This package holds auto-generated Kubernetes type wrappers for the raw (protobuf-tagged) Istio security types; the wrappers are what the Kubernetes API machinery (scheme registration, deepcopy, OpenAPI) works with. Code-generation markers for the package:

+k8s:openapi-gen=true
+k8s:deepcopy-gen=package
Constants ¶
// GroupName is the Kubernetes API group that every resource type in this
// package is registered under. It is emitted by the "register" generator and
// reused by SchemeGroupVersion.
const GroupName = "security.istio.io"
Variables ¶
// SchemeGroupVersion is the group/version (security.istio.io/v1beta1) used to
// register this package's types with a runtime.Scheme. Emitted by the
// "register" generator.
var SchemeGroupVersion = schema.GroupVersion{
	Group:   GroupName,
	Version: "v1beta1",
}
Types ¶
type AuthorizationPolicy ¶
// AuthorizationPolicy is the Kubernetes resource wrapper for an Istio
// authorization policy: standard type/object metadata plus the policy Spec.
type AuthorizationPolicy struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Spec defines the implementation of this definition.
	// NOTE(review): Spec is optional; with an absent/empty Spec there are no
	// Rules, and AuthorizationPolicySpec documents that with no rules access
	// is denied unless another policy allows it (the "deny-all" example).
	// +optional
	Spec AuthorizationPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
AuthorizationPolicy enables access control on workloads.
For example, the following authorization policy denies all requests to workloads in namespace foo. Its `spec` is empty, so it has no `rules`, and a policy with no rules allows nothing:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: foo
spec:
```
The following authorization policy allows all requests to workloads in namespace foo. It has a single empty rule (`{}`), and a rule with no `from`, `to` or `when` sections matches any source, any operation and any condition:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-all
  namespace: foo
spec:
  rules:
  - {}
```
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->
type AuthorizationPolicyList ¶
// AuthorizationPolicyList is the list wrapper returned by the Kubernetes API
// when listing AuthorizationPolicy resources.
type AuthorizationPolicyList struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Items holds the policies in this list; the field is required (no omitempty).
	Items []AuthorizationPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}
AuthorizationPolicyList is a collection of AuthorizationPolicies.
type AuthorizationPolicySpec ¶
// AuthorizationPolicySpec describes which workloads a policy applies to
// (Selector) and which requests are allowed to reach them (Rules).
type AuthorizationPolicySpec struct {
	// Optional. Workload selector decides where to apply the authorization policy.
	// If not set, the authorization policy will be applied to all workloads in the
	// same namespace as the authorization policy.
	//
	// NOTE(review): because an absent selector widens the policy to every
	// workload in the namespace, the difference between "no selector" and a
	// selector whose labels match nothing is significant for the effective
	// scope — confirm the intended target set when authoring a policy.
	Selector *WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
	// Optional. A list of rules to specify the allowed access to the workload.
	//
	// If not set, access is denied unless explicitly allowed by other authorization policy.
	//
	// NOTE(review): this type only expresses allow rules (there is no action or
	// deny field), so the default for a selected workload is deny and an empty
	// rule ({}) allows everything. Presumably a request is allowed if any one
	// rule matches — confirm against the Istio reference before relying on it.
	Rules []*Rule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"`
}
type Condition ¶
// Condition is an extra constraint on a request, expressed as an Istio
// attribute name and the set of values it is allowed to take.
type Condition struct {
	// The name of an Istio attribute.
	// See the [full list of supported attributes](https://istio.io/docs/reference/config/).
	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// The allowed values for the attribute.
	//
	// NOTE(review): only an allow-list of values is expressible here; this type
	// has no negated form, so "anything except X" cannot be written as a single
	// condition. Presumably any listed value satisfies the condition — confirm.
	Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"`
}
type Operation ¶
// Operation describes the request being made (host, port, method, path).
// Every field is optional, and an unset field places no constraint on that
// dimension of the request.
//
// NOTE(review): Hosts, Methods and Paths are documented as HTTP/gRPC-only.
// This type does not say what happens when such a field is set on a rule that
// sees plain TCP traffic — confirm the proxy's behaviour before relying on a
// host- or path-based rule for non-HTTP ports.
type Operation struct {
	// Optional. A list of hosts, which matches to the "request.host" attribute.
	//
	// If not set, any host is allowed. Must be used only with HTTP.
	Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"`
	// Optional. A list of ports, which matches to the "destination.port" attribute.
	//
	// If not set, any port is allowed.
	Ports []string `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"`
	// Optional. A list of methods, which matches to the "request.method" attribute.
	// For gRPC service, this should be the fully-qualified name in the form of
	// "/package.service/method"
	//
	// If not set, any method is allowed. Must be used only with HTTP or gRPC.
