services []string `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"`
	// $hide_from_docs
	// Optional. A list of HTTP hosts. This is matched against the HOST header in
	// a HTTP request. Exact match, prefix match and suffix match are supported.
	// For example, the host "test.abc.com" matches "test.abc.com" (exact match),
	// or "\*.abc.com" (suffix match), or "test.abc.\*" (prefix match).
	// As with Services above, a leading "\*" matches by suffix and a trailing
	// "\*" matches by prefix.
	// If not specified, it matches to any host.
	// This field should not be set for TCP services; if it is, the policy will be ignored.
	Hosts []string `protobuf:"bytes,5,rep,name=hosts,proto3" json:"hosts,omitempty"`
	// $hide_from_docs
	// Optional. A list of HTTP hosts that must not be matched.
	NotHosts []string `protobuf:"bytes,6,rep,name=not_hosts,json=notHosts,proto3" json:"not_hosts,omitempty"`
	// Optional. A list of HTTP paths or gRPC methods.
	// gRPC methods must be presented as fully-qualified name in the form of
	// "/packageName.serviceName/methodName" and are case sensitive.
	// Exact match, prefix match, and suffix match are supported. For example,
	// the path "/books/review" matches "/books/review" (exact match),
	// or "/books/\*" (prefix match), or "review" (suffix match).
	// NOTE(review): the suffix example is shown without a wildcard; by the
	// convention of the other fields it would presumably be "\*/review" —
	// confirm against the proto source before copying it into a policy.
	// If not specified, it matches to any path.
	// This field should not be set for TCP services; if it is, the policy will be ignored.
	Paths []string `protobuf:"bytes,2,rep,name=paths,proto3" json:"paths,omitempty"`
	// $hide_from_docs
	// Optional. A list of HTTP paths or gRPC methods that must not be matched.
	NotPaths []string `protobuf:"bytes,7,rep,name=not_paths,json=notPaths,proto3" json:"not_paths,omitempty"`
	// Optional. A list of HTTP methods (e.g., "GET", "POST").
	// If not specified or specified as "\*", it matches to any methods.
	// This field should not be set for TCP services; if it is, the policy will be ignored.
	// For gRPC services, only `POST` is allowed; other methods will result in denying services.
	Methods []string `protobuf:"bytes,3,rep,name=methods,proto3" json:"methods,omitempty"`
	// $hide_from_docs
	// Optional. A list of HTTP methods that must not be matched.
	// Note: It's an error to set methods and not_methods at the same time.
	NotMethods []string `protobuf:"bytes,8,rep,name=not_methods,json=notMethods,proto3" json:"not_methods,omitempty"`
	// $hide_from_docs
	// Optional. A list of port numbers of the request. If not specified, it matches
	// to any port number.
	// Note: It's an error to set ports and not_ports at the same time.
	Ports []int32 `protobuf:"varint,9,rep,packed,name=ports,proto3" json:"ports,omitempty"`
	// $hide_from_docs
	// Optional. A list of port numbers that must not be matched.
	// Note: It's an error to set ports and not_ports at the same time.
	NotPorts []int32 `protobuf:"varint,10,rep,packed,name=not_ports,json=notPorts,proto3" json:"not_ports,omitempty"`
	// Optional. Extra constraints in the ServiceRole specification.
	Constraints []AccessRule_Constraint `protobuf:"bytes,4,rep,name=constraints,proto3" json:"constraints,omitempty"`
}
func (*AccessRule) DeepCopy ¶
func (in *AccessRule) DeepCopy() *AccessRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessRule.
func (*AccessRule) DeepCopyInto ¶
func (in *AccessRule) DeepCopyInto(out *AccessRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AccessRule_Constraint ¶
// AccessRule_Constraint pairs a constraint key with the list of values that
// are accepted for it. It is the element type of AccessRule.Constraints.
type AccessRule_Constraint struct {
	// Key of the constraint.
