Overview ¶
Code generated by protoc-gen-deepcopy. DO NOT EDIT.
Code generated by protoc-gen-jsonshim. DO NOT EDIT.
Code generated by protoc-gen-deepcopy. DO NOT EDIT.
Code generated by protoc-gen-jsonshim. DO NOT EDIT.
Code generated by protoc-gen-deepcopy. DO NOT EDIT.
Code generated by protoc-gen-jsonshim. DO NOT EDIT.
Index ¶
- Variables
- type AuthorizationPolicy
- func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy
- func (in *AuthorizationPolicy) DeepCopyInterface() interface{}
- func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy)
- func (*AuthorizationPolicy) Descriptor() ([]byte, []int)deprecated
- func (x *AuthorizationPolicy) GetAction() AuthorizationPolicy_Action
- func (m *AuthorizationPolicy) GetActionDetail() isAuthorizationPolicy_ActionDetail
- func (x *AuthorizationPolicy) GetProvider() *AuthorizationPolicy_ExtensionProvider
- func (x *AuthorizationPolicy) GetRules() []*Rule
- func (x *AuthorizationPolicy) GetSelector() *v1beta1.WorkloadSelector
- func (x *AuthorizationPolicy) GetTargetRef() *v1beta1.PolicyTargetReference
- func (x *AuthorizationPolicy) GetTargetRefs() []*v1beta1.PolicyTargetReference
- func (this *AuthorizationPolicy) MarshalJSON() ([]byte, error)
- func (*AuthorizationPolicy) ProtoMessage()
- func (x *AuthorizationPolicy) ProtoReflect() protoreflect.Message
- func (x *AuthorizationPolicy) Reset()
- func (x *AuthorizationPolicy) String() string
- func (this *AuthorizationPolicy) UnmarshalJSON(b []byte) error
- type AuthorizationPolicy_Action
- func (AuthorizationPolicy_Action) Descriptor() protoreflect.EnumDescriptor
- func (x AuthorizationPolicy_Action) Enum() *AuthorizationPolicy_Action
- func (AuthorizationPolicy_Action) EnumDescriptor() ([]byte, []int)deprecated
- func (x AuthorizationPolicy_Action) Number() protoreflect.EnumNumber
- func (x AuthorizationPolicy_Action) String() string
- func (AuthorizationPolicy_Action) Type() protoreflect.EnumType
- type AuthorizationPolicy_ExtensionProvider
- func (in *AuthorizationPolicy_ExtensionProvider) DeepCopy() *AuthorizationPolicy_ExtensionProvider
- func (in *AuthorizationPolicy_ExtensionProvider) DeepCopyInterface() interface{}
- func (in *AuthorizationPolicy_ExtensionProvider) DeepCopyInto(out *AuthorizationPolicy_ExtensionProvider)
- func (*AuthorizationPolicy_ExtensionProvider) Descriptor() ([]byte, []int)deprecated
- func (x *AuthorizationPolicy_ExtensionProvider) GetName() string
- func (this *AuthorizationPolicy_ExtensionProvider) MarshalJSON() ([]byte, error)
- func (*AuthorizationPolicy_ExtensionProvider) ProtoMessage()
- func (x *AuthorizationPolicy_ExtensionProvider) ProtoReflect() protoreflect.Message
- func (x *AuthorizationPolicy_ExtensionProvider) Reset()
- func (x *AuthorizationPolicy_ExtensionProvider) String() string
- func (this *AuthorizationPolicy_ExtensionProvider) UnmarshalJSON(b []byte) error
- type AuthorizationPolicy_Provider
- type ClaimToHeader
- func (in *ClaimToHeader) DeepCopy() *ClaimToHeader
- func (in *ClaimToHeader) DeepCopyInterface() interface{}
- func (in *ClaimToHeader) DeepCopyInto(out *ClaimToHeader)
- func (*ClaimToHeader) Descriptor() ([]byte, []int)deprecated
- func (x *ClaimToHeader) GetClaim() string
- func (x *ClaimToHeader) GetHeader() string
- func (this *ClaimToHeader) MarshalJSON() ([]byte, error)
- func (*ClaimToHeader) ProtoMessage()
- func (x *ClaimToHeader) ProtoReflect() protoreflect.Message
- func (x *ClaimToHeader) Reset()
- func (x *ClaimToHeader) String() string
- func (this *ClaimToHeader) UnmarshalJSON(b []byte) error
- type Condition
- func (in *Condition) DeepCopy() *Condition
- func (in *Condition) DeepCopyInterface() interface{}
- func (in *Condition) DeepCopyInto(out *Condition)
- func (*Condition) Descriptor() ([]byte, []int)deprecated
- func (x *Condition) GetKey() string
- func (x *Condition) GetNotValues() []string
- func (x *Condition) GetValues() []string
- func (this *Condition) MarshalJSON() ([]byte, error)
- func (*Condition) ProtoMessage()
- func (x *Condition) ProtoReflect() protoreflect.Message
- func (x *Condition) Reset()
- func (x *Condition) String() string
- func (this *Condition) UnmarshalJSON(b []byte) error
- type JWTHeader
- func (in *JWTHeader) DeepCopy() *JWTHeader
- func (in *JWTHeader) DeepCopyInterface() interface{}
- func (in *JWTHeader) DeepCopyInto(out *JWTHeader)
- func (*JWTHeader) Descriptor() ([]byte, []int)deprecated
- func (x *JWTHeader) GetName() string
- func (x *JWTHeader) GetPrefix() string
- func (this *JWTHeader) MarshalJSON() ([]byte, error)
- func (*JWTHeader) ProtoMessage()
- func (x *JWTHeader) ProtoReflect() protoreflect.Message
- func (x *JWTHeader) Reset()
- func (x *JWTHeader) String() string
- func (this *JWTHeader) UnmarshalJSON(b []byte) error
- type JWTRule
- func (in *JWTRule) DeepCopy() *JWTRule
- func (in *JWTRule) DeepCopyInterface() interface{}
- func (in *JWTRule) DeepCopyInto(out *JWTRule)
- func (*JWTRule) Descriptor() ([]byte, []int)deprecated
- func (x *JWTRule) GetAudiences() []string
- func (x *JWTRule) GetForwardOriginalToken() bool
- func (x *JWTRule) GetFromCookies() []string
- func (x *JWTRule) GetFromHeaders() []*JWTHeader
- func (x *JWTRule) GetFromParams() []string
- func (x *JWTRule) GetIssuer() string
- func (x *JWTRule) GetJwks() string
- func (x *JWTRule) GetJwksUri() string
- func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader
- func (x *JWTRule) GetOutputPayloadToHeader() string
- func (x *JWTRule) GetTimeout() *duration.Duration
- func (this *JWTRule) MarshalJSON() ([]byte, error)
- func (*JWTRule) ProtoMessage()
- func (x *JWTRule) ProtoReflect() protoreflect.Message
- func (x *JWTRule) Reset()
- func (x *JWTRule) String() string
- func (this *JWTRule) UnmarshalJSON(b []byte) error
- type Operation
- func (in *Operation) DeepCopy() *Operation
- func (in *Operation) DeepCopyInterface() interface{}
- func (in *Operation) DeepCopyInto(out *Operation)
- func (*Operation) Descriptor() ([]byte, []int)deprecated
- func (x *Operation) GetHosts() []string
- func (x *Operation) GetMethods() []string
- func (x *Operation) GetNotHosts() []string
- func (x *Operation) GetNotMethods() []string
- func (x *Operation) GetNotPaths() []string
- func (x *Operation) GetNotPorts() []string
- func (x *Operation) GetPaths() []string
- func (x *Operation) GetPorts() []string
- func (this *Operation) MarshalJSON() ([]byte, error)
- func (*Operation) ProtoMessage()
- func (x *Operation) ProtoReflect() protoreflect.Message
- func (x *Operation) Reset()
- func (x *Operation) String() string
- func (this *Operation) UnmarshalJSON(b []byte) error
- type PeerAuthentication
- func (in *PeerAuthentication) DeepCopy() *PeerAuthentication
- func (in *PeerAuthentication) DeepCopyInterface() interface{}
- func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication)
- func (*PeerAuthentication) Descriptor() ([]byte, []int)deprecated
- func (x *PeerAuthentication) GetMtls() *PeerAuthentication_MutualTLS
- func (x *PeerAuthentication) GetPortLevelMtls() map[uint32]*PeerAuthentication_MutualTLS
- func (x *PeerAuthentication) GetSelector() *v1beta1.WorkloadSelector
- func (this *PeerAuthentication) MarshalJSON() ([]byte, error)
- func (*PeerAuthentication) ProtoMessage()
- func (x *PeerAuthentication) ProtoReflect() protoreflect.Message
- func (x *PeerAuthentication) Reset()
- func (x *PeerAuthentication) String() string
- func (this *PeerAuthentication) UnmarshalJSON(b []byte) error
- type PeerAuthentication_MutualTLS
