v1beta1

package
v1.8.0-alpha.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 27, 2020 License: Apache-2.0 Imports: 5 Imported by: 105

Documentation

Overview

Package has auto-generated kube type wrappers for raw types. +k8s:openapi-gen=true +k8s:deepcopy-gen=package +groupName=security.istio.io

Index

Constants

View Source 
const (
	// Package-wide consts from generator "register".
	GroupName = "security.istio.io"
)

Variables

View Source 
var (
	// Package-wide variables from generator "register".
	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)

	AddToScheme = localSchemeBuilder.AddToScheme
)

Functions

func Resource 

func Resource(resource string) schema.GroupResource

Types

type AuthorizationPolicy 

type AuthorizationPolicy struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec defines the implementation of this definition.
	// +optional
	Spec securityv1beta1.AuthorizationPolicy `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`

	Status v1alpha1.IstioStatus `json:"status"`
}

AuthorizationPolicy enables access control on workloads.

For example, the following authorization policy denies all requests to workloads in namespace foo.

```yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: 

name: deny-all
namespace: foo

spec: 

{}

```

The following authorization policy allows all requests to workloads in namespace foo.

```yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: 

name: allow-all
namespace: foo

spec: 

rules:
- {}

```

<!-- crd generation tags +cue-gen:AuthorizationPolicy:groupName:security.istio.io +cue-gen:AuthorizationPolicy:version:v1beta1 +cue-gen:AuthorizationPolicy:storageVersion +cue-gen:AuthorizationPolicy:annotations:helm.sh/resource-policy=keep +cue-gen:AuthorizationPolicy:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:AuthorizationPolicy:subresource:status +cue-gen:AuthorizationPolicy:scope:Namespaced +cue-gen:AuthorizationPolicy:resource:categories=istio-io,security-istio-io,plural=authorizationpolicies +cue-gen:AuthorizationPolicy:preserveUnknownFields:false -->

<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->

func (*AuthorizationPolicy) DeepCopy 

func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy.

func (*AuthorizationPolicy) DeepCopyInto 

func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthorizationPolicy) DeepCopyObject 

func (in *AuthorizationPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AuthorizationPolicyList 

type AuthorizationPolicyList struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items       []AuthorizationPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}

AuthorizationPolicyList is a collection of AuthorizationPolicies.

func (*AuthorizationPolicyList) DeepCopy 

func (in *AuthorizationPolicyList) DeepCopy() *AuthorizationPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicyList.

func (*AuthorizationPolicyList) DeepCopyInto 

func (in *AuthorizationPolicyList) DeepCopyInto(out *AuthorizationPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthorizationPolicyList) DeepCopyObject 

func (in *AuthorizationPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PeerAuthentication 

type PeerAuthentication struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec defines the implementation of this definition.
	// +optional
	Spec securityv1beta1.PeerAuthentication `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`

	Status v1alpha1.IstioStatus `json:"status"`
}

PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

Examples:

Policy to allow mTLS traffic for all workloads under namespace `foo`: ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: 

name: default
namespace: foo

spec: 

mtls:
  mode: STRICT

``` For mesh level, put the policy in root-namespace according to your Istio installation.

Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but require mTLS for workload `finance`. ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: 

name: default
namespace: foo

spec: 

mtls:
  mode: PERMISSIVE

--- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: 

name: default
namespace: foo

spec: 

selector:
  matchLabels:
    app: finance
mtls:
  mode: STRICT

``` Policy to allow mTLS strict for all workloads, but leave port 8080 to plaintext: ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: 

name: default
namespace: foo

spec: 

selector:
  matchLabels:
    app: finance
mtls:
  mode: STRICT
portLevelMtls:
  8080:
    mode: DISABLE

``` Policy to inherite mTLS mode from namespace (or mesh) settings, and overwrite settings for port 8080 ```yaml apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: 

name: default
namespace: foo

spec: 

selector:
  matchLabels:
    app: finance
mtls:
  mode: UNSET
portLevelMtls:
  8080:
    mode: DISABLE

```

<!-- crd generation tags +cue-gen:PeerAuthentication:groupName:security.istio.io +cue-gen:PeerAuthentication:version:v1beta1 +cue-gen:PeerAuthentication:storageVersion +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:PeerAuthentication:subresource:status +cue-gen:PeerAuthentication:scope:Namespaced +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa +cue-gen:PeerAuthentication:preserveUnknownFields:false -->