	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// List of valid values for the constraint.
	// Exact match, prefix match, and suffix match are supported.
	// For example, the value "v1alpha2" matches "v1alpha2" (exact match),
	// or "v1\*" (prefix match), or "\*alpha2" (suffix match).
	Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"`
}
func (*AccessRule_Constraint) DeepCopy ¶
func (in *AccessRule_Constraint) DeepCopy() *AccessRule_Constraint
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessRule_Constraint.
func (*AccessRule_Constraint) DeepCopyInto ¶
func (in *AccessRule_Constraint) DeepCopyInto(out *AccessRule_Constraint)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterRbacConfig ¶
// ClusterRbacConfig carries an RbacConfigSpec together with type and object
// metadata.
type ClusterRbacConfig struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec holds the RBAC mode and its inclusion/exclusion targets. A zero
	// Spec has Mode == OFF (RbacConfigMode value 0), i.e. RBAC is disabled.
	Spec RbacConfigSpec `json:"spec,omitempty"`
}
func (*ClusterRbacConfig) DeepCopy ¶
func (in *ClusterRbacConfig) DeepCopy() *ClusterRbacConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRbacConfig.
func (*ClusterRbacConfig) DeepCopyInto ¶
func (in *ClusterRbacConfig) DeepCopyInto(out *ClusterRbacConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterRbacConfig) DeepCopyObject ¶
func (in *ClusterRbacConfig) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterRbacConfigList ¶
type ClusterRbacConfigList struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Items holds the ClusterRbacConfig objects in the list.
	Items []ClusterRbacConfig `json:"items" protobuf:"bytes,2,rep,name=items"`
}
ClusterRbacConfigList is a collection of ClusterRbacConfigs.
func (*ClusterRbacConfigList) DeepCopy ¶
func (in *ClusterRbacConfigList) DeepCopy() *ClusterRbacConfigList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRbacConfigList.
func (*ClusterRbacConfigList) DeepCopyInto ¶
func (in *ClusterRbacConfigList) DeepCopyInto(out *ClusterRbacConfigList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterRbacConfigList) DeepCopyObject ¶
func (in *ClusterRbacConfigList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type EnforcementMode ¶
// EnforcementMode says whether a policy is enforced or only evaluated and
// logged. It is the type of RbacConfigSpec.EnforcementMode and
// ServiceRoleBindingSpec.Mode.
type EnforcementMode int32

const (
	// Policy in ENFORCED mode has impact on user experience.
	// Policy is in ENFORCED mode by default.
	// ENFORCED is also the zero value, so a field of this type that is left
	// unset means ENFORCED.
	ENFORCED EnforcementMode = 0
	// Policy in PERMISSIVE mode isn't enforced and has no impact on users.
	// The RBAC engine runs policies in PERMISSIVE mode and logs stats.
	// Treat a PERMISSIVE policy as a dry run: it does not act as an access
	// control until it is switched to ENFORCED.
	PERMISSIVE EnforcementMode = 1
)
type RbacConfig ¶
// RbacConfig carries an RbacConfigSpec together with type and object metadata.
type RbacConfig struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Spec defines the implementation of this definition.
	// A zero Spec has Mode == OFF (RbacConfigMode value 0), i.e. RBAC is disabled.
	// +optional
	Spec RbacConfigSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
func (*RbacConfig) DeepCopy ¶
func (in *RbacConfig) DeepCopy() *RbacConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RbacConfig.
func (*RbacConfig) DeepCopyInto ¶
func (in *RbacConfig) DeepCopyInto(out *RbacConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RbacConfig) DeepCopyObject ¶
func (in *RbacConfig) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type RbacConfigList ¶
type RbacConfigList struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Items holds the RbacConfig objects in the list.