- func (in *PeerAuthentication_MutualTLS) DeepCopy() *PeerAuthentication_MutualTLS
- func (in *PeerAuthentication_MutualTLS) DeepCopyInterface() interface{}
- func (in *PeerAuthentication_MutualTLS) DeepCopyInto(out *PeerAuthentication_MutualTLS)
- func (*PeerAuthentication_MutualTLS) Descriptor() ([]byte, []int)deprecated
- func (x *PeerAuthentication_MutualTLS) GetMode() PeerAuthentication_MutualTLS_Mode
- func (this *PeerAuthentication_MutualTLS) MarshalJSON() ([]byte, error)
- func (*PeerAuthentication_MutualTLS) ProtoMessage()
- func (x *PeerAuthentication_MutualTLS) ProtoReflect() protoreflect.Message
- func (x *PeerAuthentication_MutualTLS) Reset()
- func (x *PeerAuthentication_MutualTLS) String() string
- func (this *PeerAuthentication_MutualTLS) UnmarshalJSON(b []byte) error
- type PeerAuthentication_MutualTLS_Mode
- func (PeerAuthentication_MutualTLS_Mode) Descriptor() protoreflect.EnumDescriptor
- func (x PeerAuthentication_MutualTLS_Mode) Enum() *PeerAuthentication_MutualTLS_Mode
- func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int)deprecated
- func (x PeerAuthentication_MutualTLS_Mode) Number() protoreflect.EnumNumber
- func (x PeerAuthentication_MutualTLS_Mode) String() string
- func (PeerAuthentication_MutualTLS_Mode) Type() protoreflect.EnumType
- type RequestAuthentication
- func (in *RequestAuthentication) DeepCopy() *RequestAuthentication
- func (in *RequestAuthentication) DeepCopyInterface() interface{}
- func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication)
- func (*RequestAuthentication) Descriptor() ([]byte, []int)deprecated
- func (x *RequestAuthentication) GetJwtRules() []*JWTRule
- func (x *RequestAuthentication) GetSelector() *v1beta1.WorkloadSelector
- func (x *RequestAuthentication) GetTargetRef() *v1beta1.PolicyTargetReference
- func (x *RequestAuthentication) GetTargetRefs() []*v1beta1.PolicyTargetReference
- func (this *RequestAuthentication) MarshalJSON() ([]byte, error)
- func (*RequestAuthentication) ProtoMessage()
- func (x *RequestAuthentication) ProtoReflect() protoreflect.Message
- func (x *RequestAuthentication) Reset()
- func (x *RequestAuthentication) String() string
- func (this *RequestAuthentication) UnmarshalJSON(b []byte) error
- type Rule
- func (in *Rule) DeepCopy() *Rule
- func (in *Rule) DeepCopyInterface() interface{}
- func (in *Rule) DeepCopyInto(out *Rule)
- func (*Rule) Descriptor() ([]byte, []int)deprecated
- func (x *Rule) GetFrom() []*Rule_From
- func (x *Rule) GetTo() []*Rule_To
- func (x *Rule) GetWhen() []*Condition
- func (this *Rule) MarshalJSON() ([]byte, error)
- func (*Rule) ProtoMessage()
- func (x *Rule) ProtoReflect() protoreflect.Message
- func (x *Rule) Reset()
- func (x *Rule) String() string
- func (this *Rule) UnmarshalJSON(b []byte) error
- type Rule_From
- func (in *Rule_From) DeepCopy() *Rule_From
- func (in *Rule_From) DeepCopyInterface() interface{}
- func (in *Rule_From) DeepCopyInto(out *Rule_From)
- func (*Rule_From) Descriptor() ([]byte, []int)deprecated
- func (x *Rule_From) GetSource() *Source
- func (this *Rule_From) MarshalJSON() ([]byte, error)
- func (*Rule_From) ProtoMessage()
- func (x *Rule_From) ProtoReflect() protoreflect.Message
- func (x *Rule_From) Reset()
- func (x *Rule_From) String() string
- func (this *Rule_From) UnmarshalJSON(b []byte) error
- type Rule_To
- func (in *Rule_To) DeepCopy() *Rule_To
- func (in *Rule_To) DeepCopyInterface() interface{}
- func (in *Rule_To) DeepCopyInto(out *Rule_To)
- func (*Rule_To) Descriptor() ([]byte, []int)deprecated
- func (x *Rule_To) GetOperation() *Operation
- func (this *Rule_To) MarshalJSON() ([]byte, error)
- func (*Rule_To) ProtoMessage()
- func (x *Rule_To) ProtoReflect() protoreflect.Message
- func (x *Rule_To) Reset()
- func (x *Rule_To) String() string
- func (this *Rule_To) UnmarshalJSON(b []byte) error
- type Source
- func (in *Source) DeepCopy() *Source
- func (in *Source) DeepCopyInterface() interface{}
- func (in *Source) DeepCopyInto(out *Source)
- func (*Source) Descriptor() ([]byte, []int)deprecated
- func (x *Source) GetIpBlocks() []string
- func (x *Source) GetNamespaces() []string
- func (x *Source) GetNotIpBlocks() []string
- func (x *Source) GetNotNamespaces() []string
- func (x *Source) GetNotPrincipals() []string
- func (x *Source) GetNotRemoteIpBlocks() []string
- func (x *Source) GetNotRequestPrincipals() []string
- func (x *Source) GetPrincipals() []string
- func (x *Source) GetRemoteIpBlocks() []string
- func (x *Source) GetRequestPrincipals() []string
- func (this *Source) MarshalJSON() ([]byte, error)
- func (*Source) ProtoMessage()
- func (x *Source) ProtoReflect() protoreflect.Message
- func (x *Source) Reset()
- func (x *Source) String() string
- func (this *Source) UnmarshalJSON(b []byte) error
Constants ¶
This section is empty.
Variables ¶
var ( AuthorizationPolicy_Action_name = map[int32]string{ 0: "ALLOW", 1: "DENY", 2: "AUDIT", 3: "CUSTOM", } AuthorizationPolicy_Action_value = map[string]int32{ "ALLOW": 0, "DENY": 1, "AUDIT": 2, "CUSTOM": 3, } )
Enum value maps for AuthorizationPolicy_Action.
var ( AuthorizationPolicyMarshaler = &jsonpb.Marshaler{} AuthorizationPolicyUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} )
var ( PeerAuthentication_MutualTLS_Mode_name = map[int32]string{ 0: "UNSET", 1: "DISABLE", 2: "PERMISSIVE", 3: "STRICT", } PeerAuthentication_MutualTLS_Mode_value = map[string]int32{ "UNSET": 0, "DISABLE": 1, "PERMISSIVE": 2, "STRICT": 3, } )
Enum value maps for PeerAuthentication_MutualTLS_Mode.
var ( PeerAuthenticationMarshaler = &jsonpb.Marshaler{} PeerAuthenticationUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} )
var ( RequestAuthenticationMarshaler = &jsonpb.Marshaler{} RequestAuthenticationUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} )
var File_security_v1beta1_peer_authentication_proto protoreflect.FileDescriptor
var File_security_v1beta1_request_authentication_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type AuthorizationPolicy ¶
type AuthorizationPolicy struct { // Optional. The selector decides where to apply the authorization policy. The selector will match with workloads // in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector // will additionally match with workloads in all namespaces. // // If the selector and the targetRef are not set, the selector will match all workloads. // // At most one of `selector` or `targetRefs` can be set for a given policy. Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // $hide_from_docs TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"` // Optional. The targetRefs specifies a list of resources the policy should be // applied to. The targeted resources specified will determine which workloads // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. // // NOTE: If you are using the `targetRefs` field in a multi-revision environment with Istio versions prior to 1.22, // it is highly recommended that you pin the policy to a revision running 1.22+ via the `istio.io/rev` label. // This is to prevent proxies connected to older control planes (that don't know about the `targetRefs` field) // from misinterpreting the policy as namespace-wide during the upgrade process. // // NOTE: Waypoint proxies are required to use this field for policies to apply; `selector` policies will be ignored. TargetRefs []*v1beta1.PolicyTargetReference `protobuf:"bytes,6,rep,name=targetRefs,proto3" json:"targetRefs,omitempty"` // Optional. 