<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->

func (*PeerAuthentication) DeepCopy 

func (in *PeerAuthentication) DeepCopy() *PeerAuthentication

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication.

func (*PeerAuthentication) DeepCopyInto 

func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PeerAuthentication) DeepCopyObject 

func (in *PeerAuthentication) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PeerAuthenticationList 

type PeerAuthenticationList struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items       []PeerAuthentication `json:"items" protobuf:"bytes,2,rep,name=items"`
}

PeerAuthenticationList is a collection of PeerAuthentications.

func (*PeerAuthenticationList) DeepCopy 

func (in *PeerAuthenticationList) DeepCopy() *PeerAuthenticationList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationList.

func (*PeerAuthenticationList) DeepCopyInto 

func (in *PeerAuthenticationList) DeepCopyInto(out *PeerAuthenticationList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PeerAuthenticationList) DeepCopyObject 

func (in *PeerAuthenticationList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RequestAuthentication 

type RequestAuthentication struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec defines the implementation of this definition.
	// +optional
	Spec securityv1beta1.RequestAuthentication `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`

	Status v1alpha1.IstioStatus `json:"status"`
}

RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples:

- Require JWT for all request for workloads that have label `app:httpbin`

```yaml apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: 

name: httpbin
namespace: foo

spec: 

selector:
  matchLabels:
    app: httpbin
jwtRules:
- issuer: "issuer-foo"
  jwksUri: https://example.com/.well-known/jwks.json

--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: 

name: httpbin
namespace: foo

spec: 

selector:
  matchLabels:
    app: httpbin
rules:
- from:
  - source:
      requestPrincipals: ["*"]

```

- The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication` declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly set from the OpenID Connect spec).

```yaml apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: 

name: httpbin
namespace: foo

spec: 

selector:
  matchLabels:
    app: httpbin
jwtRules:
- issuer: "issuer-foo"
- issuer: "issuer-bar"

--- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: 

name: httpbin
namespace: foo

spec: 

 selector:
   matchLabels:
     app: httpbin
rules:
- from:
  - source:
      requestPrincipals: ["issuer-foo/*"]
  to:
    hosts: ["example.com"]
- from:
  - source:
      requestPrincipals: ["issuer-bar/*"]
  to:
    hosts: ["another-host.com"]

```

- You can fine tune the authorization policy to set different requirement per path. For example, to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the authorization policy could be:

```yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: 

name: httpbin
namespace: foo

spec: 

 selector:
   matchLabels:
     app: httpbin
rules:
- from:
  - source:
      requestPrincipals: ["*"]
- to:
  - operation:
      paths: ["/healthz"]

```

<!-- crd generation tags +cue-gen:RequestAuthentication:groupName:security.istio.io +cue-gen:RequestAuthentication:version:v1beta1 +cue-gen:RequestAuthentication:storageVersion +cue-gen:RequestAuthentication:annotations:helm.sh/resource-policy=keep +cue-gen:RequestAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio +cue-gen:RequestAuthentication:subresource:status +cue-gen:RequestAuthentication:scope:Namespaced +cue-gen:RequestAuthentication:resource:categories=istio-io,security-istio-io,shortNames=ra +cue-gen:RequestAuthentication:preserveUnknownFields:false -->

<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=security.istio.io/v1beta1 +genclient +k8s:deepcopy-gen=true -->

func (*RequestAuthentication) DeepCopy 

func (in *RequestAuthentication) DeepCopy() *RequestAuthentication

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication.

func (*RequestAuthentication) DeepCopyInto 

func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RequestAuthentication) DeepCopyObject 

func (in *RequestAuthentication) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RequestAuthenticationList 

type RequestAuthenticationList struct {
	v1.TypeMeta `json:",inline"`
	// +optional
	v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items       []RequestAuthentication `json:"items" protobuf:"bytes,2,rep,name=items"`
}

RequestAuthenticationList is a collection of RequestAuthentications.

func (*RequestAuthenticationList) DeepCopy 

func (in *RequestAuthenticationList) DeepCopy() *RequestAuthenticationList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthenticationList.

func (*RequestAuthenticationList) DeepCopyInto 

func (in *RequestAuthenticationList) DeepCopyInto(out *RequestAuthenticationList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RequestAuthenticationList) DeepCopyObject 

func (in *RequestAuthenticationList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.