Overview ¶
Package has auto-generated kube type wrappers for raw types. +k8s:openapi-gen=true +k8s:deepcopy-gen=package
Constants ¶
const (
	// Package-wide consts from generator "register".
	// GroupName is the Kubernetes API group under which Policy and MeshPolicy
	// are registered; SchemeGroupVersion below is built from it.
	GroupName = "authentication.istio.io"
)
Variables ¶
var (
	// Package-wide variables from generator "register".
	// SchemeGroupVersion identifies authentication.istio.io/v1alpha1, the
	// group/version every type in this package is served under.
	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
)
Functions ¶
This section is empty.
Types ¶
type Jwt ¶
type Jwt struct {
	// Identifies the issuer that issued the JWT. See
	// [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
	// Usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT
	// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
	// that are allowed to access. A JWT containing any of these
	// audiences will be accepted.
	//
	// The service name will be accepted if audiences is empty.
	//
	// Security note: set this explicitly when the same issuer mints tokens for
	// several services; the `aud` check is what stops a token issued for
	// service A from being replayed against service B.
	//
	// Example:
	//
	// ```yaml
	// audiences:
	// - bookstore_android.apps.googleusercontent.com
	// - bookstore_web.apps.googleusercontent.com
	// ```
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// URL of the provider's public key set to validate signature of the
	// JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
	//
	// Optional if the key set document can either (a) be retrieved from
	// [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
	// the issuer or (b) inferred from the email domain of the issuer (e.g. a
	// Google service account).
	//
	// Example: `https://www.googleapis.com/oauth2/v1/certs`
	//
	// Security note: the keys fetched from this URL are the root of trust for
	// every token this method accepts. Use an https URL so the key set cannot
	// be substituted in transit, and make sure egress to that host is actually
	// permitted; how a failed fetch is handled is not shown here.
	//
	// Note: Only one of jwks_uri and jwks should be used.
	JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwksUri,omitempty"`
	// JSON Web Key Set of public keys to validate signature of the JWT.
	// See https://auth0.com/docs/jwks.
	//
	// Inline keys are not refreshed: rotating the issuer's signing key means
	// updating this policy, so prefer jwks_uri where rotation is expected.
	//
	// Note: Only one of jwks_uri and jwks should be used.
	Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"`
	// JWT is sent in a request header. `header` represents the
	// header name.
	//
	// For example, if `header=x-goog-iap-jwt-assertion`, the header
	// format will be `x-goog-iap-jwt-assertion: <JWT>`.
	//
	// NOTE(review): where the token is looked for when both jwt_headers and
	// jwt_params are empty is not shown here (presumably the standard
	// Authorization header) -- confirm with the proxy filter before relying on it.
	JwtHeaders []string `protobuf:"bytes,6,rep,name=jwt_headers,json=jwtHeaders,proto3" json:"jwtHeaders,omitempty"`
	// JWT is sent in a query parameter. `query` represents the
	// query parameter name.
	//
	// For example, `query=jwt_token`.
	//
	// Security note: tokens carried in the query string end up in access logs,
	// browser history and Referer headers; prefer jwt_headers unless the
	// client genuinely cannot set a header.
	JwtParams []string `protobuf:"bytes,7,rep,name=jwt_params,json=jwtParams,proto3" json:"jwtParams,omitempty"`
	// List of trigger rules to decide if this JWT should be used to validate the
	// request. The JWT validation happens if any one of the rules matched.
	// If the list is not empty and none of the rules matched, authentication will
	// skip the JWT validation.
	// Leave this empty to always trigger the JWT validation.
	//
	// A skipped method contributes no origin identity (see PolicySpec.Origins),
	// so every path left out by these rules is effectively public at this
	// layer unless another method or an authorization policy covers it.
	TriggerRules []JwtTriggerRule `protobuf:"bytes,9,rep,name=trigger_rules,json=triggerRules,proto3" json:"triggerRules,omitempty"`
}
JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.
For example:
A JWT for any requests:
```yaml
issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
- bookstore_web.apps.googleusercontent.com
jwksUri: https://example.com/.well-known/jwks.json
```
A JWT for all requests except requests at path `/health_check` and paths with prefix `/status/`. This is useful to expose some paths for public access but keep the others JWT-validated. Note that every excluded path is reachable without a token, so keep the exclusion list as narrow as possible.
