authz

package
v0.0.0-...-1a56975
Warning

This package is not in the latest version of its module.

Published: Apr 23, 2019 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Package authz converts Istio RBAC (role-based access control) policies (ServiceRole and ServiceRoleBinding) into the corresponding filter config that the Envoy RBAC filter uses to enforce access control to the service co-located with Envoy. Currently the config is only generated for sidecar nodes on inbound HTTP/TCP listeners. The generation is controlled by RbacConfig (a singleton custom resource with cluster scope). Users can disable this plugin by either deleting the ClusterRbacConfig or setting ClusterRbacConfig.mode to OFF. Note: ClusterRbacConfig is not created by the default Istio installation, which means this plugin doesn't generate any RBAC config by default.

Package authz converts Istio authorization policies (ServiceRole and AuthorizationPolicy) into the corresponding filter config that the Envoy RBAC filter uses to enforce access control to the service co-located with Envoy. Currently the config is only generated for sidecar nodes on inbound HTTP/TCP listeners. The generation is controlled by ClusterRbacConfig (a singleton custom resource with cluster scope). Users can disable this plugin by either deleting the ClusterRbacConfig or setting ClusterRbacConfig.mode to OFF. Note: ClusterRbacConfig is not created by the default Istio installation, which means this plugin doesn't generate any RBAC config by default.

Changes from rbac_v2.go compared to rbac.go:

* Deprecate ServiceRoleBinding. Only support two CRDs: ServiceRole and AuthorizationPolicy.
* Allow multiple bindings and roles in one CRD, i.e. Authorization.
* Support workload selector.
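A minimal model of the gating and conversion described in the first overview paragraph, added here as an illustration; it is not Istio's code. The struct types, BuildPolicies and the sample values are simplified, hypothetical stand-ins for the real CRDs and the generated filter config, and only the modes ON and OFF are modelled.

```go
package main

import "fmt"

// Simplified stand-ins for the CRDs named in the overview; not Istio's real types.
type ClusterRbacConfig struct{ Mode string } // only "ON" and "OFF" are modelled

type ServiceRole struct {
	Name           string
	Methods, Paths []string
}

type ServiceRoleBinding struct {
	RoleRef string
	Users   []string
}

// Policy stands in for one named policy in the generated filter config.
type Policy struct{ Methods, Paths, Principals []string }

// BuildPolicies returns (nil, false) when no filter config should be generated:
// ClusterRbacConfig absent or mode OFF. Otherwise it joins each binding to the
// role it references. Skipping bindings with an unknown RoleRef is this
// sketch's choice, not documented Istio behaviour.
func BuildPolicies(cfg *ClusterRbacConfig, roles []ServiceRole, bindings []ServiceRoleBinding) (map[string]Policy, bool) {
	if cfg == nil || cfg.Mode == "OFF" {
		return nil, false
	}
	byName := make(map[string]ServiceRole, len(roles))
	for _, r := range roles {
		byName[r.Name] = r
	}
	out := make(map[string]Policy)
	for _, b := range bindings {
		r, ok := byName[b.RoleRef]
		if !ok {
			continue
		}
		p := out[r.Name]
		p.Methods, p.Paths = r.Methods, r.Paths
		p.Principals = append(p.Principals, b.Users...)
		out[r.Name] = p
	}
	return out, true
}

func main() {
	// Constructed sample input.
	roles := []ServiceRole{{Name: "viewer", Methods: []string{"GET"}, Paths: []string{"/products"}}}
	bindings := []ServiceRoleBinding{{RoleRef: "viewer", Users: []string{"cluster.local/ns/default/sa/frontend"}}}
	for _, cfg := range []*ClusterRbacConfig{nil, {Mode: "OFF"}, {Mode: "ON"}} {
		policies, generated := BuildPolicies(cfg, roles, bindings)
		fmt.Println(generated, policies)
	}
}
```

The second return value keeps "no filter config generated" distinct from "filter config generated with zero policies", so a caller cannot confuse the two states.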

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewPlugin

func NewPlugin() plugin.Plugin

NewPlugin returns an instance of the authz plugin

Types

type Plugin

type Plugin struct{}

Plugin implements Istio RBAC authz

func (Plugin) OnInboundCluster

func (Plugin) OnInboundCluster(in *plugin.InputParams, cluster *xdsapi.Cluster)

OnInboundCluster implements the Plugin interface method.

func (Plugin) OnInboundFilterChains

func (Plugin) OnInboundFilterChains(in *plugin.InputParams) []plugin.FilterChain

OnInboundFilterChains is called whenever a plugin needs to set up the filter chains, including relevant filter chain configuration.

func (Plugin) OnInboundListener

func (Plugin) OnInboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error

OnInboundListener is called whenever a new listener is added to the LDS output for a given service. Can be used to add additional filters (e.g., mixer filter) or add more stuff to the HTTP connection manager on the inbound path.

func (Plugin) OnInboundRouteConfiguration

func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)

OnInboundRouteConfiguration implements the Plugin interface method.

func (Plugin) OnOutboundCluster

func (Plugin) OnOutboundCluster(in *plugin.InputParams, cluster *xdsapi.Cluster)

OnOutboundCluster implements the Plugin interface method.

func (Plugin) OnOutboundListener

func (Plugin) OnOutboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error

OnOutboundListener is called whenever a new outbound listener is added to the LDS output for a given service. Can be used to add additional filters on the outbound path.

func (Plugin) OnOutboundRouteConfiguration

func (Plugin) OnOutboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)

OnOutboundRouteConfiguration implements the Plugin interface method.