A list of rules to match the request. A match occurs when at least one rule matches the request. // // If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if // the action is ALLOW. Rules []*Rule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"` // Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified. Action AuthorizationPolicy_Action `protobuf:"varint,3,opt,name=action,proto3,enum=istio.security.v1beta1.AuthorizationPolicy_Action" json:"action,omitempty"` // Types that are assignable to ActionDetail: // // *AuthorizationPolicy_Provider ActionDetail isAuthorizationPolicy_ActionDetail `protobuf_oneof:"action_detail"` // contains filtered or unexported fields }
AuthorizationPolicy enables access control on workloads.
<!-- crd generation tags +cue-gen:AuthorizationPolicy:groupName:security.istio.io +cue-gen:AuthorizationPolicy:versions:v1beta1,v1 +cue-gen:AuthorizationPolicy:storageVersion +cue-gen:AuthorizationPolicy:annotations:helm.sh/resource-policy=keep +cue-gen:AuthorizationPolicy:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:AuthorizationPolicy:subresource:status +cue-gen:AuthorizationPolicy:scope:Namespaced +cue-gen:AuthorizationPolicy:resource:categories=istio-io,security-istio-io,shortNames=ap,plural=authorizationpolicies +cue-gen:AuthorizationPolicy:preserveUnknownFields:false +cue-gen:AuthorizationPolicy:printerColumn:name=Action,type=string,JSONPath=.spec.action,description="The operation to take." +cue-gen:AuthorizationPolicy:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->
func (*AuthorizationPolicy) DeepCopy ¶
func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy. Required by controller-gen.
func (*AuthorizationPolicy) DeepCopyInterface ¶
func (in *AuthorizationPolicy) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy. Required by controller-gen.
func (*AuthorizationPolicy) DeepCopyInto ¶
func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy)
DeepCopyInto supports using AuthorizationPolicy within kubernetes types, where deepcopy-gen is used.
func (*AuthorizationPolicy) Descriptor
deprecated
func (*AuthorizationPolicy) Descriptor() ([]byte, []int)
Deprecated: Use AuthorizationPolicy.ProtoReflect.Descriptor instead.
func (*AuthorizationPolicy) GetAction ¶
func (x *AuthorizationPolicy) GetAction() AuthorizationPolicy_Action
func (*AuthorizationPolicy) GetActionDetail ¶
func (m *AuthorizationPolicy) GetActionDetail() isAuthorizationPolicy_ActionDetail
func (*AuthorizationPolicy) GetProvider ¶
func (x *AuthorizationPolicy) GetProvider() *AuthorizationPolicy_ExtensionProvider
func (*AuthorizationPolicy) GetRules ¶
func (x *AuthorizationPolicy) GetRules() []*Rule
func (*AuthorizationPolicy) GetSelector ¶
func (x *AuthorizationPolicy) GetSelector() *v1beta1.WorkloadSelector
func (*AuthorizationPolicy) GetTargetRef ¶ added in v1.20.0
func (x *AuthorizationPolicy) GetTargetRef() *v1beta1.PolicyTargetReference
func (*AuthorizationPolicy) GetTargetRefs ¶ added in v1.22.0
func (x *AuthorizationPolicy) GetTargetRefs() []*v1beta1.PolicyTargetReference
func (*AuthorizationPolicy) MarshalJSON ¶
func (this *AuthorizationPolicy) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for AuthorizationPolicy
func (*AuthorizationPolicy) ProtoMessage ¶
func (*AuthorizationPolicy) ProtoMessage()
func (*AuthorizationPolicy) ProtoReflect ¶
func (x *AuthorizationPolicy) ProtoReflect() protoreflect.Message
func (*AuthorizationPolicy) Reset ¶
func (x *AuthorizationPolicy) Reset()
func (*AuthorizationPolicy) String ¶
func (x *AuthorizationPolicy) String() string
func (*AuthorizationPolicy) UnmarshalJSON ¶
func (this *AuthorizationPolicy) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for AuthorizationPolicy
type AuthorizationPolicy_Action ¶
type AuthorizationPolicy_Action int32
Action specifies the operation to take.
const ( // Allow a request only if it matches the rules. This is the default type. AuthorizationPolicy_ALLOW AuthorizationPolicy_Action = 0 // Deny a request if it matches any of the rules. AuthorizationPolicy_DENY AuthorizationPolicy_Action = 1 // Audit a request if it matches any of the rules. AuthorizationPolicy_AUDIT AuthorizationPolicy_Action = 2 // The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. // The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, a request // is allowed if and only if all the actions return allow; in other words, the extension cannot bypass the // authorization decision made by the ALLOW and DENY actions. // Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to // the extension by specifying the name of the provider. // One example use case of the extension is to integrate with a custom external authorization system to delegate // the authorization decision to it. // // The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension // `my-custom-authz` if the request path has prefix `/admin/`. // // ```yaml // apiVersion: security.istio.io/v1 // kind: AuthorizationPolicy // metadata: // // name: ext-authz // namespace: istio-system // // spec: // // selector: // matchLabels: // app: istio-ingressgateway // action: CUSTOM // provider: // name: "my-custom-authz" // rules: // - to: // - operation: // paths: ["/admin/*"] // // ``` AuthorizationPolicy_CUSTOM AuthorizationPolicy_Action = 3 )
func (AuthorizationPolicy_Action) Descriptor ¶
func (AuthorizationPolicy_Action) Descriptor() protoreflect.EnumDescriptor
func (AuthorizationPolicy_Action) Enum ¶
func (x AuthorizationPolicy_Action) Enum() *AuthorizationPolicy_Action
func (AuthorizationPolicy_Action) EnumDescriptor
deprecated
func (AuthorizationPolicy_Action) EnumDescriptor() ([]byte, []int)
Deprecated: Use AuthorizationPolicy_Action.Descriptor instead.
func (AuthorizationPolicy_Action) Number ¶
func (x AuthorizationPolicy_Action) Number() protoreflect.EnumNumber
func (AuthorizationPolicy_Action) String ¶
func (x AuthorizationPolicy_Action) String() string
func (AuthorizationPolicy_Action) Type ¶
func (AuthorizationPolicy_Action) Type() protoreflect.EnumType
type AuthorizationPolicy_ExtensionProvider ¶
type AuthorizationPolicy_ExtensionProvider struct { // Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. // Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension providers. Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` // contains filtered or unexported fields }
func (*AuthorizationPolicy_ExtensionProvider) DeepCopy ¶
func (in *AuthorizationPolicy_ExtensionProvider) DeepCopy() *AuthorizationPolicy_ExtensionProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy_ExtensionProvider. Required by controller-gen.
func (*AuthorizationPolicy_ExtensionProvider) DeepCopyInterface ¶
func (in *AuthorizationPolicy_ExtensionProvider) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy_ExtensionProvider. Required by controller-gen.
func (*AuthorizationPolicy_ExtensionProvider) DeepCopyInto ¶
func (in *AuthorizationPolicy_ExtensionProvider) DeepCopyInto(out *AuthorizationPolicy_ExtensionProvider)
DeepCopyInto supports using AuthorizationPolicy_ExtensionProvider within kubernetes types, where deepcopy-gen is used.
func (*AuthorizationPolicy_ExtensionProvider) Descriptor
deprecated
func (*AuthorizationPolicy_ExtensionProvider) Descriptor() ([]byte, []int)
Deprecated: Use AuthorizationPolicy_ExtensionProvider.ProtoReflect.Descriptor instead.
