Documentation
Overview
Package authz converts Istio RBAC (role-based access control) policies (ServiceRole and ServiceRoleBinding) to the corresponding filter config that the Envoy RBAC filter uses to enforce access control to the service co-located with Envoy. Currently the config is only generated for sidecar nodes on inbound HTTP/TCP listeners. The generation is controlled by RbacConfig (a singleton custom resource with cluster scope). Users can disable this plugin by either deleting the ClusterRbacConfig or setting ClusterRbacConfig.mode to OFF. Note: ClusterRbacConfig is not created by a default Istio installation, which means this plugin doesn't generate any RBAC config by default.
Package authz converts Istio authorization policies (ServiceRole and AuthorizationPolicy) to the corresponding filter config that the Envoy RBAC filter uses to enforce access control to the service co-located with Envoy. Currently the config is only generated for sidecar nodes on inbound HTTP/TCP listeners. The generation is controlled by ClusterRbacConfig (a singleton custom resource with cluster scope). Users can disable this plugin by either deleting the ClusterRbacConfig or setting ClusterRbacConfig.mode to OFF. Note: ClusterRbacConfig is not created by a default Istio installation, which means this plugin doesn't generate any RBAC config by default.
Changes in rbac_v2.go compared to rbac.go:
- Deprecate ServiceRoleBinding. Only two CRDs are supported: ServiceRole and AuthorizationPolicy.
- Allow multiple bindings and roles in one CRD, i.e. Authorization.
- Support workload selector.
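The gating described in the overview, as an added example in Go (not code from this package): a simplified model of how ClusterRbacConfig decides whether RBAC filter config is generated for a service, showing that a missing resource or mode OFF leaves the service unenforced. The `Config`, `Target`, `has` and `Enforced` names are hypothetical, and the ON, ON_WITH_INCLUSION and ON_WITH_EXCLUSION modes with their inclusion/exclusion lists are assumed from the Istio RBAC API rather than stated on this page.

```go
package main

import "fmt"

// Mode mirrors ClusterRbacConfig.mode; values other than OFF are assumed from the Istio RBAC API.
type Mode int

const (
	Off Mode = iota
	On
	OnWithInclusion
	OnWithExclusion
)

// Target and Config are simplified, hypothetical stand-ins for the CRD fields.
type Target struct{ Services, Namespaces []string }
type Config struct {
	Mode                 Mode
	Inclusion, Exclusion Target
}

func has(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Enforced reports whether RBAC filter config would be generated for a service.
// A nil cfg models a cluster without a ClusterRbacConfig: nothing is enforced.
func Enforced(cfg *Config, svc, ns string) bool {
	if cfg == nil {
		return false
	}
	switch cfg.Mode {
	case On:
		return true
	case OnWithInclusion:
		return has(cfg.Inclusion.Services, svc) || has(cfg.Inclusion.Namespaces, ns)
	case OnWithExclusion:
		return !(has(cfg.Exclusion.Services, svc) || has(cfg.Exclusion.Namespaces, ns))
	}
	return false // Off or an unknown mode: no RBAC config is generated
}

func main() {
	fmt.Println(Enforced(nil, "a.prod.svc.cluster.local", "prod")) // constructed service name
}
```

Running `Enforced` over every service in a cluster inventory lists the workloads that receive no RBAC filter at all, which is the default state until a ClusterRbacConfig exists.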
Index
- func NewPlugin() plugin.Plugin
- type Plugin
- func (Plugin) OnInboundCluster(in *plugin.InputParams, cluster *xdsapi.Cluster)
- func (Plugin) OnInboundFilterChains(in *plugin.InputParams) []plugin.FilterChain
- func (Plugin) OnInboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
- func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
- func (Plugin) OnOutboundCluster(in *plugin.InputParams, cluster *xdsapi.Cluster)
- func (Plugin) OnOutboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
- func (Plugin) OnOutboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Plugin
type Plugin struct{}
Plugin implements Istio RBAC authz.
func (Plugin) OnInboundCluster
func (Plugin) OnInboundCluster(in *plugin.InputParams, cluster *xdsapi.Cluster)
OnInboundCluster implements the Plugin interface method.
func (Plugin) OnInboundFilterChains
func (Plugin) OnInboundFilterChains(in *plugin.InputParams) []plugin.FilterChain
OnInboundFilterChains is called whenever a plugin needs to set up the filter chains, including relevant filter chain configuration.
func (Plugin) OnInboundListener
func (Plugin) OnInboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
OnInboundListener is called whenever a new listener is added to the LDS output for a given service. It can be used to add additional filters (e.g., mixer filter) or to add more configuration to the HTTP connection manager on the inbound path.
func (Plugin) OnInboundRouteConfiguration
func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
OnInboundRouteConfiguration implements the Plugin interface method.
func (Plugin) OnOutboundCluster
func (Plugin) OnOutboundCluster(in *plugin.InputParams, cluster *xdsapi.Cluster)
OnOutboundCluster implements the Plugin interface method.
func (Plugin) OnOutboundListener
func (Plugin) OnOutboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
OnOutboundListener is called whenever a new outbound listener is added to the LDS output for a given service. It can be used to add additional filters on the outbound path.
func (Plugin) OnOutboundRouteConfiguration
func (Plugin) OnOutboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
OnOutboundRouteConfiguration implements the Plugin interface method.