	Methods []string `protobuf:"bytes,3,rep,name=methods,proto3" json:"methods,omitempty"`
	// Optional. A list of paths, which matches to the "request.url_path" attribute.
	//
	// If not set, any path is allowed. Must be used only with HTTP.
	//
	// NOTE(review): the match is against the request path as the proxy sees it;
	// whether that path is normalized (percent-decoding, "/../" segments,
	// duplicate slashes) before matching is not specified here — confirm before
	// using a path allow-list as a security boundary.
	Paths []string `protobuf:"bytes,4,rep,name=paths,proto3" json:"paths,omitempty"`
}
type Rule ¶
// Rule is one allow rule: who may send the request (From), what they may do
// (To) and under which extra conditions (When). Each section is optional and
// an omitted section imposes no constraint, so an empty rule ({}) matches
// every request.
//
// NOTE(review): presumably all sections that are present must match for the
// rule to match — confirm against the Istio reference.
type Rule struct {
	// Optional. from specifies the source of a request.
	//
	// If not set, any source is allowed.
	From []*Rule_From `protobuf:"bytes,1,rep,name=from,proto3" json:"from,omitempty"`
	// Optional. to specifies the operation of a request.
	//
	// If not set, any operation is allowed.
	To []*Rule_To `protobuf:"bytes,2,rep,name=to,proto3" json:"to,omitempty"`
	// Optional. when specifies a list of additional conditions of a request.
	//
	// If not set, any condition is allowed.
	When []*Condition `protobuf:"bytes,3,rep,name=when,proto3" json:"when,omitempty"`
}
type Rule_From ¶
// Rule_From is one entry of Rule.From; it wraps a single Source constraint.
type Rule_From struct {
	// Source specifies the source of a request.
	Source *Source `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
}
type Rule_To ¶
// Rule_To is one entry of Rule.To; it wraps a single Operation constraint.
type Rule_To struct {
	// Operation specifies the operation of a request.
	Operation *Operation `protobuf:"bytes,1,opt,name=operation,proto3" json:"operation,omitempty"`
}
type Source ¶
// Source describes where a request comes from. Every field is optional and an
// unset field places no constraint on that attribute of the source.
type Source struct {
	// NOTE(review): this field carries no doc comment in the rendered source.
	// From its name and position next to RequestPrincipals it presumably is the
	// list of source peer identities (matching the "source.principal" attribute,
	// i.e. the identity established by the peer's certificate), with "any
	// principal" when unset — confirm against the Istio reference.
	Principals []string `protobuf:"bytes,1,rep,name=principals,proto3" json:"principals,omitempty"`
	// Optional. A list of request identities (i.e. "iss/sub" claims), which
	// matches to the "request.auth.principal" attribute.
	//
	// If not set, any request principal is allowed.
	//
	// NOTE(review): "iss/sub" claims suggests this comes from a validated token
	// on the request; a request-principal constraint is therefore only
	// meaningful where token validation is configured for the workload —
	// confirm how an unauthenticated request evaluates against this field.
	RequestPrincipals []string `protobuf:"bytes,2,rep,name=request_principals,json=requestPrincipals,proto3" json:"request_principals,omitempty"`
	// Optional. A list of namespaces, which matches to the "source.namespace"
	// attribute.
	//
	// If not set, any namespace is allowed.
	Namespaces []string `protobuf:"bytes,3,rep,name=namespaces,proto3" json:"namespaces,omitempty"`
	// Optional. A list of IP blocks, which matches to the "source.ip" attribute.
	// Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
	//
	// If not set, any IP is allowed.
	//
	// NOTE(review): "source.ip" presumably is the address of the immediate
	// downstream connection; when traffic arrives through a load balancer or
	// another proxy that address is the intermediary's, not the original
	// client's. Confirm before using IpBlocks as a client allow-list. This type
	// offers no way to match on a forwarded/original client address.
	IpBlocks []string `protobuf:"bytes,4,rep,name=ip_blocks,json=ipBlocks,proto3" json:"ip_blocks,omitempty"`
}
type WorkloadSelector ¶
// WorkloadSelector picks the workloads a policy applies to by label, within
// the policy's own namespace only.
type WorkloadSelector struct {
	// One or more labels that indicate a specific set of pods/VMs
	// on which a policy should be applied. The scope of label search is restricted to
	// the configuration namespace in which the resource is present.
	//
	// NOTE(review): the struct tag on this field is elided in this rendering
	// ("182-byte string literal not displayed"); the actual JSON/protobuf tag
	// is in the package source. Presumably every listed label must be present
	// on a workload for it to be selected — confirm against the Istio reference.
	MatchLabels map[string]string `` /* 182-byte string literal not displayed */
}