func (*AuthorizationPolicy_ExtensionProvider) GetName ¶
func (x *AuthorizationPolicy_ExtensionProvider) GetName() string
func (*AuthorizationPolicy_ExtensionProvider) MarshalJSON ¶
func (this *AuthorizationPolicy_ExtensionProvider) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for AuthorizationPolicy_ExtensionProvider
func (*AuthorizationPolicy_ExtensionProvider) ProtoMessage ¶
func (*AuthorizationPolicy_ExtensionProvider) ProtoMessage()
func (*AuthorizationPolicy_ExtensionProvider) ProtoReflect ¶
func (x *AuthorizationPolicy_ExtensionProvider) ProtoReflect() protoreflect.Message
func (*AuthorizationPolicy_ExtensionProvider) Reset ¶
func (x *AuthorizationPolicy_ExtensionProvider) Reset()
func (*AuthorizationPolicy_ExtensionProvider) String ¶
func (x *AuthorizationPolicy_ExtensionProvider) String() string
func (*AuthorizationPolicy_ExtensionProvider) UnmarshalJSON ¶
func (this *AuthorizationPolicy_ExtensionProvider) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for AuthorizationPolicy_ExtensionProvider
type AuthorizationPolicy_Provider ¶
type AuthorizationPolicy_Provider struct { // Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action. Provider *AuthorizationPolicy_ExtensionProvider `protobuf:"bytes,4,opt,name=provider,proto3,oneof"` }
type ClaimToHeader ¶
type ClaimToHeader struct { // The name of the header to be created. The header will be overridden if it already exists in the request. // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:Pattern=^[-_A-Za-z0-9]+$ Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` // The name of the claim to be copied from. Only claims of type string/int/bool are supported. // The header will not be set if the claim does not exist or the type of the claim is not supported. // +kubebuilder:validation:MinLength=1 Claim string `protobuf:"bytes,2,opt,name=claim,proto3" json:"claim,omitempty"` // contains filtered or unexported fields }
This message specifies the detail for copying claim to header.
func (*ClaimToHeader) DeepCopy ¶
func (in *ClaimToHeader) DeepCopy() *ClaimToHeader
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimToHeader. Required by controller-gen.
func (*ClaimToHeader) DeepCopyInterface ¶
func (in *ClaimToHeader) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ClaimToHeader. Required by controller-gen.
func (*ClaimToHeader) DeepCopyInto ¶
func (in *ClaimToHeader) DeepCopyInto(out *ClaimToHeader)
DeepCopyInto supports using ClaimToHeader within kubernetes types, where deepcopy-gen is used.
func (*ClaimToHeader) Descriptor
deprecated
func (*ClaimToHeader) Descriptor() ([]byte, []int)
Deprecated: Use ClaimToHeader.ProtoReflect.Descriptor instead.
func (*ClaimToHeader) GetClaim ¶
func (x *ClaimToHeader) GetClaim() string
func (*ClaimToHeader) GetHeader ¶
func (x *ClaimToHeader) GetHeader() string
func (*ClaimToHeader) MarshalJSON ¶
func (this *ClaimToHeader) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for ClaimToHeader
func (*ClaimToHeader) ProtoMessage ¶
func (*ClaimToHeader) ProtoMessage()
func (*ClaimToHeader) ProtoReflect ¶
func (x *ClaimToHeader) ProtoReflect() protoreflect.Message
func (*ClaimToHeader) Reset ¶
func (x *ClaimToHeader) Reset()
func (*ClaimToHeader) String ¶
func (x *ClaimToHeader) String() string
func (*ClaimToHeader) UnmarshalJSON ¶
func (this *ClaimToHeader) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for ClaimToHeader
type Condition ¶
type Condition struct { // The name of an Istio attribute. // See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/). Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` // Optional. A list of allowed values for the attribute. // Note: at least one of `values` or `notValues` must be set. Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"` // Optional. A list of negative match of values for the attribute. // Note: at least one of `values` or `notValues` must be set. NotValues []string `protobuf:"bytes,3,rep,name=not_values,json=notValues,proto3" json:"not_values,omitempty"` // contains filtered or unexported fields }
Condition specifies additional required attributes.
func (*Condition) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. Required by controller-gen.
func (*Condition) DeepCopyInterface ¶
func (in *Condition) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Condition. Required by controller-gen.
func (*Condition) DeepCopyInto ¶
DeepCopyInto supports using Condition within kubernetes types, where deepcopy-gen is used.
func (*Condition) Descriptor
deprecated
func (*Condition) GetNotValues ¶
func (*Condition) MarshalJSON ¶
MarshalJSON is a custom marshaler for Condition
func (*Condition) ProtoMessage ¶
func (*Condition) ProtoMessage()
func (*Condition) ProtoReflect ¶
func (x *Condition) ProtoReflect() protoreflect.Message
func (*Condition) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Condition
type JWTHeader ¶
type JWTHeader struct { // The HTTP header name. // +kubebuilder:validation:MinLength=1 Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` // The prefix that should be stripped before decoding the token. // For example, for `Authorization: Bearer <token>`, prefix=`Bearer` with a space at the end. // If the header doesn't have this exact prefix, it is considered invalid. Prefix string `protobuf:"bytes,2,opt,name=prefix,proto3" json:"prefix,omitempty"` // contains filtered or unexported fields }
This message specifies a header location from which to extract the JWT token.
func (*JWTHeader) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTHeader. Required by controller-gen.
func (*JWTHeader) DeepCopyInterface ¶
func (in *JWTHeader) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new JWTHeader. Required by controller-gen.
func (*JWTHeader) DeepCopyInto ¶
DeepCopyInto supports using JWTHeader within kubernetes types, where deepcopy-gen is used.
func (*JWTHeader) Descriptor
deprecated
func (*JWTHeader) MarshalJSON ¶
MarshalJSON is a custom marshaler for JWTHeader
func (*JWTHeader) ProtoMessage ¶
func (*JWTHeader) ProtoMessage()
func (*JWTHeader) ProtoReflect ¶
func (x *JWTHeader) ProtoReflect() protoreflect.Message
func (*JWTHeader) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for JWTHeader
type JWTRule ¶
type JWTRule struct { // Identifies the issuer that issued the JWT. See // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) // A JWT with a different `iss` claim will be rejected. // // Example: `https://foobar.auth0.com` // Example: `1234567-compute@developer.gserviceaccount.com` // +kubebuilder:validation:MinLength=1 Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"` // The list of JWT // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) // that are allowed to access. A JWT containing any of these // audiences will be accepted. // // The service name will be accepted if audiences is empty. // // Example: // // ```yaml // audiences: // - bookstore_android.apps.example.com // bookstore_web.apps.example.com // // ``` // +kubebuilder:list-value-validation:MinLength=1 Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"` // URL of the provider's public key set to validate signature of the // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). // // Optional if the key set document can either (a) be retrieved from // [OpenID // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of // the issuer or (b) inferred from the email domain of the issuer (e.g. a // Google service account). // // Example: `https://www.googleapis.com/oauth2/v1/certs` // // Note: Only one of `jwksUri` and `jwks` should be used. // +kubebuilder:altName=jwks_uri // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=2048 // +kubebuilder:validation:XValidation:message="url must have scheme http:// or https://",rule="url(self).getScheme() in ['http', 'https']" JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"` // JSON Web Key Set of public keys to validate signature of the JWT. // See https://auth0.com/docs/jwks. 
// // Note: Only one of `jwksUri` and `jwks` should be used. Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"` // List of header locations from which JWT is expected. For example, below is the location spec // if JWT is expected to be found in `x-jwt-assertion` header, and have `Bearer` prefix: // // “`yaml // // fromHeaders: // - name: x-jwt-assertion // prefix: "Bearer " // // “` // // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of // such requests is undefined. FromHeaders []*JWTHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"` // List of query parameters from which JWT is expected. For example, if JWT is provided via query // parameter `my_token` (e.g `/path?my_token=<JWT>`), the config is: // // “`yaml // // fromParams: // - "my_token" // // “` // // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of // such requests is undefined. // +kubebuilder:list-value-validation:MinLength=1 FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"` // This field specifies the header name to output a successfully verified JWT payload to the // backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, // the payload will not be emitted. OutputPayloadToHeader string `` /* 128-byte string literal not displayed */ // List of cookie names from which JWT is expected. // // For example, if config is: // // “` yaml // // from_cookies: // - auth-token // // “` // Then JWT will be extracted from “auth-token“ cookie in the request. // // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of // such requests is undefined. 