	Items []RbacConfig `json:"items" protobuf:"bytes,2,rep,name=items"`
}
RbacConfigList is a collection of RbacConfigs.
func (*RbacConfigList) DeepCopy ¶
func (in *RbacConfigList) DeepCopy() *RbacConfigList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RbacConfigList.
func (*RbacConfigList) DeepCopyInto ¶
func (in *RbacConfigList) DeepCopyInto(out *RbacConfigList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RbacConfigList) DeepCopyObject ¶
func (in *RbacConfigList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type RbacConfigMode ¶
// RbacConfigMode selects where Istio RBAC is applied. It is the type of
// RbacConfigSpec.Mode.
type RbacConfigMode int32

const (
	// Disable Istio RBAC completely, Istio RBAC policies will not be enforced.
	// OFF is the zero value, so an RbacConfigSpec whose Mode is left unset has
	// RBAC disabled; set the mode explicitly when enforcement is intended.
	OFF RbacConfigMode = 0
	// Enable Istio RBAC for all services and namespaces. Note Istio RBAC is deny-by-default
	// which means a request is denied unless it is allowed by RBAC rules.
	ON RbacConfigMode = 1
	// Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other
	// services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies.
	ON_WITH_INCLUSION RbacConfigMode = 2
	// Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other
	// services and namespaces not in the exclusion field will be enforced by Istio RBAC policies.
	ON_WITH_EXCLUSION RbacConfigMode = 3
)
type RbacConfigSpec ¶
// RbacConfigSpec is the Spec of RbacConfig and ClusterRbacConfig: the RBAC
// mode plus the targets that the inclusion and exclusion modes refer to.
type RbacConfigSpec struct {
	// Istio RBAC mode.
	// The zero value is OFF, so leaving this unset disables RBAC.
	Mode RbacConfigMode `json:"mode,omitempty"`
	// A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field has
	// effect only when mode is ON_WITH_INCLUSION and will be ignored for any other modes.
	// NOTE(review): presumably nothing is enforced when mode is ON_WITH_INCLUSION
	// and this is nil or empty — confirm.
	Inclusion *RbacConfigTarget `json:"inclusion,omitempty"`
	// A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field has
	// effect only when mode is ON_WITH_EXCLUSION and will be ignored for any other modes.
	// Everything listed here is outside RBAC enforcement, so keep the list
	// short and review additions to it.
	Exclusion *RbacConfigTarget `json:"exclusion,omitempty"`
	// EnforcementMode is ENFORCED (the zero value) or PERMISSIVE.
	// NOTE(review): this field carries no comment in the listing; what it
	// applies to (all policies or only some) is not stated here — confirm.
	EnforcementMode EnforcementMode `json:"enforcementMode,omitempty"`
}
func (*RbacConfigSpec) DeepCopy ¶
func (in *RbacConfigSpec) DeepCopy() *RbacConfigSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RbacConfigSpec.
func (*RbacConfigSpec) DeepCopyInto ¶
func (in *RbacConfigSpec) DeepCopyInto(out *RbacConfigSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RbacConfigTarget ¶
// RbacConfigTarget names services and namespaces. It is the type of
// RbacConfigSpec.Inclusion and RbacConfigSpec.Exclusion.
type RbacConfigTarget struct {
	// A list of services.
	Services []string `json:"services,omitempty"`
	// A list of namespaces.
	Namespaces []string `json:"namespaces,omitempty"`
}
Target defines a list of services or namespaces.
func (*RbacConfigTarget) DeepCopy ¶
func (in *RbacConfigTarget) DeepCopy() *RbacConfigTarget
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RbacConfigTarget.
func (*RbacConfigTarget) DeepCopyInto ¶
func (in *RbacConfigTarget) DeepCopyInto(out *RbacConfigTarget)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RoleRef ¶
// RoleRef names the role that a ServiceRoleBinding refers to. It is the type
// of ServiceRoleBindingSpec.RoleRef.
type RoleRef struct {
	// The type of the role being referenced.
	// Currently, "ServiceRole" is the only supported value for "kind".
	Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"`
	// The name of the ServiceRole object being referenced.
	// The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
}
func (*RoleRef) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleRef.
func (*RoleRef) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ServiceRole ¶
// ServiceRole carries a ServiceRoleSpec (a list of AccessRules) together with
// type and object metadata.
type ServiceRole struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Spec defines the implementation of this definition.
	// +optional
	Spec ServiceRoleSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
func (*ServiceRole) DeepCopy ¶
func (in *ServiceRole) DeepCopy() *ServiceRole
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceRole.
func (*ServiceRole) DeepCopyInto ¶
func (in *ServiceRole) DeepCopyInto(out *ServiceRole)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ServiceRole) DeepCopyObject ¶
func (in *ServiceRole) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ServiceRoleBinding ¶
// ServiceRoleBinding carries a ServiceRoleBindingSpec (subjects plus a role
// reference) together with type and object metadata.
type ServiceRoleBinding struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Spec defines the implementation of this definition.
	// +optional
	Spec ServiceRoleBindingSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
func (*ServiceRoleBinding) DeepCopy ¶
func (in *ServiceRoleBinding) DeepCopy() *ServiceRoleBinding
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceRoleBinding.
func (*ServiceRoleBinding) DeepCopyInto ¶
func (in *ServiceRoleBinding) DeepCopyInto(out *ServiceRoleBinding)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ServiceRoleBinding) DeepCopyObject ¶
func (in *ServiceRoleBinding) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ServiceRoleBindingList ¶
type ServiceRoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Items holds the ServiceRoleBinding objects in the list.
	Items []ServiceRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}
ServiceRoleBindingList is a collection of ServiceRoleBindings.
func (*ServiceRoleBindingList) DeepCopy ¶
func (in *ServiceRoleBindingList) DeepCopy() *ServiceRoleBindingList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceRoleBindingList.
func (*ServiceRoleBindingList) DeepCopyInto ¶
func (in *ServiceRoleBindingList) DeepCopyInto(out *ServiceRoleBindingList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ServiceRoleBindingList) DeepCopyObject ¶
func (in *ServiceRoleBindingList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ServiceRoleBindingSpec ¶
// ServiceRoleBindingSpec is the Spec of a ServiceRoleBinding: the subjects and
// the ServiceRole they are assigned.
type ServiceRoleBindingSpec struct {
	// List of subjects that are assigned the ServiceRole object.
	Subjects []Subject `protobuf:"bytes,1,rep,name=subjects,proto3" json:"subjects,omitempty"`
	// Reference to the ServiceRole object.
	RoleRef RoleRef `protobuf:"bytes,2,opt,name=roleRef,proto3" json:"roleRef,omitempty"`
	// $hide_from_docs
	// Indicates enforcement mode of the ServiceRoleBinding.
	// The zero value is ENFORCED; a binding set to PERMISSIVE is not enforced.
	Mode EnforcementMode `protobuf:"varint,3,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.EnforcementMode" json:"mode,omitempty"`
	// NOTE(review): Actions and Role carry no comment in this listing. RoleRef
	// is the documented way to name the ServiceRole; confirm how Actions and
	// Role interact with RoleRef before relying on them in a policy.
	Actions []AccessRule `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"`
	Role    string       `protobuf:"bytes,5,opt,name=role,proto3" json:"role,omitempty"`
}
func (*ServiceRoleBindingSpec) DeepCopy ¶
func (in *ServiceRoleBindingSpec) DeepCopy() *ServiceRoleBindingSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceRoleBindingSpec.
func (*ServiceRoleBindingSpec) DeepCopyInto ¶
func (in *ServiceRoleBindingSpec) DeepCopyInto(out *ServiceRoleBindingSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ServiceRoleList ¶
type ServiceRoleList struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Items holds the ServiceRole objects in the list.