```yaml
issuer: https://example.com
jwksUri: https://example.com/.well-known/jwks.json
triggerRules:
- excludedPaths:
  - exact: /health_check
  - prefix: /status/
```
A JWT only for requests at path `/admin`. This is useful to require JWT validation only on a specific set of paths while keeping the others publicly accessible. Note that `prefix: /admin` also matches paths such as `/administrator`; use `/admin/` if only the subtree is meant.
```yaml
issuer: https://example.com
jwksUri: https://example.com/.well-known/jwks.json
triggerRules:
- includedPaths:
  - prefix: /admin
```
A JWT only for requests at paths with prefix `/status/`, except the path `/status/version`. This means any request path with prefix `/status/`, other than `/status/version`, requires a valid JWT to proceed.
```yaml
issuer: https://example.com
jwksUri: https://example.com/.well-known/jwks.json
triggerRules:
- excludedPaths:
  - exact: /status/version
  includedPaths:
  - prefix: /status/
```
func (*Jwt) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt.
func (*Jwt) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JwtTriggerRule ¶
type JwtTriggerRule struct {
	// List of paths to be excluded from the request. The rule is satisfied if
	// the request path does not match any of the paths in this list.
	//
	// Security note: a request whose path is listed here does not trigger JWT
	// validation for this method, so treat the list as an explicit allowlist
	// of public endpoints. Matching is case-sensitive (see StringMatch);
	// whether the path is normalized (".." segments, duplicate slashes,
	// percent-encoding) before comparison is not shown here -- confirm with
	// the proxy implementation before relying on a prefix exclusion.
	ExcludedPaths []StringMatch `protobuf:"bytes,1,rep,name=excluded_paths,json=excludedPaths,proto3" json:"excludedPaths,omitempty"`
	// List of paths that the request must include. If the list is not empty, the
	// rule is satisfied if the request path matches at least one path in the list.
	// If the list is empty, the rule is ignored; in other words the rule is always satisfied.
	IncludedPaths []StringMatch `protobuf:"bytes,2,rep,name=included_paths,json=includedPaths,proto3" json:"includedPaths,omitempty"`
}
Trigger rule to match against a request. The trigger rule is satisfied if and only if both conditions, `excluded_paths` and `included_paths`, are satisfied.
func (*JwtTriggerRule) DeepCopy ¶
func (in *JwtTriggerRule) DeepCopy() *JwtTriggerRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JwtTriggerRule.
func (*JwtTriggerRule) DeepCopyInto ¶
func (in *JwtTriggerRule) DeepCopyInto(out *JwtTriggerRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MeshPolicy ¶
// MeshPolicy is the mesh-wide form of Policy. The generator tags in the
// package documentation mark it genclient:nonNamespaced, i.e. it is a
// cluster-scoped resource, and its Spec has the same shape as Policy's.
type MeshPolicy struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Spec defines the implementation of this definition.
	// +optional
	Spec PolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
Policy defines what authentication methods can be accepted on workload(s), and, if authenticated, which method/certificate will set the request principal (i.e. the `request.auth.principal` attribute).
Authentication policy is composed of two parts:
- peer: verify the caller service's credentials. This part sets `source.user` (peer identity).
- origin: verify the origin credentials. This part sets `request.auth.user` (origin identity), as well as other attributes like `request.auth.presenter`, `request.auth.audiences` and the raw claims. Note that the identity could be an end-user, a service account, a device, etc.
Last but not least, the principal binding rule defines which identity (peer or origin) should be used as the principal. By default, it uses peer.
Examples:
Policy to enable mTLS for all services in namespace frod. The policy name must be `default`, and it contains no rule for `targets`.
```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: frod
spec:
  peers:
  - mtls:
```
Policy to disable mTLS for the "productpage" service. Because no `peers` entry is present, peer authentication is not required for this target (see `PolicySpec.Peers`).
```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: productpage-mTLS-disable
  namespace: frod
spec:
  targets:
  - name: productpage
```
Policy to require mTLS for peer authentication, and a JWT for origin authentication, for productpage:9000, except for the path `/health_check`. The principal is set from the origin identity.
