Documentation ¶
Overview ¶
Package has auto-generated kube type wrappers for raw types. +k8s:openapi-gen=true +k8s:deepcopy-gen=package +groupName=security.istio.io
Index ¶
Constants ¶
const (
// Package-wide consts from generator "register".
GroupName = "security.istio.io"
)
Variables ¶
var ( // Package-wide variables from generator "register". SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) AddToScheme = localSchemeBuilder.AddToScheme )
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Types ¶
type AuthorizationPolicy ¶
type AuthorizationPolicy struct { v1.TypeMeta `json:",inline"` // +optional v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Spec defines the implementation of this definition. // +optional Spec securityv1beta1.AuthorizationPolicy `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` Status v1alpha1.IstioStatus `json:"status"` }
AuthorizationPolicy enables access control on workloads.
<!-- crd generation tags +cue-gen:AuthorizationPolicy:groupName:security.istio.io +cue-gen:AuthorizationPolicy:version:v1beta1 +cue-gen:AuthorizationPolicy:storageVersion +cue-gen:AuthorizationPolicy:annotations:helm.sh/resource-policy=keep +cue-gen:AuthorizationPolicy:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:AuthorizationPolicy:subresource:status +cue-gen:AuthorizationPolicy:scope:Namespaced +cue-gen:AuthorizationPolicy:resource:categories=istio-io,security-istio-io,plural=authorizationpolicies +cue-gen:AuthorizationPolicy:preserveUnknownFields:false -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true --> <!-- istio code generation tags +istio.io/sync-start -->
func (*AuthorizationPolicy) DeepCopy ¶
func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy.
func (*AuthorizationPolicy) DeepCopyInto ¶
func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthorizationPolicy) DeepCopyObject ¶
func (in *AuthorizationPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type AuthorizationPolicyList ¶
type AuthorizationPolicyList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` Items []*AuthorizationPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` }
AuthorizationPolicyList is a collection of AuthorizationPolicies.
func (*AuthorizationPolicyList) DeepCopy ¶
func (in *AuthorizationPolicyList) DeepCopy() *AuthorizationPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicyList.
func (*AuthorizationPolicyList) DeepCopyInto ¶
func (in *AuthorizationPolicyList) DeepCopyInto(out *AuthorizationPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthorizationPolicyList) DeepCopyObject ¶
func (in *AuthorizationPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PeerAuthentication ¶
type PeerAuthentication struct { v1.TypeMeta `json:",inline"` // +optional v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Spec defines the implementation of this definition. // +optional Spec securityv1beta1.PeerAuthentication `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` Status v1alpha1.IstioStatus `json:"status"` }
PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
Examples:
Policy to allow mTLS traffic for all workloads under namespace `foo`: ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
mtls: mode: STRICT
``` For mesh level, put the policy in root-namespace according to your Istio installation.
Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but require mTLS for workload `finance`. ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
mtls: mode: PERMISSIVE
--- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: finance namespace: foo
spec:
selector: matchLabels: app: finance mtls: mode: STRICT
``` Policy to allow mTLS strict for all workloads, but leave port 8080 to plaintext: ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
selector: matchLabels: app: finance mtls: mode: STRICT portLevelMtls: 8080: mode: DISABLE
``` Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite settings for port 8080 ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata:
name: default namespace: foo
spec:
selector: matchLabels: app: finance mtls: mode: UNSET portLevelMtls: 8080: mode: DISABLE
```
<!-- crd generation tags +cue-gen:PeerAuthentication:groupName:security.istio.io +cue-gen:PeerAuthentication:version:v1beta1 +cue-gen:PeerAuthentication:storageVersion +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:PeerAuthentication:subresource:status +cue-gen:PeerAuthentication:scope:Namespaced +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa +cue-gen:PeerAuthentication:preserveUnknownFields:false +cue-gen:PeerAuthentication:printerColumn:name=Mode,type=string,JSONPath=.spec.mtls.mode,description="Defines the mTLS mode used for peer authentication." +cue-gen:PeerAuthentication:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->
func (*PeerAuthentication) DeepCopy ¶
func (in *PeerAuthentication) DeepCopy() *PeerAuthentication
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication.