	Items []ServiceRole `json:"items" protobuf:"bytes,2,rep,name=items"`
}
ServiceRoleList is a collection of ServiceRoles.
func (*ServiceRoleList) DeepCopy ¶
func (in *ServiceRoleList) DeepCopy() *ServiceRoleList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceRoleList.
func (*ServiceRoleList) DeepCopyInto ¶
func (in *ServiceRoleList) DeepCopyInto(out *ServiceRoleList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ServiceRoleList) DeepCopyObject ¶
func (in *ServiceRoleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ServiceRoleSpec ¶
// ServiceRoleSpec is the Spec of a ServiceRole.
type ServiceRoleSpec struct {
	// Rules is the list of AccessRules that make up the role.
	Rules []AccessRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
}
func (*ServiceRoleSpec) DeepCopy ¶
func (in *ServiceRoleSpec) DeepCopy() *ServiceRoleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceRoleSpec.
func (*ServiceRoleSpec) DeepCopyInto ¶
func (in *ServiceRoleSpec) DeepCopyInto(out *ServiceRoleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Subject ¶
// Subject describes who a ServiceRoleBinding applies to. It is the element
// type of ServiceRoleBindingSpec.Subjects.
//
// The list-valued matchers are wildcards when unset: per the field comments,
// unset Groups, Namespaces and Ips apply to any group, namespace and IP
// address, and a "\*" in Names matches any name. Fill in the fields that are
// meant to restrict the subject.
type Subject struct {
	// Optional. The user name/ID that the subject represents.
	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
	// $hide_from_docs
	// Optional. A list of subject names. This is matched to the
	// `source.principal` attribute. If one of subject names is "\*", it matches to a subject with any name.
	// Prefix and suffix matches are supported.
	Names []string `protobuf:"bytes,4,rep,name=names,proto3" json:"names,omitempty"`
	// $hide_from_docs
	// Optional. A list of subject names that must not be matched.
	NotNames []string `protobuf:"bytes,5,rep,name=not_names,json=notNames,proto3" json:"not_names,omitempty"`
	// $hide_from_docs
	// Optional. The group that the subject belongs to.
	// Deprecated. Use groups and not_groups instead.
	Group string `protobuf:"bytes,2,opt,name=group,proto3" json:"group,omitempty"` // Deprecated: Do not use.
	// $hide_from_docs
	// Optional. A list of groups that the subject represents. This is matched to the
	// `request.auth.claims[groups]` attribute. If not specified, it applies to any groups.
	Groups []string `protobuf:"bytes,6,rep,name=groups,proto3" json:"groups,omitempty"`
	// $hide_from_docs
	// Optional. A list of groups that must not be matched.
	NotGroups []string `protobuf:"bytes,7,rep,name=not_groups,json=notGroups,proto3" json:"not_groups,omitempty"`
	// $hide_from_docs
	// Optional. A list of namespaces that the subject represents. This is matched to
	// the `source.namespace` attribute. If not specified, it applies to any namespaces.
	Namespaces []string `protobuf:"bytes,8,rep,name=namespaces,proto3" json:"namespaces,omitempty"`
	// $hide_from_docs
	// Optional. A list of namespaces that must not be matched.
	NotNamespaces []string `protobuf:"bytes,9,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"`
	// $hide_from_docs
	// Optional. A list of IP addresses or CIDR ranges that the subject represents.
	// E.g. 192.168.100.2 or 10.1.0.0/16.
	// If not specified, it applies to any IP addresses.
	Ips []string `protobuf:"bytes,10,rep,name=ips,proto3" json:"ips,omitempty"`
	// $hide_from_docs
	// Optional. A list of IP addresses or CIDR ranges that must not be matched.
	NotIps []string `protobuf:"bytes,11,rep,name=not_ips,json=notIps,proto3" json:"not_ips,omitempty"`
	// Optional. The set of properties that identify the subject.
	Properties map[string]string `` /* 161-byte string literal not displayed */
}
func (*Subject) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject.
func (*Subject) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.