hongming
72
vendor/istio.io/api/rbac/v1alpha1/rbac.proto
generated
vendored
72
vendor/istio.io/api/rbac/v1alpha1/rbac.proto
generated
vendored
@@ -16,11 +16,9 @@ syntax = "proto3";
|
||||
|
||||
import "google/api/field_behavior.proto";
|
||||
|
||||
// $title: RBAC (deprecated)
|
||||
// $description: Configuration for Role Based Access Control.
|
||||
// $location: https://istio.io/docs/reference/config/security/istio.rbac.v1alpha1.html
|
||||
// $weight: 40
|
||||
// $aliases: [/docs/reference/config/authorization/istio.rbac.v1alpha1.html]
|
||||
// $schema: istio.rbac.v1alpha1.RbacConfig
|
||||
// $schema: istio.rbac.v1alpha1.ServiceRole
|
||||
// $schema: istio.rbac.v1alpha1.ServiceRoleBinding
|
||||
|
||||
// Note: The v1alpha1 RBAC policy is deprecated by the v1beta1 Authorization policy.
|
||||
// This page is kept for migration purpose and will be removed in Istio 1.6.
|
||||
@@ -32,7 +30,7 @@ import "google/api/field_behavior.proto";
|
||||
// the following standard fields:
|
||||
//
|
||||
// * services: a list of services.
|
||||
// * methods: A list of HTTP methods. You can set the value to `\*` to include all HTTP methods.
|
||||
// * methods: A list of HTTP methods. You can set the value to `["*"]` to include all HTTP methods.
|
||||
// This field should not be set for TCP services. The policy will be ignored.
|
||||
// For gRPC services, only `POST` is allowed; other methods will result in denying services.
|
||||
// * paths: HTTP paths or gRPC methods. Note that gRPC methods should be
|
||||
@@ -93,8 +91,21 @@ package istio.rbac.v1alpha1;
|
||||
|
||||
option go_package="istio.io/api/rbac/v1alpha1";
|
||||
|
||||
// $hide_from_docs
|
||||
// ServiceRole specification contains a list of access rules (permissions).
|
||||
//
|
||||
// <!-- crd generation tags
|
||||
// +cue-gen:ServiceRole:groupName:rbac.istio.io
|
||||
// +cue-gen:ServiceRole:version:v1alpha1
|
||||
// +cue-gen:ServiceRole:storageVersion
|
||||
// +cue-gen:ServiceRole:annotations:helm.sh/resource-policy=keep
|
||||
// +cue-gen:ServiceRole:labels:app=mixer,chart=istio,heritage=Tiller,release=istio,package=istio.io.mixer,istio=rbac
|
||||
// +cue-gen:ServiceRole:subresource:status
|
||||
// +cue-gen:ServiceRole:scope:Namespaced
|
||||
// +cue-gen:ServiceRole:resource:categories=istio-io,rbac-istio-io
|
||||
// +cue-gen:ServiceRole:preserveUnknownFields:false
|
||||
// -->
|
||||
//
|
||||
// <!-- go code generation tags
|
||||
// +kubetype-gen
|
||||
// +kubetype-gen:groupVersion=rbac.istio.io/v1alpha1
|
||||
@@ -106,6 +117,7 @@ message ServiceRole {
|
||||
repeated AccessRule rules = 1 [(google.api.field_behavior) = REQUIRED];
|
||||
}
|
||||
|
||||
// $hide_from_docs
|
||||
// AccessRule defines a permission to access a list of services.
|
||||
message AccessRule {
|
||||
// A list of service names.
|
||||
@@ -165,6 +177,7 @@ message AccessRule {
|
||||
// Note: It's an error to set ports and not_ports at the same time.
|
||||
repeated int32 not_ports = 10;
|
||||
|
||||
// $hide_from_docs
|
||||
// Definition of a custom constraint. The supported keys are listed in the "constraint and properties" page.
|
||||
message Constraint {
|
||||
// Key of the constraint.
|
||||
@@ -199,8 +212,26 @@ enum EnforcementMode {
|
||||
PERMISSIVE = 1;
|
||||
}
|
||||
|
||||
// $hide_from_docs
|
||||
// ServiceRoleBinding assigns a ServiceRole to a list of subjects.