// +kubebuilder:list-value-validation:MinLength=1 FromCookies []string `protobuf:"bytes,12,rep,name=from_cookies,json=fromCookies,proto3" json:"from_cookies,omitempty"` // If set to true, the original token will be kept for the upstream request. Default is false. ForwardOriginalToken bool `protobuf:"varint,9,opt,name=forward_original_token,json=forwardOriginalToken,proto3" json:"forward_original_token,omitempty"` // This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. // This differs from the `output_payload_to_header` by allowing outputting individual claims instead of the whole payload. // The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well. // “` // // outputClaimToHeaders: // - header: x-my-company-jwt-group // claim: my-group // - header: x-test-environment-flag // claim: test-flag // - header: x-jwt-claim-group // claim: nested.key.group // // “` // [Experimental] This feature is a experimental feature. OutputClaimToHeaders []*ClaimToHeader `` // [TODO:Update the status whenever this feature is promoted.] /* 126-byte string literal not displayed */ // The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, // will spend waiting for the JWKS to be fetched. Default is 5s. Timeout *duration.Duration `protobuf:"bytes,13,opt,name=timeout,proto3" json:"timeout,omitempty"` // contains filtered or unexported fields }
JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.
Examples:
Spec for a JWT that is issued by `https://example.com`, whose audience claim must be either `bookstore_android.apps.example.com` or `bookstore_web.apps.example.com`. The token should be presented in the `Authorization` header (default). The JSON Web Key Set (JWKS) will be discovered following the OpenID Connect protocol.
```yaml
issuer: https://example.com
audiences:
- bookstore_android.apps.example.com
  bookstore_web.apps.example.com
```
This example specifies a token in a non-default location (`x-goog-iap-jwt-assertion` header). It also defines the URI to fetch JWKS explicitly.
```yaml
issuer: https://example.com
jwksUri: https://example.com/.secret/jwks.json
fromHeaders:
- "x-goog-iap-jwt-assertion"
```
+kubebuilder:validation:XValidation:message="only one of jwks or jwksUri can be set",rule="(has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1"
func (*JWTRule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRule. Required by controller-gen.
func (*JWTRule) DeepCopyInterface ¶
func (in *JWTRule) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new JWTRule. Required by controller-gen.
func (*JWTRule) DeepCopyInto ¶
DeepCopyInto supports using JWTRule within kubernetes types, where deepcopy-gen is used.
func (*JWTRule) Descriptor
deprecated
func (*JWTRule) GetAudiences ¶
func (*JWTRule) GetForwardOriginalToken ¶
func (*JWTRule) GetFromCookies ¶ added in v1.21.0
func (*JWTRule) GetFromHeaders ¶
func (*JWTRule) GetFromParams ¶
func (*JWTRule) GetJwksUri ¶
func (*JWTRule) GetOutputClaimToHeaders ¶
func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader
func (*JWTRule) GetOutputPayloadToHeader ¶
func (*JWTRule) GetTimeout ¶ added in v1.22.0
func (*JWTRule) MarshalJSON ¶
MarshalJSON is a custom marshaler for JWTRule
func (*JWTRule) ProtoMessage ¶
func (*JWTRule) ProtoMessage()
func (*JWTRule) ProtoReflect ¶
func (x *JWTRule) ProtoReflect() protoreflect.Message
func (*JWTRule) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for JWTRule
type Operation ¶
// Operation specifies the operations of a request. Fields in the operation are
// ANDed together; a request must satisfy every field that is set.
type Operation struct {
	// Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive.
	// See the [security best practices](https://istio.io/latest/docs/ops/best-practices/security/#writing-host-match-policies) for
	// recommended usage of this field.
	//
	// If not set, any host is allowed. Must be used only with HTTP.
	Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"`
	// Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.
	NotHosts []string `protobuf:"bytes,5,rep,name=not_hosts,json=notHosts,proto3" json:"not_hosts,omitempty"`
	// Optional. A list of ports as specified in the connection.
	//
	// If not set, any port is allowed.
	Ports []string `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"`
	// Optional. A list of negative match of ports as specified in the connection.
	NotPorts []string `protobuf:"bytes,6,rep,name=not_ports,json=notPorts,proto3" json:"not_ports,omitempty"`
	// Optional. A list of methods as specified in the HTTP request.
	// For gRPC service, this will always be `POST`.
	//
	// If not set, any method is allowed. Must be used only with HTTP.
	Methods []string `protobuf:"bytes,3,rep,name=methods,proto3" json:"methods,omitempty"`
	// Optional. A list of negative match of methods as specified in the HTTP request.
	NotMethods []string `protobuf:"bytes,7,rep,name=not_methods,json=notMethods,proto3" json:"not_methods,omitempty"`
	// Optional. A list of paths as specified in the HTTP request. See the [Authorization Policy Normalization](https://istio.io/latest/docs/reference/config/security/normalization/)
	// for details of the path normalization.
	// For gRPC service, this will be the fully-qualified name in the form of `/package.service/method`.
	//
	// If a path in the list contains the `{*}` or `{**}` path template operator, it will be interpreted as an [Envoy Uri Template](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/path/match/uri_template/v3/uri_template_match.proto).
	// To be a valid path template, the path must not contain `*`, `{`, or `}` outside of a supported operator. No other characters are allowed in the path segment with the path template operator.
	// - `{*}` matches a single glob that cannot extend beyond a path segment.
	// - `{**}` matches zero or more globs. If a path contains `{**}`, it must be the last operator.
	//
	// Examples:
	// - `/foo/{*}` matches `/foo/bar` but not `/foo/bar/baz`
	// - `/foo/{**}/` matches `/foo/bar/`, `/foo/bar/baz.txt`, and `/foo//` but not `/foo/bar`
	// - `/foo/{*}/bar/{**}` matches `/foo/buzz/bar/` and `/foo/buzz/bar/baz`
	// - `/*/baz/{*}` is not a valid path template since it includes `*` outside of a supported operator
	// - `/**/baz/{*}` is not a valid path template since it includes `**` outside of a supported operator
	// - `/{**}/foo/{*}` is not a valid path template since `{**}` is not the last operator
	// - `/foo/{*}.txt` is invalid since there are characters other than `{*}` in the path segment
	//
	// If not set, any path is allowed. Must be used only with HTTP.
	Paths []string `protobuf:"bytes,4,rep,name=paths,proto3" json:"paths,omitempty"`
	// Optional. A list of negative match of paths.
	//
	// NOTE(review): presumably the same path normalization as for `paths` is
	// applied before a negative match is evaluated — confirm against the
	// normalization reference linked above.
	NotPaths []string `protobuf:"bytes,8,rep,name=not_paths,json=notPaths,proto3" json:"not_paths,omitempty"`
	// contains filtered or unexported fields
}
Operation specifies the operations of a request. Fields in the operation are ANDed together.
For example, the following operation matches if the host has suffix `.example.com` and the method is `GET` or `HEAD` and the path doesn't have prefix `/admin`.
```yaml
hosts: ["*.example.com"]
methods: ["GET", "HEAD"]
notPaths: ["/admin*"]
```
func (*Operation) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Operation. Required by controller-gen.
func (*Operation) DeepCopyInterface ¶
func (in *Operation) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Operation. Required by controller-gen.
func (*Operation) DeepCopyInto ¶
DeepCopyInto supports using Operation within kubernetes types, where deepcopy-gen is used.
func (*Operation) Descriptor
deprecated
func (*Operation) GetMethods ¶
func (*Operation) GetNotHosts ¶
func (*Operation) GetNotMethods ¶
func (*Operation) GetNotPaths ¶
func (*Operation) GetNotPorts ¶
func (*Operation) MarshalJSON ¶
MarshalJSON is a custom marshaler for Operation
func (*Operation) ProtoMessage ¶
func (*Operation) ProtoMessage()
func (*Operation) ProtoReflect ¶
func (x *Operation) ProtoReflect() protoreflect.Message
func (*Operation) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Operation
type PeerAuthentication ¶
// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming
// connections to the workloads it selects.
type PeerAuthentication struct {
	// The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the
	// same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespaces.
	//
	// If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied
	// to all workloads in the mesh.
	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
	// Mutual TLS settings for workload. If not defined, inherit from parent.
	Mtls *PeerAuthentication_MutualTLS `protobuf:"bytes,2,opt,name=mtls,proto3" json:"mtls,omitempty"`
	// Port specific mutual TLS settings. These only apply when a workload selector
	// is specified. The port refers to the port of the workload, not the port of the
	// Kubernetes service.
	//
	// A per-port entry takes precedence over Mtls for that port: for example
	// `DISABLE` on port 8080 leaves that port plaintext while the rest of the
	// workload stays `STRICT`.
	// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="self.all(key, 0 < int(key) && int(key) <= 65535)"
	// +kubebuilder:validation:MinProperties=1
	PortLevelMtls map[uint32]*PeerAuthentication_MutualTLS `` /* 191-byte string literal not displayed */
	// contains filtered or unexported fields
}
PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required for connections to an Envoy proxy sidecar.
In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) Because of this, `DISABLE` mode is not supported. `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
Examples:
Policy to require mTLS traffic for all workloads under namespace `foo`:
```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
```
For mesh level, put the policy in the root namespace according to your Istio installation.
Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but require mTLS for workload `finance`.
```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: finance
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
```
Policy that enables strict mTLS for all `finance` workloads, but leaves the port `8080` to plaintext. Note the port value in the `portLevelMtls` field refers to the port of the workload, not the port of the Kubernetes service.
```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: DISABLE
```
Policy that inherits the mTLS mode from namespace (or mesh) settings, and disables mTLS for workload port `8080`.
```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: UNSET
  portLevelMtls:
    8080:
      mode: DISABLE
```
<!-- crd generation tags +cue-gen:PeerAuthentication:groupName:security.istio.io +cue-gen:PeerAuthentication:versions:v1beta1,v1 +cue-gen:PeerAuthentication:storageVersion +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:PeerAuthentication:subresource:status +cue-gen:PeerAuthentication:scope:Namespaced +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa +cue-gen:PeerAuthentication:preserveUnknownFields:false +cue-gen:PeerAuthentication:printerColumn:name=Mode,type=string,JSONPath=.spec.mtls.mode,description="Defines the mTLS mode used for peer authentication." +cue-gen:PeerAuthentication:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true --> +kubebuilder:validation:XValidation:message="portLevelMtls requires selector",rule="(has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls)"
func (*PeerAuthentication) DeepCopy ¶
func (in *PeerAuthentication) DeepCopy() *PeerAuthentication
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication. Required by controller-gen.
func (*PeerAuthentication) DeepCopyInterface ¶
func (in *PeerAuthentication) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication. Required by controller-gen.
func (*PeerAuthentication) DeepCopyInto ¶
func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication)
DeepCopyInto supports using PeerAuthentication within kubernetes types, where deepcopy-gen is used.
func (*PeerAuthentication) Descriptor
deprecated
func (*PeerAuthentication) Descriptor() ([]byte, []int)
Deprecated: Use PeerAuthentication.ProtoReflect.Descriptor instead.
func (*PeerAuthentication) GetMtls ¶
func (x *PeerAuthentication) GetMtls() *PeerAuthentication_MutualTLS
func (*PeerAuthentication) GetPortLevelMtls ¶
func (x *PeerAuthentication) GetPortLevelMtls() map[uint32]*PeerAuthentication_MutualTLS
func (*PeerAuthentication) GetSelector ¶
func (x *PeerAuthentication) GetSelector() *v1beta1.WorkloadSelector
func (*PeerAuthentication) MarshalJSON ¶
func (this *PeerAuthentication) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for PeerAuthentication
func (*PeerAuthentication) ProtoMessage ¶
func (*PeerAuthentication) ProtoMessage()
func (*PeerAuthentication) ProtoReflect ¶
func (x *PeerAuthentication) ProtoReflect() protoreflect.Message
func (*PeerAuthentication) Reset ¶
func (x *PeerAuthentication) Reset()
func (*PeerAuthentication) String ¶
func (x *PeerAuthentication) String() string
func (*PeerAuthentication) UnmarshalJSON ¶
func (this *PeerAuthentication) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for PeerAuthentication
type PeerAuthentication_MutualTLS ¶
// PeerAuthentication_MutualTLS holds the mutual TLS settings for a workload,
// or for a single workload port when used in PeerAuthentication.PortLevelMtls.
type PeerAuthentication_MutualTLS struct {
	// Defines the mTLS mode used for peer authentication.
	Mode PeerAuthentication_MutualTLS_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.security.v1beta1.PeerAuthentication_MutualTLS_Mode" json:"mode,omitempty"`
	// contains filtered or unexported fields
}
Mutual TLS settings.
func (*PeerAuthentication_MutualTLS) DeepCopy ¶
func (in *PeerAuthentication_MutualTLS) DeepCopy() *PeerAuthentication_MutualTLS
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication_MutualTLS. Required by controller-gen.
func (*PeerAuthentication_MutualTLS) DeepCopyInterface ¶
func (in *PeerAuthentication_MutualTLS) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication_MutualTLS. Required by controller-gen.
func (*PeerAuthentication_MutualTLS) DeepCopyInto ¶
func (in *PeerAuthentication_MutualTLS) DeepCopyInto(out *PeerAuthentication_MutualTLS)
DeepCopyInto supports using PeerAuthentication_MutualTLS within kubernetes types, where deepcopy-gen is used.
func (*PeerAuthentication_MutualTLS) Descriptor
deprecated
func (*PeerAuthentication_MutualTLS) Descriptor() ([]byte, []int)
Deprecated: Use PeerAuthentication_MutualTLS.ProtoReflect.Descriptor instead.
func (*PeerAuthentication_MutualTLS) GetMode ¶
func (x *PeerAuthentication_MutualTLS) GetMode() PeerAuthentication_MutualTLS_Mode
func (*PeerAuthentication_MutualTLS) MarshalJSON ¶
func (this *PeerAuthentication_MutualTLS) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for PeerAuthentication_MutualTLS
func (*PeerAuthentication_MutualTLS) ProtoMessage ¶
func (*PeerAuthentication_MutualTLS) ProtoMessage()
func (*PeerAuthentication_MutualTLS) ProtoReflect ¶
func (x *PeerAuthentication_MutualTLS) ProtoReflect() protoreflect.Message
func (*PeerAuthentication_MutualTLS) Reset ¶
func (x *PeerAuthentication_MutualTLS) Reset()
func (*PeerAuthentication_MutualTLS) String ¶
func (x *PeerAuthentication_MutualTLS) String() string
func (*PeerAuthentication_MutualTLS) UnmarshalJSON ¶
func (this *PeerAuthentication_MutualTLS) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for PeerAuthentication_MutualTLS
type PeerAuthentication_MutualTLS_Mode ¶
// PeerAuthentication_MutualTLS_Mode is the mTLS mode enforced on a workload's
// incoming connections. In ambient mode `DISABLE` is not supported, and only
// `STRICT` rules out connections that bypass the mesh, since `PERMISSIVE`
// still accepts plaintext.
type PeerAuthentication_MutualTLS_Mode int32

const (
	// Inherit from parent, if has one. Otherwise treated as `PERMISSIVE`.
	PeerAuthentication_MutualTLS_UNSET PeerAuthentication_MutualTLS_Mode = 0
	// Connection is not tunneled.
	PeerAuthentication_MutualTLS_DISABLE PeerAuthentication_MutualTLS_Mode = 1
	// Connection can be either plaintext or mTLS tunnel.
	PeerAuthentication_MutualTLS_PERMISSIVE PeerAuthentication_MutualTLS_Mode = 2
	// Connection is an mTLS tunnel (TLS with client cert must be presented).
	PeerAuthentication_MutualTLS_STRICT PeerAuthentication_MutualTLS_Mode = 3
)
func (PeerAuthentication_MutualTLS_Mode) Descriptor ¶
func (PeerAuthentication_MutualTLS_Mode) Descriptor() protoreflect.EnumDescriptor
func (PeerAuthentication_MutualTLS_Mode) Enum ¶
func (x PeerAuthentication_MutualTLS_Mode) Enum() *PeerAuthentication_MutualTLS_Mode
func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor
deprecated
func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int)
Deprecated: Use PeerAuthentication_MutualTLS_Mode.Descriptor instead.
func (PeerAuthentication_MutualTLS_Mode) Number ¶
func (x PeerAuthentication_MutualTLS_Mode) Number() protoreflect.EnumNumber
func (PeerAuthentication_MutualTLS_Mode) String ¶
func (x PeerAuthentication_MutualTLS_Mode) String() string
func (PeerAuthentication_MutualTLS_Mode) Type ¶
func (PeerAuthentication_MutualTLS_Mode) Type() protoreflect.EnumType
type RequestAuthentication ¶
// RequestAuthentication defines which request authentication methods a
// workload supports. Requests carrying invalid credentials are rejected;
// requests carrying no credentials are accepted without an authenticated
// identity, so an AuthorizationPolicy is needed to require a token.
type RequestAuthentication struct {
	// Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
	// in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
	// the selector will additionally match with workloads in all namespaces.
