use istio client-go library instead of knative (#1661)

use istio client-go library instead of knative
bump kubernetes dependency version
change code coverage to codecov
zryfish
2019-12-13 11:26:18 +08:00
committed by GitHub
parent f249a6e081
commit ea88c8803d
2071 changed files with 354531 additions and 108336 deletions

181
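--- /dev/null
+++ b/vendor/istio.io/api/security/v1beta1/authorization.json
@@ -0,0 +1,181 @@
+{
+"openapi": "3.0.0",
+"info": {
+"title": "Configuration for access control on workloads.",
+"version": "v1beta1"
+},
+"components": {
+"schemas": {
+"istio.security.v1beta1.AuthorizationPolicy": {
+"description": "AuthorizationPolicy enables access control on workloads.",
+"type": "object",
+"properties": {
+"selector": {
+"$ref": "#/components/schemas/istio.type.v1beta1.WorkloadSelector"
+},
+"rules": {
+"description": "Optional. A list of rules to specify the allowed access to the workload.",
+"type": "array",
+"items": {
+"$ref": "#/components/schemas/istio.security.v1beta1.Rule"
+}
+}
+}
+},
+"istio.security.v1beta1.Rule": {
+"description": "Rule allows access from a list of sources to perform a list of operations when the condition is matched.",
+"type": "object",
+"properties": {
+"from": {
+"description": "Optional. from specifies the source of a request.",
+"type": "array",
+"items": {
+"$ref": "#/components/schemas/istio.security.v1beta1.Rule.From"
+}
+},
+"to": {
+"description": "Optional. to specifies the operation of a request.",
+"type": "array",
+"items": {
+"$ref": "#/components/schemas/istio.security.v1beta1.Rule.To"
+}
+},
+"when": {
+"description": "Optional. when specifies a list of additional conditions of a request.",
+"type": "array",
+"items": {
+"$ref": "#/components/schemas/istio.security.v1beta1.Condition"
+}
+}
+}
+},
+"istio.security.v1beta1.Rule.From": {
+"description": "From includes a list or sources.",
+"type": "object",
+"properties": {
+"source": {
+"$ref": "#/components/schemas/istio.security.v1beta1.Source"
+}
+}
+},
+"istio.security.v1beta1.Rule.To": {
+"description": "To includes a list or operations.",
+"type": "object",
+"properties": {
+"operation": {
+"$ref": "#/components/schemas/istio.security.v1beta1.Operation"
+}
+}
+},
+"istio.security.v1beta1.Condition": {
+"description": "Condition specifies additional required attributes.",
+"type": "object",
+"properties": {
+"key": {
+"description": "The name of an Istio attribute. See the [full list of supported attributes](https://istio.io/docs/reference/config/).",
+"type": "string",
+"format": "string"
+},
+"values": {
+"description": "The allowed values for the attribute.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+}
+}
+},
+"istio.security.v1beta1.Source": {
+"description": "Source specifies the source identities of a request.",
+"type": "object",
+"properties": {
+"principals": {
+"description": "Optional. A list of source peer identities (i.e. service account), which matches to the \"source.principal\" attribute.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+},
+"requestPrincipals": {
+"description": "Optional. A list of request identities (i.e. \"iss/sub\" claims), which matches to the \"request.auth.principal\" attribute.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+},
+"namespaces": {
+"description": "Optional. A list of namespaces, which matches to the \"source.namespace\" attribute.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+},
+"ipBlocks": {
+"description": "Optional. A list of IP blocks, which matches to the \"source.ip\" attribute. Single IP (e.g. \"1.2.3.4\") and CIDR (e.g. \"1.2.3.0/24\") are supported.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+}
+}
+},
+"istio.security.v1beta1.Operation": {
+"description": "Operation specifies the operations of a request.",
+"type": "object",
+"properties": {
+"hosts": {
+"description": "Optional. A list of hosts, which matches to the \"request.host\" attribute.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+},
+"ports": {
+"description": "Optional. A list of ports, which matches to the \"destination.port\" attribute.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+},
+"methods": {
+"description": "Optional. A list of methods, which matches to the \"request.method\" attribute. For gRPC service, this should be the fully-qualified name in the form of \"/package.service/method\"",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+},
+"paths": {
+"description": "Optional. A list of paths, which matches to the \"request.url_path\" attribute.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+}
+}
+},
+"istio.type.v1beta1.WorkloadSelector": {
+"description": "Optional. Workload selector decides where to apply the authorization policy. If not set, the authorization policy will be applied to all workloads in the same namespace as the authorization policy.",
+"type": "object",
+"properties": {
+"matchLabels": {
+"description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.",
+"type": "object",
+"additionalProperties": {
+"type": "string",
+"format": "string"
+}
+}
+}
+}
+}
+}
+}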

2299
vendor/istio.io/api/security/v1beta1/authorization.pb.go generated vendored Normal file



@@ -0,0 +1,273 @@
// Copyright 2019 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "google/api/field_behavior.proto";
import "type/v1beta1/selector.proto";
// $title: Authorization Policy
// $description: Configuration for access control on workloads.
// $location: https://istio.io/docs/reference/config/security/authorization-policy.html
// $weight: 20
// $aliases: [/docs/reference/config/authorization/authorization-policy.html]
// Istio Authorization Policy enables access control on workloads in the mesh.
//
// For example, the following authorization policy applies to workloads matched with
// label selector "app: httpbin, version: v1".
//
// It allows requests from:
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
// to access the workload with:
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
// when the request has a valid JWT token issued by "https://accounts.google.com".
//
// Any other requests will be rejected.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// version: v1
// rules:
// - from:
// - source:
// principals: ["cluster.local/ns/default/sa/sleep"]
// - source:
// namespaces: ["test"]
// to:
// - operation:
// methods: ["GET"]
// paths: ["/info*"]
// - operation:
// methods: ["POST"]
// paths: ["/data"]
// when:
// - key: request.auth.claims[iss]
// values: ["https://accounts.google.com"]
// ```
//
// Access control is enabled on a workload if there is any authorization policies selecting
// the workload. When access control is enabled, the default behavior is deny (deny-by-default)
// which means requests to the workload will be rejected if the request is not allowed by any of
// the authorization policies selecting the workload.
//
// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
// if multiple authorization policies apply to the same workload, the effect is additive.
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to workloads containing label
// "app: httpbin" in namespace bar.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: bar
// spec:
// selector:
// matchLabels:
// app: httpbin
// ```
//
// The following authorization policy applies to all workloads in namespace foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: foo
// spec:
// ```
//
// The following authorization policy applies to workloads containing label
// "version: v1" in all namespaces in the mesh. (Assuming the root namespace is
// configured to "istio-config").
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: istio-config
// spec:
// selector:
// matchLabels:
// version: v1
// ```
package istio.security.v1beta1;
option go_package="istio.io/api/security/v1beta1";
// AuthorizationPolicy enables access control on workloads.
//
// For example, the following authorization policy denies all requests to workloads
// in namespace foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: deny-all
// namespace: foo
// spec:
// ```
//
// The following authorization policy allows all requests to workloads in namespace
// foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: allow-all
// namespace: foo
// spec:
// rules:
// - {}
// ```
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
message AuthorizationPolicy {
// Optional. Workload selector decides where to apply the authorization policy.
// If not set, the authorization policy will be applied to all workloads in the
// same namespace as the authorization policy.
istio.type.v1beta1.WorkloadSelector selector = 1;
// Optional. A list of rules to specify the allowed access to the workload.
//
// If not set, access is denied unless explicitly allowed by other authorization policy.
repeated Rule rules = 2;
}
// Rule allows access from a list of sources to perform a list of operations when
// the condition is matched.
//
// Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
// - Exact match: "abc" will match on value "abc".
// - Prefix match: "abc*" will match on value "abc" and "abcd".
// - Suffix match: "*abc" will match on value "abc" and "xabc".
// - Presence match: "*" will match when value is not empty.
message Rule {
// From includes a list or sources.
message From {
// Source specifies the source of a request.
Source source = 1;
}
// Optional. from specifies the source of a request.
//
// If not set, any source is allowed.
repeated From from = 1;
// To includes a list or operations.
message To {
// Operation specifies the operation of a request.
Operation operation = 1;
}
// Optional. to specifies the operation of a request.
//
// If not set, any operation is allowed.
repeated To to = 2;
// Optional. when specifies a list of additional conditions of a request.
//
// If not set, any condition is allowed.
repeated Condition when = 3;
}
// Source specifies the source identities of a request.
message Source {
// Optional. A list of source peer identities (i.e. service account), which
// matches to the "source.principal" attribute.
//
// If not set, any principal is allowed.
repeated string principals = 1;
// Optional. A list of request identities (i.e. "iss/sub" claims), which
// matches to the "request.auth.principal" attribute.
//
// If not set, any request principal is allowed.
repeated string request_principals = 2;
// Optional. A list of namespaces, which matches to the "source.namespace"
// attribute.
//
// If not set, any namespace is allowed.
repeated string namespaces = 3;
// Optional. A list of IP blocks, which matches to the "source.ip" attribute.
// Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
//
// If not set, any IP is allowed.
repeated string ip_blocks = 4;
}
// Operation specifies the operations of a request.
message Operation {
// Optional. A list of hosts, which matches to the "request.host" attribute.
//
// If not set, any host is allowed. Must be used only with HTTP.
repeated string hosts = 1;
// Optional. A list of ports, which matches to the "destination.port" attribute.
//
// If not set, any port is allowed.
repeated string ports = 2;
// Optional. A list of methods, which matches to the "request.method" attribute.
// For gRPC service, this should be the fully-qualified name in the form of
// "/package.service/method"
//
// If not set, any method is allowed. Must be used only with HTTP or gRPC.
repeated string methods = 3;
// Optional. A list of paths, which matches to the "request.url_path" attribute.
//
// If not set, any path is allowed. Must be used only with HTTP.
repeated string paths = 4;
}
// Condition specifies additional required attributes.
message Condition {
// The name of an Istio attribute.
// See the [full list of supported attributes](https://istio.io/docs/reference/config/).
string key = 1 [(google.api.field_behavior) = REQUIRED];
// The allowed values for the attribute.
repeated string values = 2 [(google.api.field_behavior) = REQUIRED];
}


@@ -0,0 +1,125 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/authorization.proto
// Istio Authorization Policy enables access control on workloads in the mesh.
//
// For example, the following authorization policy applies to workloads matched with
// label selector "app: httpbin, version: v1".
//
// It allows requests from:
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
// to access the workload with:
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
// when the request has a valid JWT token issued by "https://accounts.google.com".
//
// Any other requests will be rejected.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// version: v1
// rules:
// - from:
// - source:
// principals: ["cluster.local/ns/default/sa/sleep"]
// - source:
// namespaces: ["test"]
// to:
// - operation:
// methods: ["GET"]
// paths: ["/info*"]
// - operation:
// methods: ["POST"]
// paths: ["/data"]
// when:
// - key: request.auth.claims[iss]
// values: ["https://accounts.google.com"]
// ```
//
// Access control is enabled on a workload if there is any authorization policies selecting
// the workload. When access control is enabled, the default behavior is deny (deny-by-default)
// which means requests to the workload will be rejected if the request is not allowed by any of
// the authorization policies selecting the workload.
//
// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
// if multiple authorization policies apply to the same workload, the effect is additive.
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to workloads containing label
// "app: httpbin" in namespace bar.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: bar
// spec:
// selector:
// matchLabels:
// app: httpbin
// ```
//
// The following authorization policy applies to all workloads in namespace foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: foo
// spec:
// ```
//
// The following authorization policy applies to workloads containing label
// "version: v1" in all namespaces in the mesh. (Assuming the root namespace is
// configured to "istio-config").
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: istio-config
// spec:
// selector:
// matchLabels:
// version: v1
// ```
package v1beta1
import (
fmt "fmt"
proto "github.com/gogo/protobuf/proto"
_ "istio.io/api/type/v1beta1"
_ "istio.io/gogo-genproto/googleapis/google/api"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// DeepCopyInto supports using AuthorizationPolicy within kubernetes types, where deepcopy-gen is used.
func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy) {
p := proto.Clone(in).(*AuthorizationPolicy)
*out = *p
}


@@ -0,0 +1,203 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/authorization.proto
// Istio Authorization Policy enables access control on workloads in the mesh.
//
// For example, the following authorization policy applies to workloads matched with
// label selector "app: httpbin, version: v1".
//
// It allows requests from:
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
// to access the workload with:
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
// when the request has a valid JWT token issued by "https://accounts.google.com".
//
// Any other requests will be rejected.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// version: v1
// rules:
// - from:
// - source:
// principals: ["cluster.local/ns/default/sa/sleep"]
// - source:
// namespaces: ["test"]
// to:
// - operation:
// methods: ["GET"]
// paths: ["/info*"]
// - operation:
// methods: ["POST"]
// paths: ["/data"]
// when:
// - key: request.auth.claims[iss]
// values: ["https://accounts.google.com"]
// ```
//
// Access control is enabled on a workload if there is any authorization policies selecting
// the workload. When access control is enabled, the default behavior is deny (deny-by-default)
// which means requests to the workload will be rejected if the request is not allowed by any of
// the authorization policies selecting the workload.
//
// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
// if multiple authorization policies apply to the same workload, the effect is additive.
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to workloads containing label
// "app: httpbin" in namespace bar.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: bar
// spec:
// selector:
// matchLabels:
// app: httpbin
// ```
//
// The following authorization policy applies to all workloads in namespace foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: foo
// spec:
// ```
//
// The following authorization policy applies to workloads containing label
// "version: v1" in all namespaces in the mesh. (Assuming the root namespace is
// configured to "istio-config").
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: istio-config
// spec:
// selector:
// matchLabels:
// version: v1
// ```
package v1beta1
import (
bytes "bytes"
fmt "fmt"
github_com_gogo_protobuf_jsonpb "github.com/gogo/protobuf/jsonpb"
proto "github.com/gogo/protobuf/proto"
_ "istio.io/api/type/v1beta1"
_ "istio.io/gogo-genproto/googleapis/google/api"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// MarshalJSON is a custom marshaler for AuthorizationPolicy
func (this *AuthorizationPolicy) MarshalJSON() ([]byte, error) {
str, err := AuthorizationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for AuthorizationPolicy
func (this *AuthorizationPolicy) UnmarshalJSON(b []byte) error {
return AuthorizationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for Rule
func (this *Rule) MarshalJSON() ([]byte, error) {
str, err := AuthorizationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for Rule
func (this *Rule) UnmarshalJSON(b []byte) error {
return AuthorizationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for Rule_From
func (this *Rule_From) MarshalJSON() ([]byte, error) {
str, err := AuthorizationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for Rule_From
func (this *Rule_From) UnmarshalJSON(b []byte) error {
return AuthorizationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for Rule_To
func (this *Rule_To) MarshalJSON() ([]byte, error) {
str, err := AuthorizationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for Rule_To
func (this *Rule_To) UnmarshalJSON(b []byte) error {
return AuthorizationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for Source
func (this *Source) MarshalJSON() ([]byte, error) {
str, err := AuthorizationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for Source
func (this *Source) UnmarshalJSON(b []byte) error {
return AuthorizationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for Operation
func (this *Operation) MarshalJSON() ([]byte, error) {
str, err := AuthorizationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for Operation
func (this *Operation) UnmarshalJSON(b []byte) error {
return AuthorizationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for Condition
func (this *Condition) MarshalJSON() ([]byte, error) {
str, err := AuthorizationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for Condition
func (this *Condition) UnmarshalJSON(b []byte) error {
return AuthorizationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
var (
AuthorizationMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{}
AuthorizationUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{}
)


@@ -0,0 +1,513 @@
---
title: Authorization Policy
description: Configuration for access control on workloads.
location: https://istio.io/docs/reference/config/security/authorization-policy.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 20
aliases: [/docs/reference/config/authorization/authorization-policy.html]
number_of_entries: 8
---
<p>Istio Authorization Policy enables access control on workloads in the mesh.</p>
<p>For example, the following authorization policy applies to workloads matched with
label selector &ldquo;app: httpbin, version: v1&rdquo;.</p>
<p>It allows requests from:
- service account &ldquo;cluster.local/ns/default/sa/sleep&rdquo; or
- namespace &ldquo;test&rdquo;
to access the workload with:
- &ldquo;GET&rdquo; method at paths of prefix &ldquo;/info&rdquo; or,
- &ldquo;POST&rdquo; method at path &ldquo;/data&rdquo;.
when the request has a valid JWT token issued by &ldquo;https://accounts.google.com&rdquo;.</p>
<p>Any other requests will be rejected.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
rules:
- from:
- source:
principals: [&quot;cluster.local/ns/default/sa/sleep&quot;]
- source:
namespaces: [&quot;test&quot;]
to:
- operation:
methods: [&quot;GET&quot;]
paths: [&quot;/info*&quot;]
- operation:
methods: [&quot;POST&quot;]
paths: [&quot;/data&quot;]
when:
- key: request.auth.claims[iss]
values: [&quot;https://accounts.google.com&quot;]
</code></pre>
<p>Access control is enabled on a workload if there is any authorization policies selecting
the workload. When access control is enabled, the default behavior is deny (deny-by-default)
which means requests to the workload will be rejected if the request is not allowed by any of
the authorization policies selecting the workload.</p>
<p>Currently AuthorizationPolicy only supports &ldquo;ALLOW&rdquo; action. This means that
if multiple authorization policies apply to the same workload, the effect is additive.</p>
<p>Authorization Policy scope (target) is determined by &ldquo;metadata/namespace&rdquo; and
an optional &ldquo;selector&rdquo;.
- &ldquo;metadata/namespace&rdquo; tells which namespace the policy applies. If set to root
namespace, the policy applies to all namespaces in a mesh.
- workload &ldquo;selector&rdquo; can be used to further restrict where a policy applies.</p>
<p>For example,</p>
<p>The following authorization policy applies to workloads containing label
&ldquo;app: httpbin&rdquo; in namespace bar.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy
namespace: bar
spec:
selector:
matchLabels:
app: httpbin
</code></pre>
<p>The following authorization policy applies to all workloads in namespace foo.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy
namespace: foo
spec:
</code></pre>
<p>The following authorization policy applies to workloads containing label
&ldquo;version: v1&rdquo; in all namespaces in the mesh. (Assuming the root namespace is
configured to &ldquo;istio-config&rdquo;).</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy
namespace: istio-config
spec:
selector:
matchLabels:
version: v1
</code></pre>
<h2 id="AuthorizationPolicy">AuthorizationPolicy</h2>
<section>
<p>AuthorizationPolicy enables access control on workloads.</p>
<p>For example, the following authorization policy denies all requests to workloads
in namespace foo.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: foo
spec:
</code></pre>
<p>The following authorization policy allows all requests to workloads in namespace
foo.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-all
namespace: foo
spec:
rules:
- &lbrace;}
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AuthorizationPolicy-selector">
<td><code>selector</code></td>
<td><code><a href="https://istio.io/docs/reference/config/type/v1beta1/workload-selector.html#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>Optional. Workload selector decides where to apply the authorization policy.
If not set, the authorization policy will be applied to all workloads in the
same namespace as the authorization policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-rules">
<td><code>rules</code></td>
<td><code><a href="#Rule">Rule[]</a></code></td>
<td>
<p>Optional. A list of rules to specify the allowed access to the workload.</p>
<p>If not set, access is denied unless explicitly allowed by other authorization policy.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Condition">Condition</h2>
<section>
<p>Condition specifies additional required attributes.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Condition-key">
<td><code>key</code></td>
<td><code>string</code></td>
<td>
<p>The name of an Istio attribute.
See the <a href="https://istio.io/docs/reference/config/">full list of supported attributes</a>.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Condition-values">
<td><code>values</code></td>
<td><code>string[]</code></td>
<td>
<p>The allowed values for the attribute.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Operation-hosts">
<td><code>hosts</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of hosts, which matches to the &ldquo;request.host&rdquo; attribute.</p>
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-ports">
<td><code>ports</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of ports, which matches to the &ldquo;destination.port&rdquo; attribute.</p>
<p>If not set, any port is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-methods">
<td><code>methods</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of methods, which matches to the &ldquo;request.method&rdquo; attribute.
For gRPC service, this should be the fully-qualified name in the form of
&ldquo;/package.service/method&rdquo;</p>
<p>If not set, any method is allowed. Must be used only with HTTP or gRPC.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-paths">
<td><code>paths</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of paths, which matches to the &ldquo;request.url_path&rdquo; attribute.</p>
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>Rule allows access from a list of sources to perform a list of operations when
the condition is matched.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.
- Prefix match: &ldquo;abc<em>&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.
- Suffix match: &ldquo;</em>abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.
- Presence match: &ldquo;*&rdquo; will match when value is not empty.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-from">
<td><code>from</code></td>
<td><code><a href="#Rule-From">From[]</a></code></td>
<td>
<p>Optional. from specifies the source of a request.</p>
<p>If not set, any source is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-to">
<td><code>to</code></td>
<td><code><a href="#Rule-To">To[]</a></code></td>
<td>
<p>Optional. to specifies the operation of a request.</p>
<p>If not set, any operation is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-when">
<td><code>when</code></td>
<td><code><a href="#Condition">Condition[]</a></code></td>
<td>
<p>Optional. when specifies a list of additional conditions of a request.</p>
<p>If not set, any condition is allowed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-From">Rule.From</h2>
<section>
<p>From includes a list or sources.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-From-source">
<td><code>source</code></td>
<td><code><a href="#Source">Source</a></code></td>
<td>
<p>Source specifies the source of a request.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-To">Rule.To</h2>
<section>
<p>To includes a list or operations.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-To-operation">
<td><code>operation</code></td>
<td><code><a href="#Operation">Operation</a></code></td>
<td>
<p>Operation specifies the operation of a request.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Source">Source</h2>
<section>
<p>Source specifies the source identities of a request.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Source-principals">
<td><code>principals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of source peer identities (i.e. service account), which
matches to the &ldquo;source.principal&rdquo; attribute.</p>
<p>If not set, any principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-request_principals">
<td><code>requestPrincipals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of request identities (i.e. &ldquo;iss/sub&rdquo; claims), which
matches to the &ldquo;request.auth.principal&rdquo; attribute.</p>
<p>If not set, any request principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-namespaces">
<td><code>namespaces</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of namespaces, which matches to the &ldquo;source.namespace&rdquo;
attribute.</p>
<p>If not set, any namespace is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-ip_blocks">
<td><code>ipBlocks</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of IP blocks, which matches to the &ldquo;source.ip&rdquo; attribute.
Single IP (e.g. &ldquo;1.2.3.4&rdquo;) and CIDR (e.g. &ldquo;1.2.3.0/24&rdquo;) are supported.</p>
<p>If not set, any IP is allowed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="istio-type-v1beta1-WorkloadSelector">istio.type.v1beta1.WorkloadSelector</h2>
<section>
<p>WorkloadSelector specifies the criteria used to determine if a policy can be applied
to a proxy. The matching criteria includes the metadata associated with a proxy,
workload instance info such as labels attached to the pod/VM, or any other info
that the proxy provides to Istio during the initial handshake. If multiple conditions are
specified, all conditions need to match in order for the workload instance to be
selected. Currently, only label based selection mechanism is supported.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="istio-type-v1beta1-WorkloadSelector-match_labels">
<td><code>matchLabels</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which a policy should be applied. The scope of label search is restricted to
the configuration namespace in which the resource is present.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>