func (*PeerAuthentication) DeepCopyInto ¶
func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PeerAuthentication) DeepCopyObject ¶
func (in *PeerAuthentication) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PeerAuthenticationList ¶
type PeerAuthenticationList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` Items []*PeerAuthentication `json:"items" protobuf:"bytes,2,rep,name=items"` }
PeerAuthenticationList is a collection of PeerAuthentications.
func (*PeerAuthenticationList) DeepCopy ¶
func (in *PeerAuthenticationList) DeepCopy() *PeerAuthenticationList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationList.
func (*PeerAuthenticationList) DeepCopyInto ¶
func (in *PeerAuthenticationList) DeepCopyInto(out *PeerAuthenticationList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PeerAuthenticationList) DeepCopyObject ¶
func (in *PeerAuthenticationList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type RequestAuthentication ¶
type RequestAuthentication struct { v1.TypeMeta `json:",inline"` // +optional v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Spec defines the implementation of this definition. // +optional Spec securityv1beta1.RequestAuthentication `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` Status v1alpha1.IstioStatus `json:"status"` }
RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples:
- Require JWT for all request for workloads that have label `app:httpbin`
{{<tabset category-name="example">}} {{<tab name="v1beta1" category-value="v1beta1">}} ```yaml apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin jwtRules: - issuer: "issuer-foo" jwksUri: https://example.com/.well-known/jwks.json
--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["*"]
``` {{</tab>}}
{{<tab name="v1" category-value="v1">}} ```yaml apiVersion: security.istio.io/v1 kind: RequestAuthentication metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin jwtRules: - issuer: "issuer-foo" jwksUri: https://example.com/.well-known/jwks.json
--- apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["*"]
``` {{</tab>}} {{</tabset>}}
- A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces in a mesh. The following policy makes all workloads only accept requests that contain a valid JWT token.
{{<tabset category-name="example">}} {{<tab name="v1beta1" category-value="v1beta1">}} ```yaml apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata:
name: req-authn-for-all namespace: istio-system
spec:
jwtRules: - issuer: "issuer-foo" jwksUri: https://example.com/.well-known/jwks.json
--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: require-jwt-for-all namespace: istio-system
spec:
rules: - from: - source: requestPrincipals: ["*"]
``` {{</tab>}}
{{<tab name="v1" category-value="v1">}} ```yaml apiVersion: security.istio.io/v1 kind: RequestAuthentication metadata:
name: req-authn-for-all namespace: istio-system
spec:
jwtRules: - issuer: "issuer-foo" jwksUri: https://example.com/.well-known/jwks.json
--- apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata:
name: require-jwt-for-all namespace: istio-system
spec:
rules: - from: - source: requestPrincipals: ["*"]
``` {{</tab>}} {{</tabset>}}
- The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication` declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly set from the OpenID Connect spec).
{{<tabset category-name="example">}} {{<tab name="v1beta1" category-value="v1beta1">}} ```yaml apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin jwtRules: - issuer: "issuer-foo" - issuer: "issuer-bar"
--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["issuer-foo/*"] to: - operation: hosts: ["example.com"] - from: - source: requestPrincipals: ["issuer-bar/*"] to: - operation: hosts: ["another-host.com"]
``` {{</tab>}}
{{<tab name="v1" category-value="v1">}} ```yaml apiVersion: security.istio.io/v1 kind: RequestAuthentication metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin jwtRules: - issuer: "issuer-foo" - issuer: "issuer-bar"
--- apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["issuer-foo/*"] to: - operation: hosts: ["example.com"] - from: - source: requestPrincipals: ["issuer-bar/*"] to: - operation: hosts: ["another-host.com"]
``` {{</tab>}} {{</tabset>}}
- You can fine tune the authorization policy to set different requirement per path. For example, to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the authorization policy could be:
{{<tabset category-name="example">}} {{<tab name="v1beta1" category-value="v1beta1">}} ```yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["*"] - to: - operation: paths: ["/healthz"]
``` {{</tab>}}
{{<tab name="v1" category-value="v1">}} ```yaml apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata:
name: httpbin namespace: foo
spec:
selector: matchLabels: app: httpbin rules: - from: - source: requestPrincipals: ["*"] - to: - operation: paths: ["/healthz"]
``` {{</tab>}} {{</tabset>}}
[Experimental] Routing based on derived [metadata](https://istio.io/latest/docs/reference/config/security/conditions/) is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request. Currently this feature is only supported for the following metadata:
- `request.auth.claims.{claim-name}[.{sub-claim}]*` which are extracted from validated JWT tokens. The claim name currently does not support the `.` character. Examples: `request.auth.claims.sub` and `request.auth.claims.name.givenName`.