	//
	// If not set, the selector will match all workloads.
	//
	// At most one of `selector` or `targetRefs` can be set for a given policy.
	Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
	// $hide_from_docs
	TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,3,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
	// Optional. The targetRefs specifies a list of resources the policy should be
	// applied to. The targeted resources specified will determine which workloads
	// the policy applies to.
	//
	// Currently, the following resource attachment types are supported:
	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
	//
	// If not set, the policy is applied as defined by the selector.
	// At most one of the selector and targetRefs can be set.
	//
	// NOTE: If you are using the `targetRefs` field in a multi-revision environment with Istio versions prior to 1.22,
	// it is highly recommended that you pin the policy to a revision running 1.22+ via the `istio.io/rev` label.
	// This is to prevent proxies connected to older control planes (that don't know about the `targetRefs` field)
	// from misinterpreting the policy as namespace-wide during the upgrade process.
	//
	// NOTE: Waypoint proxies are required to use this field for policies to apply; `selector` policies will be ignored.
	TargetRefs []*v1beta1.PolicyTargetReference `protobuf:"bytes,4,rep,name=targetRefs,proto3" json:"targetRefs,omitempty"`
	// Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
	// will be used to extract the authenticated identity.
	// Each rule will be activated only when a token is presented at the location recognized by the
	// rule. The token will be validated based on the JWT rule config. If validation fails, the request will
	// be rejected.
	// Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
	// such requests is undefined.
	//
	// A request with no token at any of the configured locations is not rejected
	// by these rules; it simply carries no authenticated identity. To make a
	// valid token mandatory, pair the policy with an AuthorizationPolicy that
	// requires `requestPrincipals`.
	// +kubebuilder:validation:MaxItems=4096
	JwtRules []*JWTRule `protobuf:"bytes,2,rep,name=jwt_rules,json=jwtRules,proto3" json:"jwt_rules,omitempty"`
	// contains filtered or unexported fields
}
RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule.

Examples:
- Require JWT for all requests for workloads that have label `app:httpbin`
```yaml
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```
- A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces in a mesh. The following policy makes all workloads only accept requests that contain a valid JWT token.
```yaml
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: req-authn-for-all
  namespace: istio-system
spec:
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-for-all
  namespace: istio-system
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```
- The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication` declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly set from the OpenID Connect spec).
```yaml
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
  - issuer: "issuer-bar"
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["issuer-foo/*"]
    to:
    - operation:
        hosts: ["example.com"]
  - from:
    - source:
        requestPrincipals: ["issuer-bar/*"]
    to:
    - operation:
        hosts: ["another-host.com"]
```
- You can fine tune the authorization policy to set different requirement per path. For example, to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the authorization policy could be:
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/healthz"]
```
[Experimental] Routing based on derived [metadata](https://istio.io/latest/docs/reference/config/security/conditions/) is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request. Currently this feature is only supported for the following metadata:
- `request.auth.claims.{claim-name}[.{nested-claim}]*` which are extracted from validated JWT tokens. Use the `.` or `[]` as a separator for nested claim names. Examples: `request.auth.claims.sub`, `request.auth.claims.name.givenName` and `request.auth.claims[foo.com/name]`. For more information, see [JWT claim based routing](https://istio.io/latest/docs/tasks/security/authentication/jwt-route/).
The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:
- RequestAuthentication to decode and validate a JWT. This also makes the `@request.auth.claims` available for use in the VirtualService.
- AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
- VirtualService to route the request based on the "sub" claim.
```yaml
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: jwt-on-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - issuer: "example.com"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: route-jwt
spec:
  hosts:
  - foo.prod.svc.cluster.local
  gateways:
  - istio-ingressgateway
  http:
  - name: "v2"
    match:
    - headers:
        "@request.auth.claims.sub":
          exact: "dev"
    route:
    - destination:
        host: foo.prod.svc.cluster.local
        subset: v2
  - name: "default"
    route:
    - destination:
        host: foo.prod.svc.cluster.local
        subset: v1
```
<!-- crd generation tags +cue-gen:RequestAuthentication:groupName:security.istio.io +cue-gen:RequestAuthentication:versions:v1beta1,v1 +cue-gen:RequestAuthentication:storageVersion +cue-gen:RequestAuthentication:annotations:helm.sh/resource-policy=keep +cue-gen:RequestAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:RequestAuthentication:subresource:status +cue-gen:RequestAuthentication:scope:Namespaced +cue-gen:RequestAuthentication:resource:categories=istio-io,security-istio-io,shortNames=ra +cue-gen:RequestAuthentication:preserveUnknownFields:false -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true --> +kubebuilder:validation:XValidation:message="only one of targetRefs or workloadSelector can be set",rule="(has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1"
func (*RequestAuthentication) DeepCopy ¶
func (in *RequestAuthentication) DeepCopy() *RequestAuthentication
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication. Required by controller-gen.
func (*RequestAuthentication) DeepCopyInterface ¶
func (in *RequestAuthentication) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication. Required by controller-gen.
func (*RequestAuthentication) DeepCopyInto ¶
func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication)
DeepCopyInto supports using RequestAuthentication within kubernetes types, where deepcopy-gen is used.
func (*RequestAuthentication) Descriptor
deprecated
func (*RequestAuthentication) Descriptor() ([]byte, []int)
Deprecated: Use RequestAuthentication.ProtoReflect.Descriptor instead.
func (*RequestAuthentication) GetJwtRules ¶
func (x *RequestAuthentication) GetJwtRules() []*JWTRule
func (*RequestAuthentication) GetSelector ¶
func (x *RequestAuthentication) GetSelector() *v1beta1.WorkloadSelector
func (*RequestAuthentication) GetTargetRef ¶ added in v1.20.0
func (x *RequestAuthentication) GetTargetRef() *v1beta1.PolicyTargetReference
func (*RequestAuthentication) GetTargetRefs ¶ added in v1.22.0
func (x *RequestAuthentication) GetTargetRefs() []*v1beta1.PolicyTargetReference
func (*RequestAuthentication) MarshalJSON ¶
func (this *RequestAuthentication) MarshalJSON() ([]byte, error)
MarshalJSON is a custom marshaler for RequestAuthentication
func (*RequestAuthentication) ProtoMessage ¶
func (*RequestAuthentication) ProtoMessage()
func (*RequestAuthentication) ProtoReflect ¶
func (x *RequestAuthentication) ProtoReflect() protoreflect.Message
func (*RequestAuthentication) Reset ¶
func (x *RequestAuthentication) Reset()
func (*RequestAuthentication) String ¶
func (x *RequestAuthentication) String() string
func (*RequestAuthentication) UnmarshalJSON ¶
func (this *RequestAuthentication) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for RequestAuthentication
type Rule ¶
// Rule matches requests from a list of sources that perform a list of operations
// subject to a list of conditions. A match occurs when at least one source, at
// least one operation and all conditions match the request. An empty rule is
// always matched.
//
// Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
//   - Exact match: `abc` matches the value `abc`.
//   - Prefix match: `abc*` matches `abc` and `abcd`.
//   - Suffix match: `*abc` matches `abc` and `xabc`.
//   - Presence match: `*` matches any non-empty value.
type Rule struct {
	// Optional. `from` specifies the source of a request.
	//
	// If not set, any source is allowed.
	From []*Rule_From `protobuf:"bytes,1,rep,name=from,proto3" json:"from,omitempty"`
	// Optional. `to` specifies the operation of a request.
	//
	// If not set, any operation is allowed.
	To []*Rule_To `protobuf:"bytes,2,rep,name=to,proto3" json:"to,omitempty"`
	// Optional. `when` specifies a list of additional conditions of a request.
	//
	// If not set, any condition is allowed.
	//
	// NOTE(review): since an unset field means "any", a rule with none of
	// From, To and When set matches every request; review such rules with the
	// enclosing policy's action in mind.
	When []*Condition `protobuf:"bytes,3,rep,name=when,proto3" json:"when,omitempty"`
	// contains filtered or unexported fields
}
Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, at least one operation, and all conditions match the request. An empty rule is always matched.
Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: `abc` will match on value `abc`.