|
||||
//
|
||||
// <!-- crd generation tags
|
||||
// +cue-gen:ServiceRoleBinding:groupName:rbac.istio.io
|
||||
// +cue-gen:ServiceRoleBinding:version:v1alpha1
|
||||
// +cue-gen:ServiceRoleBinding:storageVersion
|
||||
// +cue-gen:ServiceRoleBinding:annotations:helm.sh/resource-policy=keep
|
||||
// +cue-gen:ServiceRoleBinding:labels:app=mixer,chart=istio,heritage=Tiller,release=istio,package=istio.io.mixer,istio=rbac
|
||||
// +cue-gen:ServiceRoleBinding:subresource:status
|
||||
// +cue-gen:ServiceRoleBinding:scope:Namespaced
|
||||
// +cue-gen:ServiceRoleBinding:resource:categories=istio-io,rbac-istio-io
|
||||
// +cue-gen:ServiceRoleBinding:printerColumn:name=Reference,type=string,JSONPath=.spec.roleRef.name,description="The name of the ServiceRole object being referenced"
|
||||
// +cue-gen:ServiceRoleBinding:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
|
||||
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
|
||||
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
||||
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
|
||||
// +cue-gen:ServiceRoleBinding:preserveUnknownFields:false
|
||||
// -->
|
||||
//
|
||||
// <!-- go code generation tags
|
||||
// +kubetype-gen
|
||||
// +kubetype-gen:groupVersion=rbac.istio.io/v1alpha1
|
||||
@@ -259,6 +290,7 @@ message ServiceRoleBinding {
|
||||
string role = 5;
|
||||
}
|
||||
|
||||
// $hide_from_docs
|
||||
// Subject defines an identity. The identity is either a user or identified by a set of `properties`.
|
||||
// The supported keys in `properties` are listed in "constraint and properties" page.
|
||||
message Subject {
|
||||
@@ -314,6 +346,7 @@ message Subject {
|
||||
// Next available field number: 12
|
||||
}
|
||||
|
||||
// $hide_from_docs
|
||||
// RoleRef refers to a role object.
|
||||
message RoleRef {
|
||||
// The type of the role being referenced.
|
||||
@@ -325,6 +358,7 @@ message RoleRef {
|
||||
string name = 2 [(google.api.field_behavior) = REQUIRED];
|
||||
}
|
||||
|
||||
// $hide_from_docs
|
||||
// RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior.
|
||||
// The ClusterRbacConfig Custom Resource is a singleton where only one ClusterRbacConfig should be created
|
||||
// globally in the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`.
|
||||
@@ -344,6 +378,30 @@ message RoleRef {
|
||||
// namespaces: [ "default" ]
|
||||
// ```
|
||||
//
|
||||
// <!-- crd generation tags
|
||||
// +cue-gen:RbacConfig:groupName:rbac.istio.io
|
||||
// +cue-gen:RbacConfig:version:v1alpha1
|
||||
// +cue-gen:RbacConfig:storageVersion
|
||||
// +cue-gen:RbacConfig:annotations:helm.sh/resource-policy=keep
|
||||
// +cue-gen:RbacConfig:labels:app=mixer,chart=istio,istio=rbac,heritage=Tiller,release=istio,package=istio.io.mixer
|
||||
// +cue-gen:RbacConfig:subresource:status
|
||||
// +cue-gen:RbacConfig:scope:Namespaced
|
||||
// +cue-gen:RbacConfig:resource:categories=istio-io,rbac-istio-io
|
||||
// +cue-gen:RbacConfig:preserveUnknownFields:false
|
||||
// -->
|
||||
//
|
||||
// <!-- crd generation tags
|
||||
// +cue-gen:ClusterRbacConfig:groupName:rbac.istio.io
|
||||
// +cue-gen:ClusterRbacConfig:version:v1alpha1
|
||||
// +cue-gen:ClusterRbacConfig:storageVersion
|
||||
// +cue-gen:ClusterRbacConfig:annotations:helm.sh/resource-policy=keep
|
||||
// +cue-gen:ClusterRbacConfig:labels:app=istio-pilot,chart=istio,istio=rbac,heritage=Tiller,release=istio
|
||||
// +cue-gen:ClusterRbacConfig:subresource:status
|
||||
// +cue-gen:ClusterRbacConfig:scope:Cluster
|
||||
// +cue-gen:ClusterRbacConfig:resource:categories=istio-io,rbac-istio-io
|
||||
// +cue-gen:ClusterRbacConfig:preserveUnknownFields:false
|
||||
// -->
|
||||
//
|
||||
// <!-- go code generation tags
|
||||
// +kubetype-gen
|
||||
// +kubetype-gen:groupVersion=rbac.istio.io/v1alpha1
|
||||
@@ -354,6 +412,7 @@ message RoleRef {
|
||||
// +k8s:deepcopy-gen=true
|
||||
// -->
|
||||
message RbacConfig {
|
||||
// $hide_from_docs
|
||||
enum Mode {
|
||||
// Disable Istio RBAC completely, Istio RBAC policies will not be enforced.
|
||||
OFF = 0;
|
||||
@@ -371,6 +430,7 @@ message RbacConfig {
|
||||
// Istio RBAC mode.
|
||||
Mode mode = 1;
|
||||
|
||||
// $hide_from_docs
|
||||
// Target defines a list of services or namespaces.
|
||||
message Target {
|
||||
// A list of services.
|
||||
|
||||
Reference in New Issue
Block a user