```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: productpage-mTLS-with-JWT
  namespace: frod
spec:
  targets:
  - name: productpage
    ports:
    - number: 9000
  peers:
  - mtls:
  origins:
  - jwt:
      issuer: "https://securetoken.google.com"
      audiences:
      - "productpage"
      jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
      jwtHeaders:
      - "x-goog-iap-jwt-assertion"
      triggerRules:
      - excludedPaths:
        - exact: /health_check
  principalBinding: USE_ORIGIN
```
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=authentication.istio.io/v1alpha1 +kubetype-gen:kubeType=Policy +kubetype-gen:kubeType=MeshPolicy +kubetype-gen:MeshPolicy:tag=genclient:nonNamespaced +genclient +k8s:deepcopy-gen=true -->
func (*MeshPolicy) DeepCopy ¶
func (in *MeshPolicy) DeepCopy() *MeshPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshPolicy.
func (*MeshPolicy) DeepCopyInto ¶
func (in *MeshPolicy) DeepCopyInto(out *MeshPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*MeshPolicy) DeepCopyObject ¶
func (in *MeshPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type MeshPolicyList ¶
// MeshPolicyList is the list type returned when MeshPolicy resources are
// listed through the API server.
type MeshPolicyList struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Items holds the policies in this list page.
	Items []MeshPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}
MeshPolicyList is a collection of MeshPolicies.
func (*MeshPolicyList) DeepCopy ¶
func (in *MeshPolicyList) DeepCopy() *MeshPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshPolicyList.
func (*MeshPolicyList) DeepCopyInto ¶
func (in *MeshPolicyList) DeepCopyInto(out *MeshPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*MeshPolicyList) DeepCopyObject ¶
func (in *MeshPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type MutualTls ¶
type MutualTls struct {
	// WILL BE DEPRECATED; if set, it will translate to `TLS_PERMISSIVE` mode.
	// Set this flag to true to allow regular TLS (i.e. without a client x509
	// certificate). If the request carries a client certificate, identity will be
	// extracted and used (set to peer identity). Otherwise, peer identity will
	// be left unset.
	// When the flag is false (default), the request must have a client certificate.
	//
	// NOTE(review): this JSON key is snake_case (allow_tls) while every other
	// field in this package is camelCase (e.g. peerIsOptional). A manifest
	// written as `allowTls: true` would most likely be ignored rather than
	// rejected, leaving the default (strict) behaviour -- fail-closed, but
	// surprising. Confirm which spelling the API server accepts before use.
	AllowTls bool `json:"allow_tls,omitempty"`
	// Defines the mode of mTLS authentication. The zero value is STRICT, so
	// omitting this field requires a client certificate; only PERMISSIVE
	// relaxes that.
	Mode MutualTls_Mode `json:"mode,omitempty"`
}
TLS authentication params.
func (*MutualTls) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls.
func (*MutualTls) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MutualTls_Mode ¶
// MutualTls_Mode selects the acceptable connection TLS mode; see the STRICT
// and PERMISSIVE constants. Its zero value is STRICT.
type MutualTls_Mode int32
Defines the acceptable connection TLS mode.
const (
	// Client cert must be presented, connection is in TLS.
	// This is the zero value, so it is what an unset Mode means.
	STRICT MutualTls_Mode = 0
	// Connection can be either plaintext or TLS, and client cert can be omitted.
	//
	// Security note: per the AllowTls description on MutualTls, peer identity
	// is only set when a certificate happens to be presented; plaintext callers
	// are accepted with no peer identity at all. Treat this as a migration
	// setting and move to STRICT once all clients speak mTLS.
	PERMISSIVE MutualTls_Mode = 1
)
type OriginAuthenticationMethod ¶
type OriginAuthenticationMethod struct {
	// Jwt params for the method. JWT is currently the only supported origin
	// method, so an entry with jwt unset configures nothing usable; whether
	// such an entry is rejected at admission time is not shown here.
	Jwt *Jwt `protobuf:"bytes,1,opt,name=jwt,proto3" json:"jwt,omitempty"`
}
OriginAuthenticationMethod defines authentication method/params for origin authentication. Origin could be end-user, device, delegate service etc. Currently, only JWT is supported for origin authentication.
func (*OriginAuthenticationMethod) DeepCopy ¶
func (in *OriginAuthenticationMethod) DeepCopy() *OriginAuthenticationMethod
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod.
func (*OriginAuthenticationMethod) DeepCopyInto ¶
func (in *OriginAuthenticationMethod) DeepCopyInto(out *OriginAuthenticationMethod)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PeerAuthenticationMethod ¶
// PeerAuthenticationMethod is one entry of PolicySpec.Peers. In the
// underlying proto the method is a oneof (mtls or jwt); this wrapper only
// exposes the mtls variant.
type PeerAuthenticationMethod struct {
	// Types that are valid to be assigned to Params in the underlying proto:
	// *PeerAuthenticationMethod_Mtls
	// *PeerAuthenticationMethod_Jwt
	//
	// NOTE(review): there is no Jwt field on this struct, so a JWT-based peer
	// method cannot be expressed through this kube type. Also, `omitempty`
	// has no effect on a struct value in encoding/json, so mtls is always
	// serialized (as `{}` when zero, which reads as STRICT mode).