- Prefix match: `abc*` will match on value `abc` and `abcd`.
- Suffix match: `*abc` will match on value `abc` and `xabc`.
- Presence match: `*` will match when value is not empty.
func (*Rule) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. Required by controller-gen.
func (*Rule) DeepCopyInterface ¶
func (in *Rule) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Rule. Required by controller-gen.
func (*Rule) DeepCopyInto ¶
DeepCopyInto supports using Rule within kubernetes types, where deepcopy-gen is used.
func (*Rule) Descriptor
deprecated
func (*Rule) MarshalJSON ¶
MarshalJSON is a custom marshaler for Rule
func (*Rule) ProtoMessage ¶
func (*Rule) ProtoMessage()
func (*Rule) ProtoReflect ¶
func (x *Rule) ProtoReflect() protoreflect.Message
func (*Rule) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Rule
type Rule_From ¶
// Rule_From is one entry of a Rule's `from` list; it wraps a single Source.
type Rule_From struct {
	// Source specifies the source of a request.
	Source *Source `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
	// contains filtered or unexported fields
}
From includes a list of sources.
func (*Rule_From) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule_From. Required by controller-gen.
func (*Rule_From) DeepCopyInterface ¶
func (in *Rule_From) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Rule_From. Required by controller-gen.
func (*Rule_From) DeepCopyInto ¶
DeepCopyInto supports using Rule_From within kubernetes types, where deepcopy-gen is used.
func (*Rule_From) Descriptor
deprecated
func (*Rule_From) MarshalJSON ¶
MarshalJSON is a custom marshaler for Rule_From
func (*Rule_From) ProtoMessage ¶
func (*Rule_From) ProtoMessage()
func (*Rule_From) ProtoReflect ¶
func (x *Rule_From) ProtoReflect() protoreflect.Message
func (*Rule_From) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Rule_From
type Rule_To ¶
// Rule_To is one entry of a Rule's `to` list; it wraps a single Operation.
type Rule_To struct {
	// Operation specifies the operation of a request.
	Operation *Operation `protobuf:"bytes,1,opt,name=operation,proto3" json:"operation,omitempty"`
	// contains filtered or unexported fields
}
To includes a list of operations.
func (*Rule_To) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule_To. Required by controller-gen.
func (*Rule_To) DeepCopyInterface ¶
func (in *Rule_To) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Rule_To. Required by controller-gen.
func (*Rule_To) DeepCopyInto ¶
DeepCopyInto supports using Rule_To within kubernetes types, where deepcopy-gen is used.
func (*Rule_To) Descriptor
deprecated
func (*Rule_To) GetOperation ¶
func (*Rule_To) MarshalJSON ¶
MarshalJSON is a custom marshaler for Rule_To
func (*Rule_To) ProtoMessage ¶
func (*Rule_To) ProtoMessage()
func (*Rule_To) ProtoReflect ¶
func (x *Rule_To) ProtoReflect() protoreflect.Message
func (*Rule_To) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Rule_To
type Source ¶
// Source specifies the source identities of a request. Fields in the source are
// ANDed together; the entries within one list field are alternatives (for
// example, principals ["admin", "dev"] matches either principal).
type Source struct {
	// Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of
	// `"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>"`, for example, `"cluster.local/ns/default/sa/productpage"`.
	// This field requires mTLS enabled and is the same as the `source.principal` attribute.
	//
	// If not set, any principal is allowed.
	Principals []string `protobuf:"bytes,1,rep,name=principals,proto3" json:"principals,omitempty"`
	// Optional. A list of negative match of peer identities.
	NotPrincipals []string `protobuf:"bytes,5,rep,name=not_principals,json=notPrincipals,proto3" json:"not_principals,omitempty"`
	// Optional. A list of request identities derived from the JWT. The request identity is in the format of
	// `"<ISS>/<SUB>"`, for example, `"example.com/sub-1"`. This field requires request authentication enabled and is the
	// same as the `request.auth.principal` attribute.
	//
	// If not set, any request principal is allowed.
	RequestPrincipals []string `protobuf:"bytes,2,rep,name=request_principals,json=requestPrincipals,proto3" json:"request_principals,omitempty"`
	// Optional. A list of negative match of request identities.
	NotRequestPrincipals []string `protobuf:"bytes,6,rep,name=not_request_principals,json=notRequestPrincipals,proto3" json:"not_request_principals,omitempty"`
	// Optional. A list of namespaces derived from the peer certificate.
	// This field requires mTLS enabled and is the same as the `source.namespace` attribute.
	//
	// If not set, any namespace is allowed.
	Namespaces []string `protobuf:"bytes,3,rep,name=namespaces,proto3" json:"namespaces,omitempty"`
	// Optional. A list of negative match of namespaces.
	NotNamespaces []string `protobuf:"bytes,7,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"`
	// Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. `203.0.113.4`) and
	// CIDR (e.g. `203.0.113.0/24`) are supported.
	// This is the same as the `source.ip` attribute.
	//
	// If not set, any IP is allowed.
	//
	// NOTE(review): this is the address of the immediate peer, not of the
	// original client when traffic arrives through an intermediary; use
	// RemoteIpBlocks for the latter (presumably — confirm against the
	// deployment's network topology).
	IpBlocks []string `protobuf:"bytes,4,rep,name=ip_blocks,json=ipBlocks,proto3" json:"ip_blocks,omitempty"`
	// Optional. A list of negative match of IP blocks.
	NotIpBlocks []string `protobuf:"bytes,8,rep,name=not_ip_blocks,json=notIpBlocks,proto3" json:"not_ip_blocks,omitempty"`
	// Optional. A list of IP blocks, populated from `X-Forwarded-For` header or proxy protocol.
	// To make use of this field, you must configure the `numTrustedProxies` field of the `gatewayTopology` under the `meshConfig`
	// when you install Istio or using an annotation on the ingress gateway. See the documentation here:
	// [Configuring Gateway Network Topology](https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/).
	// Single IP (e.g. `203.0.113.4`) and CIDR (e.g. `203.0.113.0/24`) are supported.
	// This is the same as the `remote.ip` attribute.
	//
	// If not set, any IP is allowed.
	//
	// NOTE(review): the value matched here comes from a client-supplied header
	// or proxy protocol and is only as reliable as the `numTrustedProxies`
	// setting; verify that setting matches the real number of hops before
	// relying on this field for access decisions.
	RemoteIpBlocks []string `protobuf:"bytes,9,rep,name=remote_ip_blocks,json=remoteIpBlocks,proto3" json:"remote_ip_blocks,omitempty"`
	// Optional. A list of negative match of remote IP blocks.
	NotRemoteIpBlocks []string `protobuf:"bytes,10,rep,name=not_remote_ip_blocks,json=notRemoteIpBlocks,proto3" json:"not_remote_ip_blocks,omitempty"`
	// contains filtered or unexported fields
}
Source specifies the source identities of a request. Fields in the source are ANDed together.
For example, the following source matches if the principal is `admin` or `dev`, the namespace is `prod` or `test`, and the IP is not `203.0.113.4`.
```yaml
principals: ["admin", "dev"]
namespaces: ["prod", "test"]
notIpBlocks: ["203.0.113.4"]
```
func (*Source) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source. Required by controller-gen.
func (*Source) DeepCopyInterface ¶
func (in *Source) DeepCopyInterface() interface{}
DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Source. Required by controller-gen.
func (*Source) DeepCopyInto ¶
DeepCopyInto supports using Source within kubernetes types, where deepcopy-gen is used.
func (*Source) Descriptor
deprecated
func (*Source) GetIpBlocks ¶
func (*Source) GetNamespaces ¶
func (*Source) GetNotIpBlocks ¶
func (*Source) GetNotNamespaces ¶
func (*Source) GetNotPrincipals ¶
func (*Source) GetNotRemoteIpBlocks ¶
func (*Source) GetNotRequestPrincipals ¶
func (*Source) GetPrincipals ¶
func (*Source) GetRemoteIpBlocks ¶
func (*Source) GetRequestPrincipals ¶
func (*Source) MarshalJSON ¶
MarshalJSON is a custom marshaler for Source
func (*Source) ProtoMessage ¶
func (*Source) ProtoMessage()
func (*Source) ProtoReflect ¶
func (x *Source) ProtoReflect() protoreflect.Message
func (*Source) UnmarshalJSON ¶
UnmarshalJSON is a custom unmarshaler for Source