The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:
- RequestAuthentication to decode and validate a JWT. This also makes the `@request.auth.claims` available for use in the VirtualService. - AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request. - VirtualService to route the request based on the "sub" claim.
{{<tabset category-name="example">}} {{<tab name="v1beta1" category-value="v1beta1">}} ```yaml apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata:
name: jwt-on-ingress namespace: istio-system
spec:
selector: matchLabels: app: istio-ingressgateway jwtRules: - issuer: "example.com" jwksUri: https://example.com/.well-known/jwks.json
--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
name: require-jwt namespace: istio-system
spec:
selector: matchLabels: app: istio-ingressgateway rules: - from: - source: requestPrincipals: ["*"]
--- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata:
name: route-jwt
spec:
hosts: - foo.prod.svc.cluster.local gateways: - istio-ingressgateway http: - name: "v2" match: - headers: "@request.auth.claims.sub": exact: "dev" route: - destination: host: foo.prod.svc.cluster.local subset: v2 - name: "default" route: - destination: host: foo.prod.svc.cluster.local subset: v1
``` {{</tab>}}
{{<tab name="v1" category-value="v1">}} ```yaml apiVersion: security.istio.io/v1 kind: RequestAuthentication metadata:
name: jwt-on-ingress namespace: istio-system
spec:
selector: matchLabels: app: istio-ingressgateway jwtRules: - issuer: "example.com" jwksUri: https://example.com/.well-known/jwks.json
--- apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata:
name: require-jwt namespace: istio-system
spec:
selector: matchLabels: app: istio-ingressgateway rules: - from: - source: requestPrincipals: ["*"]
--- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata:
name: route-jwt
spec:
hosts: - foo.prod.svc.cluster.local gateways: - istio-ingressgateway http: - name: "v2" match: - headers: "@request.auth.claims.sub": exact: "dev" route: - destination: host: foo.prod.svc.cluster.local subset: v2 - name: "default" route: - destination: host: foo.prod.svc.cluster.local subset: v1
``` {{</tab>}} {{</tabset>}}
<!-- crd generation tags +cue-gen:RequestAuthentication:groupName:security.istio.io +cue-gen:RequestAuthentication:version:v1beta1 +cue-gen:RequestAuthentication:storageVersion +cue-gen:RequestAuthentication:annotations:helm.sh/resource-policy=keep +cue-gen:RequestAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:RequestAuthentication:subresource:status +cue-gen:RequestAuthentication:scope:Namespaced +cue-gen:RequestAuthentication:resource:categories=istio-io,security-istio-io,shortNames=ra +cue-gen:RequestAuthentication:preserveUnknownFields:false -->
<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true --> <!-- istio code generation tags +istio.io/sync-start -->
func (*RequestAuthentication) DeepCopy ¶
func (in *RequestAuthentication) DeepCopy() *RequestAuthentication
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication.
func (*RequestAuthentication) DeepCopyInto ¶
func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RequestAuthentication) DeepCopyObject ¶
func (in *RequestAuthentication) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type RequestAuthenticationList ¶
type RequestAuthenticationList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` Items []*RequestAuthentication `json:"items" protobuf:"bytes,2,rep,name=items"` }
RequestAuthenticationList is a collection of RequestAuthentications.
func (*RequestAuthenticationList) DeepCopy ¶
func (in *RequestAuthenticationList) DeepCopy() *RequestAuthenticationList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthenticationList.
func (*RequestAuthenticationList) DeepCopyInto ¶
func (in *RequestAuthenticationList) DeepCopyInto(out *RequestAuthenticationList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RequestAuthenticationList) DeepCopyObject ¶
func (in *RequestAuthenticationList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.