	Mtls MutualTls `json:"mtls,omitempty"`
}
func (*PeerAuthenticationMethod) DeepCopy ¶
func (in *PeerAuthenticationMethod) DeepCopy() *PeerAuthenticationMethod
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod.
func (*PeerAuthenticationMethod) DeepCopyInto ¶
func (in *PeerAuthenticationMethod) DeepCopyInto(out *PeerAuthenticationMethod)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Policy ¶
// Policy is the namespaced authentication policy resource; see the package
// documentation for the semantics of peers, origins and principal binding.
type Policy struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Spec defines the implementation of this definition.
	// +optional
	// NOTE(review): unlike MeshPolicy.Spec, this field carries no protobuf
	// tag. Harmless for JSON/YAML round-trips, but worth aligning if protobuf
	// encoding of Policy is ever expected.
	Spec PolicySpec `json:"spec,omitempty"`
}
func (*Policy) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (*Policy) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Policy) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyList ¶
// PolicyList is the list type returned when Policy resources are listed
// through the API server.
type PolicyList struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Items holds the policies in this list page.
	Items []Policy `json:"items" protobuf:"bytes,2,rep,name=items"`
}
PolicyList is a collection of Policies.
func (*PolicyList) DeepCopy ¶
func (in *PolicyList) DeepCopy() *PolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList.
func (*PolicyList) DeepCopyInto ¶
func (in *PolicyList) DeepCopyInto(out *PolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyList) DeepCopyObject ¶
func (in *PolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicySpec ¶
type PolicySpec struct {
	// List of rules to select workloads that the policy should be applied on.
	// If empty, the policy will be used on all workloads in the same namespace.
	Targets []TargetSelector `json:"targets,omitempty"`
	// List of authentication methods that can be used for peer authentication.
	// They will be evaluated in order; the first one that validates will be used to
	// set peer identity (source.user) and other peer attributes. If none of
	// these methods pass, the request will be rejected with an authentication failed error (401).
	// Leave the list empty if peer authentication is not required.
	Peers []PeerAuthenticationMethod `json:"peers,omitempty"`
	// Set this flag to true to accept the request (from the peer authentication perspective),
	// even when none of the peer authentication methods defined above are satisfied.
	// Typically, this is used to delay the rejection decision to the next layer (e.g.
	// authorization).
	//
	// Security note: with this set, peer authentication is advisory only -- an
	// unauthenticated caller is admitted with source.user unset. Only enable it
	// when the next layer is known to deny requests that carry no peer identity.
	//
	// This flag is ignored if no authentication is defined for peer (peers field is empty).
	PeerIsOptional bool `json:"peerIsOptional,omitempty"`
	// List of authentication methods that can be used for origin authentication.
	// Similar to peers, these will be evaluated in order; the first one that validates
	// will be used to set origin identity and attributes (i.e. request.auth.user,
	// request.auth.issuer etc). If none of these methods pass, the request will be
	// rejected with an authentication failed error (401).
	// A method may be skipped, depending on its trigger rules. If all of these methods
	// are skipped, origin authentication will be ignored, as if it were not defined.
	// Leave the list empty if origin authentication is not required.
	Origins []OriginAuthenticationMethod `json:"origins,omitempty"`
	// Set this flag to true to accept the request (from the origin authentication perspective),
	// even when none of the origin authentication methods defined above are satisfied.
	// Typically, this is used to delay the rejection decision to the next layer (e.g.
	// authorization).
	//
	// Security note: same caveat as PeerIsOptional -- a request with a missing
	// or invalid token is admitted, presumably with the request.auth.*
	// attributes unset, so authorization must not assume they are present.
	//
	// This flag is ignored if no authentication is defined for origin (origins field is empty).
	OriginIsOptional bool `json:"originIsOptional,omitempty"`
	// Define whether peer or origin identity should be used as the principal. Default
	// value is USE_PEER.
	// If the peer (or origin) identity is not available, either because peer/origin
	// authentication is not defined, or failed, the principal will be left unset.
	// In other words, the binding rule does not affect the decision to accept or
	// reject the request.
	//
	// NOTE(review): the Go zero value of PrincipalBinding is the empty string,
	// not USE_PEER; the documented default is presumably applied by whatever
	// consumes the policy, not by this type.
	PrincipalBinding PrincipalBinding `json:"principalBinding,omitempty"`
}
func (*PolicySpec) DeepCopy ¶
func (in *PolicySpec) DeepCopy() *PolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.
func (*PolicySpec) DeepCopyInto ¶
func (in *PolicySpec) DeepCopyInto(out *PolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PortSelector ¶
// PortSelector identifies a service port either by number or by name. In the
// underlying proto these form a oneof; here both fields are present, so a
// manifest should set exactly one (behaviour when both or neither are set is
// not shown here).
type PortSelector struct {
	// Types that are valid to be assigned to Port in the underlying proto:
	// *PortSelector_Number
	// *PortSelector_Name
	// Number is the service port number (no range check is visible here;
	// presumably values above 65535 are rejected elsewhere).
	Number uint32 `json:"number,omitempty"`
	// Name is the service port name as declared on the Service.
	Name string `json:"name,omitempty"`
}
func (*PortSelector) DeepCopy ¶
func (in *PortSelector) DeepCopy() *PortSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector.
func (*PortSelector) DeepCopyInto ¶
func (in *PortSelector) DeepCopyInto(out *PortSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PrincipalBinding ¶
// PrincipalBinding names which verified identity (peer or origin) becomes
// the request principal; see the USE_PEER and USE_ORIGIN constants.
type PrincipalBinding string
Associates authentication with request principal.
const (
	// Principal will be set to the identity from peer authentication
	// (source.user). This is the documented default for PolicySpec.PrincipalBinding.
	USE_PEER PrincipalBinding = "USE_PEER"
	// Principal will be set to the identity from origin authentication
	// (request.auth.user). If origin authentication is absent or failed, the
	// principal is left unset rather than falling back to the peer identity.
	USE_ORIGIN PrincipalBinding = "USE_ORIGIN"
)
type StringMatch ¶
// StringMatch describes how to match a given string. Exactly one of the
// fields is meant to be set (they form a oneof in the underlying proto);
// which one wins if several are set is not shown here. Match is case-sensitive.
type StringMatch struct {
	// Types that are valid to be assigned to MatchType in the underlying proto:
	// *StringMatch_Exact
	// *StringMatch_Prefix
	// *StringMatch_Suffix
	// *StringMatch_Regex
	Exact string `json:"exact,omitempty"`
	// Prefix matches any string starting with this value; note that
	// `/admin` also matches `/administrator`.
	Prefix string `json:"prefix,omitempty"`
	Suffix string `json:"suffix,omitempty"`
	// Security note: regex is the most error-prone option for an
	// authentication decision -- an unanchored pattern widens a match, and
	// the regex dialect and any implicit anchoring are not shown here. Prefer
	// exact or prefix where they suffice.
	Regex string `json:"regex,omitempty"`
}
Describes how to match a given string. Match is case-sensitive.
func (*StringMatch) DeepCopy ¶
func (in *StringMatch) DeepCopy() *StringMatch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch.
func (*StringMatch) DeepCopyInto ¶
func (in *StringMatch) DeepCopyInto(out *StringMatch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TargetSelector ¶
type TargetSelector struct {
	// The name must be a short name from the service registry. The
	// fully qualified domain name will be resolved in a platform specific manner.
	Name string `json:"name,omitempty"`
	// Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.
	// For example, if a service is defined as below, then `8000` should be used, not `9000`.
	// ```yaml
	// kind: Service
	// metadata:
	//   ...
	// spec:
	//   ports:
	//   - name: http
	//     port: 8000
	//     targetPort: 9000
	//   selector:
	//     app: backend
	// ```
	// Leave empty to match all ports that are exposed.
	//
	// Security note: a selector that names the workload port (9000 above)
	// instead of the service port would not match the intended port, leaving
	// it on whatever the namespace or mesh default is. Verify port numbers
	// against the Service, not the Deployment.
	Ports []PortSelector `json:"ports,omitempty"`
}
func (*TargetSelector) DeepCopy ¶
func (in *TargetSelector) DeepCopy() *TargetSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector.
func (*TargetSelector) DeepCopyInto ¶
func (in *TargetSelector) DeepCopyInto(out *TargetSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.