update dependencies

Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-12-22 16:48:26 +08:00
parent 4a11a50544
commit fe6c5de00f
2857 changed files with 252134 additions and 115656 deletions


@@ -14,16 +14,19 @@
"$ref": "#/components/schemas/istio.type.v1beta1.WorkloadSelector"
},
"rules": {
"description": "Optional. A list of rules to specify the allowed access to the workload.",
"description": "Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.",
"type": "array",
"items": {
"$ref": "#/components/schemas/istio.security.v1beta1.Rule"
}
},
"action": {
"$ref": "#/components/schemas/istio.security.v1beta1.AuthorizationPolicy.Action"
}
}
},
"istio.security.v1beta1.Rule": {
"description": "Rule allows access from a list of sources to perform a list of operations when the condition is matched.",
"description": "Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.",
"type": "object",
"properties": {
"from": {
@@ -49,6 +52,14 @@
}
}
},
"istio.security.v1beta1.AuthorizationPolicy.Action": {
"description": "Action specifies the operation to take.",
"type": "string",
"enum": [
"ALLOW",
"DENY"
]
},
"istio.security.v1beta1.Rule.From": {
"description": "From includes a list or sources.",
"type": "object",
@@ -72,12 +83,20 @@
"type": "object",
"properties": {
"key": {
"description": "The name of an Istio attribute. See the [full list of supported attributes](https://istio.io/docs/reference/config/).",
"description": "The name of an Istio attribute. See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/).",
"type": "string",
"format": "string"
},
"values": {
"description": "The allowed values for the attribute.",
"description": "Optional. A list of allowed values for the attribute. Note: at least one of values or not_values must be set.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notValues": {
"description": "Optional. A list of negative match of values for the attribute. Note: at least one of values or not_values must be set.",
"type": "array",
"items": {
"type": "string",
@@ -87,11 +106,19 @@
}
},
"istio.security.v1beta1.Source": {
"description": "Source specifies the source identities of a request.",
"description": "Source specifies the source identities of a request. Fields in the source are ANDed together.",
"type": "object",
"properties": {
"principals": {
"description": "Optional. A list of source peer identities (i.e. service account), which matches to the \"source.principal\" attribute.",
"description": "Optional. A list of source peer identities (i.e. service account), which matches to the \"source.principal\" attribute. This field requires mTLS enabled.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notPrincipals": {
"description": "Optional. A list of negative match of source peer identities.",
"type": "array",
"items": {
"type": "string",
@@ -106,8 +133,24 @@
"format": "string"
}
},
"notRequestPrincipals": {
"description": "Optional. A list of negative match of request identities.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"namespaces": {
"description": "Optional. A list of namespaces, which matches to the \"source.namespace\" attribute.",
"description": "Optional. A list of namespaces, which matches to the \"source.namespace\" attribute. This field requires mTLS enabled.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notNamespaces": {
"description": "Optional. A list of negative match of namespaces.",
"type": "array",
"items": {
"type": "string",
@@ -121,11 +164,19 @@
"type": "string",
"format": "string"
}
},
"notIpBlocks": {
"description": "Optional. A list of negative match of IP blocks.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
}
}
},
"istio.security.v1beta1.Operation": {
"description": "Operation specifies the operations of a request.",
"description": "Operation specifies the operations of a request. Fields in the operation are ANDed together.",
"type": "object",
"properties": {
"hosts": {
@@ -136,6 +187,14 @@
"format": "string"
}
},
"notHosts": {
"description": "Optional. A list of negative match of hosts.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"ports": {
"description": "Optional. A list of ports, which matches to the \"destination.port\" attribute.",
"type": "array",
@@ -144,8 +203,24 @@
"format": "string"
}
},
"notPorts": {
"description": "Optional. A list of negative match of ports.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"methods": {
"description": "Optional. A list of methods, which matches to the \"request.method\" attribute. For gRPC service, this should be the fully-qualified name in the form of \"/package.service/method\"",
"description": "Optional. A list of methods, which matches to the \"request.method\" attribute. For gRPC service, this will always be \"POST\".",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notMethods": {
"description": "Optional. A list of negative match of methods.",
"type": "array",
"items": {
"type": "string",
@@ -153,7 +228,15 @@
}
},
"paths": {
"description": "Optional. A list of paths, which matches to the \"request.url_path\" attribute.",
"description": "Optional. A list of paths, which matches to the \"request.url_path\" attribute. For gRPC service, this will be the fully-qualified name in the form of \"/package.service/method\".",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notPaths": {
"description": "Optional. A list of negative match of paths.",
"type": "array",
"items": {
"type": "string",
@@ -163,7 +246,7 @@
}
},
"istio.type.v1beta1.WorkloadSelector": {
"description": "Optional. Workload selector decides where to apply the authorization policy. If not set, the authorization policy will be applied to all workloads in the same namespace as the authorization policy.",
"description": "The selector determines the workloads to apply the RequestAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.",
"type": "object",
"properties": {
"matchLabels": {



@@ -4,24 +4,45 @@ description: Configuration for access control on workloads.
location: https://istio.io/docs/reference/config/security/authorization-policy.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.security.v1beta1.AuthorizationPolicy
weight: 20
aliases: [/docs/reference/config/authorization/authorization-policy.html]
aliases: [/docs/reference/config/authorization/authorization-policy]
number_of_entries: 8
---
<p>Istio Authorization Policy enables access control on workloads in the mesh.</p>
<p>For example, the following authorization policy applies to workloads matched with
label selector &ldquo;app: httpbin, version: v1&rdquo;.</p>
<p>Authorization policy supports both allow and deny policies. When allow and
deny policies are used for a workload at the same time, the deny policies are
evaluated first. The evaluation is determined by the following rules:</p>
<p>It allows requests from:
- service account &ldquo;cluster.local/ns/default/sa/sleep&rdquo; or
- namespace &ldquo;test&rdquo;
to access the workload with:
- &ldquo;GET&rdquo; method at paths of prefix &ldquo;/info&rdquo; or,
- &ldquo;POST&rdquo; method at path &ldquo;/data&rdquo;.
when the request has a valid JWT token issued by &ldquo;https://accounts.google.com&rdquo;.</p>
<ol>
<li>If there are any DENY policies that match the request, deny the request.</li>
<li>If there are no ALLOW policies for the workload, allow the request.</li>
<li>If any of the ALLOW policies match the request, allow the request.</li>
<li>Deny the request.</li>
</ol>
<p>Any other requests will be rejected.</p>
<p>For example, the following authorization policy sets the <code>action</code> to &ldquo;ALLOW&rdquo;
to create an allow policy. The default action is &ldquo;ALLOW&rdquo; but it is useful
to be explicit in the policy.</p>
<p>It allows requests from:</p>
<ul>
<li>service account &ldquo;cluster.local/ns/default/sa/sleep&rdquo; or</li>
<li>namespace &ldquo;test&rdquo;</li>
</ul>
<p>to access the workload with:</p>
<ul>
<li>&ldquo;GET&rdquo; method at paths of prefix &ldquo;/info&rdquo; or,</li>
<li>&ldquo;POST&rdquo; method at path &ldquo;/data&rdquo;.</li>
</ul>
<p>when the request has a valid JWT token issued by &ldquo;https://accounts.google.com&rdquo;.</p>
<p>Any other requests will be denied.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
@@ -29,10 +50,7 @@ metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
action: ALLOW
rules:
- from:
- source:
@@ -51,19 +69,34 @@ spec:
values: [&quot;https://accounts.google.com&quot;]
</code></pre>
<p>Access control is enabled on a workload if there is any authorization policies selecting
the workload. When access control is enabled, the default behavior is deny (deny-by-default)
which means requests to the workload will be rejected if the request is not allowed by any of
the authorization policies selecting the workload.</p>
<p>The following is another example that sets <code>action</code> to &ldquo;DENY&rdquo; to create a deny policy.
It denies requests from the &ldquo;dev&rdquo; namespace to the &ldquo;POST&rdquo; method on all workloads
in the &ldquo;foo&rdquo; namespace.</p>
<p>Currently AuthorizationPolicy only supports &ldquo;ALLOW&rdquo; action. This means that
if multiple authorization policies apply to the same workload, the effect is additive.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
action: DENY
rules:
- from:
- source:
namespaces: [&quot;dev&quot;]
to:
- operation:
methods: [&quot;POST&quot;]
</code></pre>
<p>Authorization Policy scope (target) is determined by &ldquo;metadata/namespace&rdquo; and
an optional &ldquo;selector&rdquo;.
- &ldquo;metadata/namespace&rdquo; tells which namespace the policy applies. If set to root
namespace, the policy applies to all namespaces in a mesh.
- workload &ldquo;selector&rdquo; can be used to further restrict where a policy applies.</p>
an optional &ldquo;selector&rdquo;.</p>
<ul>
<li>&ldquo;metadata/namespace&rdquo; tells which namespace the policy applies. If set to root
namespace, the policy applies to all namespaces in a mesh.</li>
<li>workload &ldquo;selector&rdquo; can be used to further restrict where a policy applies.</li>
</ul>
<p>For example,</p>
@@ -89,6 +122,7 @@ metadata:
name: policy
namespace: foo
spec:
{}
</code></pre>
<p>The following authorization policy applies to workloads containing label
@@ -119,6 +153,7 @@ metadata:
name: deny-all
namespace: foo
spec:
{}
</code></pre>
<p>The following authorization policy allows all requests to workloads in namespace
@@ -131,7 +166,7 @@ metadata:
namespace: foo
spec:
rules:
- &lbrace;}
- {}
</code></pre>
<table class="message-fields">
@@ -146,7 +181,7 @@ spec:
<tbody>
<tr id="AuthorizationPolicy-selector">
<td><code>selector</code></td>
<td><code><a href="https://istio.io/docs/reference/config/type/v1beta1/workload-selector.html#WorkloadSelector">WorkloadSelector</a></code></td>
<td><code><a href="https://istio.io/latest/docs/reference/config/networking/sidecar/#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>Optional. Workload selector decides where to apply the authorization policy.
If not set, the authorization policy will be applied to all workloads in the
@@ -161,120 +196,22 @@ No
<td><code>rules</code></td>
<td><code><a href="#Rule">Rule[]</a></code></td>
<td>
<p>Optional. A list of rules to specify the allowed access to the workload.</p>
<p>Optional. A list of rules to match the request. A match occurs when at least
one rule matches the request.</p>
<p>If not set, access is denied unless explicitly allowed by other authorization policy.</p>
<p>If not set, the match will never occur. This is equivalent to setting a
default of deny for the target workloads.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Condition">Condition</h2>
<section>
<p>Condition specifies additional required attributes.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Condition-key">
<td><code>key</code></td>
<td><code>string</code></td>
<tr id="AuthorizationPolicy-action">
<td><code>action</code></td>
<td><code><a href="#AuthorizationPolicy-Action">Action</a></code></td>
<td>
<p>The name of an Istio attribute.
See the <a href="https://istio.io/docs/reference/config/">full list of supported attributes</a>.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Condition-values">
<td><code>values</code></td>
<td><code>string[]</code></td>
<td>
<p>The allowed values for the attribute.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Operation-hosts">
<td><code>hosts</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of hosts, which matches to the &ldquo;request.host&rdquo; attribute.</p>
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-ports">
<td><code>ports</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of ports, which matches to the &ldquo;destination.port&rdquo; attribute.</p>
<p>If not set, any port is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-methods">
<td><code>methods</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of methods, which matches to the &ldquo;request.method&rdquo; attribute.
For gRPC service, this should be the fully-qualified name in the form of
&ldquo;/package.service/method&rdquo;</p>
<p>If not set, any method is allowed. Must be used only with HTTP or gRPC.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-paths">
<td><code>paths</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of paths, which matches to the &ldquo;request.url_path&rdquo; attribute.</p>
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
<p>Optional. The action to take if the request is matched with the rules.</p>
</td>
<td>
@@ -286,14 +223,18 @@ No
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>Rule allows access from a list of sources to perform a list of operations when
the condition is matched.</p>
<p>Rule matches requests from a list of sources that perform a list of operations subject to a
list of conditions. A match occurs when at least one source, operation and condition
matches the request. An empty rule is always matched.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.
- Prefix match: &ldquo;abc<em>&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.
- Suffix match: &ldquo;</em>abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.
- Presence match: &ldquo;*&rdquo; will match when value is not empty.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:</p>
<ul>
<li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
<li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
<li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li>
<li>Presence match: &ldquo;*&rdquo; will match when value is not empty.</li>
</ul>
<table class="message-fields">
<thead>
@@ -339,6 +280,310 @@ No
<p>If not set, any condition is allowed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Source">Source</h2>
<section>
<p>Source specifies the source identities of a request. Fields in the source are
ANDed together.</p>
<p>For example, the following source matches if the principal is &ldquo;admin&rdquo; or &ldquo;dev&rdquo;
and the namespace is &ldquo;prod&rdquo; or &ldquo;test&rdquo; and the ip is not &ldquo;1.2.3.4&rdquo;.</p>
<pre><code class="language-yaml">principals: [&quot;admin&quot;, &quot;dev&quot;]
namespaces: [&quot;prod&quot;, &quot;test&quot;]
not_ipblocks: [&quot;1.2.3.4&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Source-principals">
<td><code>principals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of source peer identities (i.e. service account), which
matches to the &ldquo;source.principal&rdquo; attribute. This field requires mTLS enabled.</p>
<p>If not set, any principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_principals">
<td><code>notPrincipals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of source peer identities.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-request_principals">
<td><code>requestPrincipals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of request identities (i.e. &ldquo;iss/sub&rdquo; claims), which
matches to the &ldquo;request.auth.principal&rdquo; attribute.</p>
<p>If not set, any request principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_request_principals">
<td><code>notRequestPrincipals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of request identities.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-namespaces">
<td><code>namespaces</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of namespaces, which matches to the &ldquo;source.namespace&rdquo;
attribute. This field requires mTLS enabled.</p>
<p>If not set, any namespace is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_namespaces">
<td><code>notNamespaces</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of namespaces.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-ip_blocks">
<td><code>ipBlocks</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of IP blocks, which matches to the &ldquo;source.ip&rdquo; attribute.
Single IP (e.g. &ldquo;1.2.3.4&rdquo;) and CIDR (e.g. &ldquo;1.2.3.0/24&rdquo;) are supported.</p>
<p>If not set, any IP is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_ip_blocks">
<td><code>notIpBlocks</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of IP blocks.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request. Fields in the operation are
ANDed together.</p>
<p>For example, the following operation matches if the host has suffix &ldquo;.example.com&rdquo;
and the method is &ldquo;GET&rdquo; or &ldquo;HEAD&rdquo; and the path doesn&rsquo;t have prefix &ldquo;/admin&rdquo;.</p>
<pre><code class="language-yaml">hosts: [&quot;*.example.com&quot;]
methods: [&quot;GET&quot;, &quot;HEAD&quot;]
not_paths: [&quot;/admin*&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Operation-hosts">
<td><code>hosts</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of hosts, which matches to the &ldquo;request.host&rdquo; attribute.</p>
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_hosts">
<td><code>notHosts</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of hosts.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-ports">
<td><code>ports</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of ports, which matches to the &ldquo;destination.port&rdquo; attribute.</p>
<p>If not set, any port is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_ports">
<td><code>notPorts</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of ports.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-methods">
<td><code>methods</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of methods, which matches to the &ldquo;request.method&rdquo; attribute.
For gRPC service, this will always be &ldquo;POST&rdquo;.</p>
<p>If not set, any method is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_methods">
<td><code>notMethods</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of methods.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-paths">
<td><code>paths</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of paths, which matches to the &ldquo;request.url_path&rdquo; attribute.
For gRPC service, this will be the fully-qualified name in the form of
&ldquo;/package.service/method&rdquo;.</p>
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_paths">
<td><code>notPaths</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of paths.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Condition">Condition</h2>
<section>
<p>Condition specifies additional required attributes.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Condition-key">
<td><code>key</code></td>
<td><code>string</code></td>
<td>
<p>The name of an Istio attribute.
See the <a href="https://istio.io/docs/reference/config/security/conditions/">full list of supported attributes</a>.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Condition-values">
<td><code>values</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of allowed values for the attribute.
Note: at least one of values or not_values must be set.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Condition-not_values">
<td><code>notValues</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of values for the attribute.
Note: at least one of values or not_values must be set.</p>
</td>
<td>
No
@@ -403,109 +648,30 @@ No
</tbody>
</table>
</section>
<h2 id="Source">Source</h2>
<h2 id="AuthorizationPolicy-Action">AuthorizationPolicy.Action</h2>
<section>
<p>Source specifies the source identities of a request.</p>
<p>Action specifies the operation to take.</p>
<table class="message-fields">
<table class="enum-values">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Name</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Source-principals">
<td><code>principals</code></td>
<td><code>string[]</code></td>
<tr id="AuthorizationPolicy-Action-ALLOW">
<td><code>ALLOW</code></td>
<td>
<p>Optional. A list of source peer identities (i.e. service account), which
matches to the &ldquo;source.principal&rdquo; attribute.</p>
<p>Allow a request only if it matches the rules. This is the default type.</p>
<p>If not set, any principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-request_principals">
<td><code>requestPrincipals</code></td>
<td><code>string[]</code></td>
<tr id="AuthorizationPolicy-Action-DENY">
<td><code>DENY</code></td>
<td>
<p>Optional. A list of request identities (i.e. &ldquo;iss/sub&rdquo; claims), which
matches to the &ldquo;request.auth.principal&rdquo; attribute.</p>
<p>Deny a request if it matches any of the rules.</p>
<p>If not set, any request principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-namespaces">
<td><code>namespaces</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of namespaces, which matches to the &ldquo;source.namespace&rdquo;
attribute.</p>
<p>If not set, any namespace is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-ip_blocks">
<td><code>ipBlocks</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of IP blocks, which matches to the &ldquo;source.ip&rdquo; attribute.
Single IP (e.g. &ldquo;1.2.3.4&rdquo;) and CIDR (e.g. &ldquo;1.2.3.0/24&rdquo;) are supported.</p>
<p>If not set, any IP is allowed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="istio-type-v1beta1-WorkloadSelector">istio.type.v1beta1.WorkloadSelector</h2>
<section>
<p>WorkloadSelector specifies the criteria used to determine if a policy can be applied
to a proxy. The matching criteria includes the metadata associated with a proxy,
workload instance info such as labels attached to the pod/VM, or any other info
that the proxy provides to Istio during the initial handshake. If multiple conditions are
specified, all conditions need to match in order for the workload instance to be
selected. Currently, only label based selection mechanism is supported.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="istio-type-v1beta1-WorkloadSelector-match_labels">
<td><code>matchLabels</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which a policy should be applied. The scope of label search is restricted to
the configuration namespace in which the resource is present.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>


@@ -16,26 +16,41 @@ syntax = "proto3";
import "google/api/field_behavior.proto";
import "type/v1beta1/selector.proto";
// $schema: istio.security.v1beta1.AuthorizationPolicy
// $title: Authorization Policy
// $description: Configuration for access control on workloads.
// $location: https://istio.io/docs/reference/config/security/authorization-policy.html
// $weight: 20
// $aliases: [/docs/reference/config/authorization/authorization-policy.html]
// $aliases: [/docs/reference/config/authorization/authorization-policy]
// Istio Authorization Policy enables access control on workloads in the mesh.
//
// For example, the following authorization policy applies to workloads matched with
// label selector "app: httpbin, version: v1".
// Authorization policy supports both allow and deny policies. When allow and
// deny policies are used for a workload at the same time, the deny policies are
// evaluated first. The evaluation is determined by the following rules:
//
// 1. If there are any DENY policies that match the request, deny the request.
// 2. If there are no ALLOW policies for the workload, allow the request.
// 3. If any of the ALLOW policies match the request, allow the request.
// 4. Deny the request.
//
// For example, the following authorization policy sets the `action` to "ALLOW"
// to create an allow policy. The default action is "ALLOW" but it is useful
// to be explicit in the policy.
//
// It allows requests from:
//
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
//
// to access the workload with:
//
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
//
// when the request has a valid JWT token issued by "https://accounts.google.com".
//
// Any other requests will be rejected.
// Any other requests will be denied.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@@ -44,10 +59,7 @@ import "type/v1beta1/selector.proto";
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// version: v1
// action: ALLOW
// rules:
// - from:
// - source:
@@ -66,16 +78,30 @@ import "type/v1beta1/selector.proto";
// values: ["https://accounts.google.com"]
// ```
//
// Access control is enabled on a workload if there is any authorization policies selecting
// the workload. When access control is enabled, the default behavior is deny (deny-by-default)
// which means requests to the workload will be rejected if the request is not allowed by any of
// the authorization policies selecting the workload.
// The following is another example that sets `action` to "DENY" to create a deny policy.
// It denies requests from the "dev" namespace to the "POST" method on all workloads
// in the "foo" namespace.
//
// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
// if multiple authorization policies apply to the same workload, the effect is additive.
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// action: DENY
// rules:
// - from:
// - source:
// namespaces: ["dev"]
// to:
// - operation:
// methods: ["POST"]
// ```
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
//
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
@@ -106,6 +132,7 @@ import "type/v1beta1/selector.proto";
// name: policy
// namespace: foo
// spec:
// {}
// ```
//
// The following authorization policy applies to workloads containing label
@@ -139,6 +166,7 @@ option go_package="istio.io/api/security/v1beta1";
// name: deny-all
// namespace: foo
// spec:
// {}
// ```
//
// The following authorization policy allows all requests to workloads in namespace
@@ -155,6 +183,18 @@ option go_package="istio.io/api/security/v1beta1";
// - {}
// ```
//
// <!-- crd generation tags
// +cue-gen:AuthorizationPolicy:groupName:security.istio.io
// +cue-gen:AuthorizationPolicy:version:v1beta1
// +cue-gen:AuthorizationPolicy:storageVersion
// +cue-gen:AuthorizationPolicy:annotations:helm.sh/resource-policy=keep
// +cue-gen:AuthorizationPolicy:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:AuthorizationPolicy:subresource:status
// +cue-gen:AuthorizationPolicy:scope:Namespaced
// +cue-gen:AuthorizationPolicy:resource:categories=istio-io,security-istio-io,plural=authorizationpolicies
// +cue-gen:AuthorizationPolicy:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
@@ -167,16 +207,32 @@ message AuthorizationPolicy {
// same namespace as the authorization policy.
istio.type.v1beta1.WorkloadSelector selector = 1;
// Optional. A list of rules to specify the allowed access to the workload.
// Optional. A list of rules to match the request. A match occurs when at least
// one rule matches the request.
//
// If not set, access is denied unless explicitly allowed by other authorization policy.
// If not set, the match will never occur. This is equivalent to setting a
// default of deny for the target workloads.
repeated Rule rules = 2;
// Action specifies the operation to take.
enum Action {
// Allow a request only if it matches the rules. This is the default type.
ALLOW = 0;
// Deny a request if it matches any of the rules.
DENY = 1;
}
// Optional. The action to take if the request is matched with the rules.
Action action = 3;
}
// Rule allows access from a list of sources to perform a list of operations when
// the condition is matched.
// Rule matches requests from a list of sources that perform a list of operations subject to a
// list of conditions. A match occurs when at least one source, operation and condition
// matches the request. An empty rule is always matched.
//
// Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
//
// - Exact match: "abc" will match on value "abc".
// - Prefix match: "abc*" will match on value "abc" and "abcd".
// - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -210,64 +266,114 @@ message Rule {
repeated Condition when = 3;
}
// Source specifies the source identities of a request.
// Source specifies the source identities of a request. Fields in the source are
// ANDed together.
//
// For example, the following source matches if the principal is "admin" or "dev"
// and the namespace is "prod" or "test" and the ip is not "1.2.3.4".
//
// ```yaml
// principals: ["admin", "dev"]
// namespaces: ["prod", "test"]
// not_ipblocks: ["1.2.3.4"]
// ```
message Source {
// Optional. A list of source peer identities (i.e. service account), which
// matches to the "source.principal" attribute.
// matches to the "source.principal" attribute. This field requires mTLS enabled.
//
// If not set, any principal is allowed.
repeated string principals = 1;
// Optional. A list of negative match of source peer identities.
repeated string not_principals = 5;
// Optional. A list of request identities (i.e. "iss/sub" claims), which
// matches to the "request.auth.principal" attribute.
//
// If not set, any request principal is allowed.
repeated string request_principals = 2;
// Optional. A list of negative match of request identities.
repeated string not_request_principals = 6;
// Optional. A list of namespaces, which matches to the "source.namespace"
// attribute.
// attribute. This field requires mTLS enabled.
//
// If not set, any namespace is allowed.
repeated string namespaces = 3;
// Optional. A list of negative match of namespaces.
repeated string not_namespaces = 7;
// Optional. A list of IP blocks, which matches to the "source.ip" attribute.
// Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
//
// If not set, any IP is allowed.
repeated string ip_blocks = 4;
// Optional. A list of negative match of IP blocks.
repeated string not_ip_blocks = 8;
}
// Operation specifies the operations of a request.
// Operation specifies the operations of a request. Fields in the operation are
// ANDed together.
//
// For example, the following operation matches if the host has suffix ".example.com"
// and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".
//
// ```yaml
// hosts: ["*.example.com"]
// methods: ["GET", "HEAD"]
// not_paths: ["/admin*"]
// ```
message Operation {
// Optional. A list of hosts, which matches to the "request.host" attribute.
//
// If not set, any host is allowed. Must be used only with HTTP.
repeated string hosts = 1;
// Optional. A list of negative match of hosts.
repeated string not_hosts = 5;
// Optional. A list of ports, which matches to the "destination.port" attribute.
//
// If not set, any port is allowed.
repeated string ports = 2;
// Optional. A list of negative match of ports.
repeated string not_ports = 6;
// Optional. A list of methods, which matches to the "request.method" attribute.
// For gRPC service, this should be the fully-qualified name in the form of
// "/package.service/method"
// For gRPC service, this will always be "POST".
//
// If not set, any method is allowed. Must be used only with HTTP or gRPC.
// If not set, any method is allowed. Must be used only with HTTP.
repeated string methods = 3;
// Optional. A list of negative match of methods.
repeated string not_methods = 7;
// Optional. A list of paths, which matches to the "request.url_path" attribute.
// For gRPC service, this will be the fully-qualified name in the form of
// "/package.service/method".
//
// If not set, any path is allowed. Must be used only with HTTP.
repeated string paths = 4;
// Optional. A list of negative match of paths.
repeated string not_paths = 8;
}
// Condition specifies additional required attributes.
message Condition {
// The name of an Istio attribute.
// See the [full list of supported attributes](https://istio.io/docs/reference/config/).
// See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/).
string key = 1 [(google.api.field_behavior) = REQUIRED];
// The allowed values for the attribute.
repeated string values = 2 [(google.api.field_behavior) = REQUIRED];
// Optional. A list of allowed values for the attribute.
// Note: at least one of values or not_values must be set.
repeated string values = 2;
// Optional. A list of negative match of values for the attribute.
// Note: at least one of values or not_values must be set.
repeated string not_values = 3;
}


@@ -3,18 +3,32 @@
// Istio Authorization Policy enables access control on workloads in the mesh.
//
// For example, the following authorization policy applies to workloads matched with
// label selector "app: httpbin, version: v1".
// Authorization policy supports both allow and deny policies. When allow and
// deny policies are used for a workload at the same time, the deny policies are
// evaluated first. The evaluation is determined by the following rules:
//
// 1. If there are any DENY policies that match the request, deny the request.
// 2. If there are no ALLOW policies for the workload, allow the request.
// 3. If any of the ALLOW policies match the request, allow the request.
// 4. Deny the request.
//
// For example, the following authorization policy sets the `action` to "ALLOW"
// to create an allow policy. The default action is "ALLOW" but it is useful
// to be explicit in the policy.
//
// It allows requests from:
//
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
//
// to access the workload with:
//
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
//
// when the request has a valid JWT token issued by "https://accounts.google.com".
//
// Any other requests will be rejected.
// Any other requests will be denied.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@@ -23,10 +37,7 @@
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// version: v1
// action: ALLOW
// rules:
// - from:
// - source:
@@ -45,16 +56,30 @@
// values: ["https://accounts.google.com"]
// ```
//
// Access control is enabled on a workload if there is any authorization policies selecting
// the workload. When access control is enabled, the default behavior is deny (deny-by-default)
// which means requests to the workload will be rejected if the request is not allowed by any of
// the authorization policies selecting the workload.
// The following is another example that sets `action` to "DENY" to create a deny policy.
// It denies requests from the "dev" namespace to the "POST" method on all workloads
// in the "foo" namespace.
//
// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
// if multiple authorization policies apply to the same workload, the effect is additive.
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// action: DENY
// rules:
// - from:
// - source:
// namespaces: ["dev"]
// to:
// - operation:
// methods: ["POST"]
// ```
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
//
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
@@ -85,6 +110,7 @@
// name: policy
// namespace: foo
// spec:
// {}
// ```
//
// The following authorization policy applies to workloads containing label


@@ -3,18 +3,32 @@
// Istio Authorization Policy enables access control on workloads in the mesh.
//
// For example, the following authorization policy applies to workloads matched with
// label selector "app: httpbin, version: v1".
// Authorization policy supports both allow and deny policies. When allow and
// deny policies are used for a workload at the same time, the deny policies are
// evaluated first. The evaluation is determined by the following rules:
//
// 1. If there are any DENY policies that match the request, deny the request.
// 2. If there are no ALLOW policies for the workload, allow the request.
// 3. If any of the ALLOW policies match the request, allow the request.
// 4. Deny the request.
//
// For example, the following authorization policy sets the `action` to "ALLOW"
// to create an allow policy. The default action is "ALLOW" but it is useful
// to be explicit in the policy.
//
// It allows requests from:
//
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
//
// to access the workload with:
//
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
//
// when the request has a valid JWT token issued by "https://accounts.google.com".
//
// Any other requests will be rejected.
// Any other requests will be denied.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@@ -23,10 +37,7 @@
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// version: v1
// action: ALLOW
// rules:
// - from:
// - source:
@@ -45,16 +56,30 @@
// values: ["https://accounts.google.com"]
// ```
//
// Access control is enabled on a workload if there is any authorization policies selecting
// the workload. When access control is enabled, the default behavior is deny (deny-by-default)
// which means requests to the workload will be rejected if the request is not allowed by any of
// the authorization policies selecting the workload.
// The following is another example that sets `action` to "DENY" to create a deny policy.
// It denies requests from the "dev" namespace to the "POST" method on all workloads
// in the "foo" namespace.
//
// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
// if multiple authorization policies apply to the same workload, the effect is additive.
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// action: DENY
// rules:
// - from:
// - source:
// namespaces: ["dev"]
// to:
// - operation:
// methods: ["POST"]
// ```
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
//
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
@@ -85,6 +110,7 @@
// name: policy
// namespace: foo
// spec:
// {}
// ```
//
// The following authorization policy applies to workloads containing label

80
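--- a/vendor/istio.io/api/security/v1beta1/jwt.gen.json
+++ b/vendor/istio.io/api/security/v1beta1/jwt.gen.json
@@ -0,0 +1,80 @@
+{
+"openapi": "3.0.0",
+"info": {
+"title": "Configuration to validate JWT.",
+"version": "v1beta1"
+},
+"components": {
+"schemas": {
+"istio.security.v1beta1.JWTRule": {
+"description": "JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.",
+"type": "object",
+"properties": {
+"issuer": {
+"description": "Identifies the issuer that issued the JWT. See [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) A JWT with different `iss` claim will be rejected.",
+"type": "string",
+"format": "string"
+},
+"audiences": {
+"description": "The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). that are allowed to access. A JWT containing any of these audiences will be accepted.",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+},
+"jwksUri": {
+"description": "URL of the provider's public key set to validate signature of the JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).",
+"type": "string",
+"format": "string"
+},
+"jwks": {
+"description": "JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.",
+"type": "string",
+"format": "string"
+},
+"fromHeaders": {
+"description": "List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in `x-jwt-assertion` header, and have \"Bearer \" prefix: ``` fromHeaders: - name: x-jwt-assertion prefix: \"Bearer \" ```",
+"type": "array",
+"items": {
+"$ref": "#/components/schemas/istio.security.v1beta1.JWTHeader"
+}
+},
+"fromParams": {
+"description": "List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter `my_token` (e.g /path?my_token=\u003cJWT\u003e), the config is: ``` fromParams: - \"my_token\" ```",
+"type": "array",
+"items": {
+"type": "string",
+"format": "string"
+}
+},
+"outputPayloadToHeader": {
+"description": "This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, the payload will not be emitted.",
+"type": "string",
+"format": "string"
+},
+"forwardOriginalToken": {
+"description": "If set to true, the orginal token will be kept for the ustream request. Default is false.",
+"type": "boolean"
+}
+}
+},
+"istio.security.v1beta1.JWTHeader": {
+"description": "This message specifies a header location to extract JWT token.",
+"type": "object",
+"properties": {
+"name": {
+"description": "The HTTP header name.",
+"type": "string",
+"format": "string"
+},
+"prefix": {
+"description": "The prefix that should be stripped before decoding the token. For example, for \"Authorization: Bearer \u003ctoken\u003e\", prefix=\"Bearer \" with a space at the end. If the header doesn't have this exact prefix, it is considerred invalid.",
+"type": "string",
+"format": "string"
+}
+}
+}
+}
+}
+}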

1056
vendor/istio.io/api/security/v1beta1/jwt.pb.go generated vendored Normal file


225
vendor/istio.io/api/security/v1beta1/jwt.pb.html generated vendored Normal file

@@ -0,0 +1,225 @@
---
title: JWTRule
description: Configuration to validate JWT.
location: https://istio.io/docs/reference/config/security/jwt.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.security.v1beta1.JWTRule
aliases: [/docs/reference/config/security/v1beta1/jwt]
number_of_entries: 2
---
<h2 id="JWTRule">JWTRule</h2>
<section>
<p>JSON Web Token (JWT) token format for authentication as defined by
<a href="https://tools.ietf.org/html/rfc7519">RFC 7519</a>. See <a href="https://tools.ietf.org/html/rfc6749">OAuth 2.0</a> and
<a href="http://openid.net/connect">OIDC 1.0</a> for how this is used in the whole
authentication flow.</p>
<p>Examples:</p>
<p>Spec for a JWT that is issued by <code>https://example.com</code>, with the audience claims must be either
<code>bookstore_android.apps.example.com</code> or <code>bookstore_web.apps.example.com</code>.
The token should be presented at the <code>Authorization</code> header (default). The Json web key set (JWKS)
will be discovered followwing OpenID Connect protocol.</p>
<pre><code class="language-yaml">issuer: https://example.com
audiences:
- bookstore_android.apps.example.com
bookstore_web.apps.example.com
</code></pre>
<p>This example specifies token in non-default location (<code>x-goog-iap-jwt-assertion</code> header). It also
defines the URI to fetch JWKS explicitly.</p>
<pre><code class="language-yaml">issuer: https://example.com
jwksUri: https://example.com/.secret/jwks.json
jwtHeaders:
- &quot;x-goog-iap-jwt-assertion&quot;
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="JWTRule-issuer">
<td><code>issuer</code></td>
<td><code>string</code></td>
<td>
<p>Identifies the issuer that issued the JWT. See
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.1">issuer</a>
A JWT with different <code>iss</code> claim will be rejected.</p>
<p>Example: https://foobar.auth0.com
Example: 1234567-compute@developer.gserviceaccount.com</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="JWTRule-audiences">
<td><code>audiences</code></td>
<td><code>string[]</code></td>
<td>
<p>The list of JWT
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.3">audiences</a>.
that are allowed to access. A JWT containing any of these
audiences will be accepted.</p>
<p>The service name will be accepted if audiences is empty.</p>
<p>Example:</p>
<pre><code class="language-yaml">audiences:
- bookstore_android.apps.example.com
bookstore_web.apps.example.com
</code></pre>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-jwks_uri">
<td><code>jwksUri</code></td>
<td><code>string</code></td>
<td>
<p>URL of the provider&rsquo;s public key set to validate signature of the
JWT. See <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Discovery</a>.</p>
<p>Optional if the key set document can either (a) be retrieved from
<a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID
Discovery</a> of
the issuer or (b) inferred from the email domain of the issuer (e.g. a
Google service account).</p>
<p>Example: <code>https://www.googleapis.com/oauth2/v1/certs</code></p>
<p>Note: Only one of jwks<em>uri and jwks should be used. jwks</em>uri will be ignored if it does.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-jwks">
<td><code>jwks</code></td>
<td><code>string</code></td>
<td>
<p>JSON Web Key Set of public keys to validate signature of the JWT.
See https://auth0.com/docs/jwks.</p>
<p>Note: Only one of jwks<em>uri and jwks should be used. jwks</em>uri will be ignored if it does.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_headers">
<td><code>fromHeaders</code></td>
<td><code><a href="#JWTHeader">JWTHeader[]</a></code></td>
<td>
<p>List of header locations from which JWT is expected. For example, below is the location spec
if JWT is expected to be found in <code>x-jwt-assertion</code> header, and have &ldquo;Bearer &rdquo; prefix:</p>
<pre><code> fromHeaders:
- name: x-jwt-assertion
prefix: &quot;Bearer &quot;
</code></pre>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_params">
<td><code>fromParams</code></td>
<td><code>string[]</code></td>
<td>
<p>List of query parameters from which JWT is expected. For example, if JWT is provided via query
parameter <code>my_token</code> (e.g /path?my_token=<JWT>), the config is:</p>
<pre><code> fromParams:
- &quot;my_token&quot;
</code></pre>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-output_payload_to_header">
<td><code>outputPayloadToHeader</code></td>
<td><code>string</code></td>
<td>
<p>This field specifies the header name to output a successfully verified JWT payload to the
backend. The forwarded data is <code>base64_encoded(jwt_payload_in_JSON)</code>. If it is not specified,
the payload will not be emitted.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-forward_original_token">
<td><code>forwardOriginalToken</code></td>
<td><code>bool</code></td>
<td>
<p>If set to true, the orginal token will be kept for the ustream request. Default is false.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="JWTHeader">JWTHeader</h2>
<section>
<p>This message specifies a header location to extract JWT token.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="JWTHeader-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>The HTTP header name.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="JWTHeader-prefix">
<td><code>prefix</code></td>
<td><code>string</code></td>
<td>
<p>The prefix that should be stripped before decoding the token.
For example, for &ldquo;Authorization: Bearer <token>&rdquo;, prefix=&ldquo;Bearer &rdquo; with a space at the end.
If the header doesn&rsquo;t have this exact prefix, it is considerred invalid.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>

149
vendor/istio.io/api/security/v1beta1/jwt.proto generated vendored Normal file

@@ -0,0 +1,149 @@
// Copyright 2019 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "google/api/field_behavior.proto";
// $schema: istio.security.v1beta1.JWTRule
// $title: JWTRule
// $description: Configuration to validate JWT.
// $location: https://istio.io/docs/reference/config/security/jwt.html
// $aliases: [/docs/reference/config/security/v1beta1/jwt]
package istio.security.v1beta1;
option go_package="istio.io/api/security/v1beta1";
// JSON Web Token (JWT) token format for authentication as defined by
// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole
// authentication flow.
//
// Examples:
//
// Spec for a JWT that is issued by `https://example.com`, with the audience claims must be either
// `bookstore_android.apps.example.com` or `bookstore_web.apps.example.com`.
// The token should be presented at the `Authorization` header (default). The Json web key set (JWKS)
// will be discovered followwing OpenID Connect protocol.
//
// ```yaml
// issuer: https://example.com
// audiences:
// - bookstore_android.apps.example.com
// bookstore_web.apps.example.com
// ```
//
// This example specifies token in non-default location (`x-goog-iap-jwt-assertion` header). It also
// defines the URI to fetch JWKS explicitly.
//
// ```yaml
// issuer: https://example.com
// jwksUri: https://example.com/.secret/jwks.json
// jwtHeaders:
// - "x-goog-iap-jwt-assertion"
// ```
message JWTRule {
// Identifies the issuer that issued the JWT. See
// [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
// A JWT with different `iss` claim will be rejected.
//
// Example: https://foobar.auth0.com
// Example: 1234567-compute@developer.gserviceaccount.com
string issuer = 1 [(google.api.field_behavior) = REQUIRED];
// The list of JWT
// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
// that are allowed to access. A JWT containing any of these
// audiences will be accepted.
//
// The service name will be accepted if audiences is empty.
//
// Example:
//
// ```yaml
// audiences:
// - bookstore_android.apps.example.com
// bookstore_web.apps.example.com
// ```
repeated string audiences = 2;
// URL of the provider's public key set to validate signature of the
// JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
//
// Optional if the key set document can either (a) be retrieved from
// [OpenID
// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
// the issuer or (b) inferred from the email domain of the issuer (e.g. a
// Google service account).
//
// Example: `https://www.googleapis.com/oauth2/v1/certs`
//
// Note: Only one of jwks_uri and jwks should be used. jwks_uri will be ignored if it does.
string jwks_uri = 3;
// JSON Web Key Set of public keys to validate signature of the JWT.
// See https://auth0.com/docs/jwks.
//
// Note: Only one of jwks_uri and jwks should be used. jwks_uri will be ignored if it does.
string jwks = 10;
// The next two fields define how to extract the JWT from an HTTP request.
//
// If no explicit location is specified the following default
// locations are tried in order:
//
// 1) The Authorization header using the Bearer schema,
// e.g. Authorization: Bearer <token>. (see
// [Authorization Request Header
// Field](https://tools.ietf.org/html/rfc6750#section-2.1))
//
// 2) The `access_token` query parameter (see
// [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3))
// List of header locations from which JWT is expected. For example, below is the location spec
// if JWT is expected to be found in `x-jwt-assertion` header, and have "Bearer " prefix:
// ```
// fromHeaders:
// - name: x-jwt-assertion
// prefix: "Bearer "
// ```
repeated JWTHeader from_headers = 6;
// List of query parameters from which JWT is expected. For example, if JWT is provided via query
// parameter `my_token` (e.g /path?my_token=<JWT>), the config is:
// ```
// fromParams:
// - "my_token"
// ```
repeated string from_params = 7;
// This field specifies the header name to output a successfully verified JWT payload to the
// backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified,
// the payload will not be emitted.
string output_payload_to_header = 8;
// If set to true, the orginal token will be kept for the ustream request. Default is false.
bool forward_original_token = 9;
}
// This message specifies a header location to extract JWT token.
message JWTHeader {
// The HTTP header name.
string name = 1 [(google.api.field_behavior) = REQUIRED];
// The prefix that should be stripped before decoding the token.
// For example, for "Authorization: Bearer <token>", prefix="Bearer " with a space at the end.
// If the header doesn't have this exact prefix, it is considerred invalid.
string prefix = 2;
}

45
vendor/istio.io/api/security/v1beta1/jwt_json.gen.go generated vendored Normal file

@@ -0,0 +1,45 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/jwt.proto
package v1beta1
import (
bytes "bytes"
fmt "fmt"
github_com_gogo_protobuf_jsonpb "github.com/gogo/protobuf/jsonpb"
proto "github.com/gogo/protobuf/proto"
_ "istio.io/gogo-genproto/googleapis/google/api"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// MarshalJSON is a custom marshaler for JWTRule
func (this *JWTRule) MarshalJSON() ([]byte, error) {
str, err := JwtMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for JWTRule
func (this *JWTRule) UnmarshalJSON(b []byte) error {
return JwtUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for JWTHeader
func (this *JWTHeader) MarshalJSON() ([]byte, error) {
str, err := JwtMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for JWTHeader
func (this *JWTHeader) UnmarshalJSON(b []byte) error {
return JwtUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
var (
JwtMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{}
JwtUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{}
)


@@ -0,0 +1,62 @@
{
"openapi": "3.0.0",
"info": {
"title": "Peer authentication configuration for workloads.",
"version": "v1beta1"
},
"components": {
"schemas": {
"istio.security.v1beta1.PeerAuthentication": {
"description": "PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.",
"type": "object",
"properties": {
"selector": {
"$ref": "#/components/schemas/istio.type.v1beta1.WorkloadSelector"
},
"mtls": {
"$ref": "#/components/schemas/istio.security.v1beta1.PeerAuthentication.MutualTLS"
},
"portLevelMtls": {
"description": "Port specific mutual TLS settings.",
"type": "object",
"additionalProperties": {
"$ref": "#/components/schemas/istio.security.v1beta1.PeerAuthentication.MutualTLS"
}
}
}
},
"istio.security.v1beta1.PeerAuthentication.MutualTLS": {
"description": "Mutual TLS settings.",
"type": "object",
"properties": {
"mode": {
"$ref": "#/components/schemas/istio.security.v1beta1.PeerAuthentication.MutualTLS.Mode"
}
}
},
"istio.security.v1beta1.PeerAuthentication.MutualTLS.Mode": {
"type": "string",
"enum": [
"UNSET",
"DISABLE",
"PERMISSIVE",
"STRICT"
]
},
"istio.type.v1beta1.WorkloadSelector": {
"description": "The selector determines the workloads to apply the RequestAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.",
"type": "object",
"properties": {
"matchLabels": {
"description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.",
"type": "object",
"additionalProperties": {
"type": "string",
"format": "string"
}
}
}
}
}
}
}


@@ -0,0 +1,907 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/peer_authentication.proto
package v1beta1
import (
fmt "fmt"
proto "github.com/gogo/protobuf/proto"
io "io"
v1beta1 "istio.io/api/type/v1beta1"
math "math"
math_bits "math/bits"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
type PeerAuthentication_MutualTLS_Mode int32
const (
// Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
PeerAuthentication_MutualTLS_UNSET PeerAuthentication_MutualTLS_Mode = 0
// Connection is not tunneled.
PeerAuthentication_MutualTLS_DISABLE PeerAuthentication_MutualTLS_Mode = 1
// Connection can be either plaintext or mTLS tunnel.
PeerAuthentication_MutualTLS_PERMISSIVE PeerAuthentication_MutualTLS_Mode = 2
// Connection is an mTLS tunnel (TLS with client cert must be presented).
PeerAuthentication_MutualTLS_STRICT PeerAuthentication_MutualTLS_Mode = 3
)
var PeerAuthentication_MutualTLS_Mode_name = map[int32]string{
0: "UNSET",
1: "DISABLE",
2: "PERMISSIVE",
3: "STRICT",
}
var PeerAuthentication_MutualTLS_Mode_value = map[string]int32{
"UNSET": 0,
"DISABLE": 1,
"PERMISSIVE": 2,
"STRICT": 3,
}
func (x PeerAuthentication_MutualTLS_Mode) String() string {
return proto.EnumName(PeerAuthentication_MutualTLS_Mode_name, int32(x))
}
func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) {
return fileDescriptor_59c7062c50455f33, []int{0, 0, 0}
}
// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
//
// Examples:
//
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// mtls:
// mode: STRICT
// ```
// For mesh level, put the policy in root-namespace according to your Istio installation.
//
// Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but
// require mTLS for workload `finance`.
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// mtls:
// mode: PERMISSIVE
// ---
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: STRICT
// ```
// Policy to allow mTLS strict for all workloads, but leave port 8080 to
// plaintext:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: STRICT
// portLevelMtls:
// 8080:
// mode: DISABLE
// ```
// Policy to inherite mTLS mode from namespace (or mesh) settings, and overwrite
// settings for port 8080
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: UNSET
// portLevelMtls:
// 8080:
// mode: DISABLE
// ```
//
// <!-- crd generation tags
// +cue-gen:PeerAuthentication:groupName:security.istio.io
// +cue-gen:PeerAuthentication:version:v1beta1
// +cue-gen:PeerAuthentication:storageVersion
// +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep
// +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:PeerAuthentication:subresource:status
// +cue-gen:PeerAuthentication:scope:Namespaced
// +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa
// +cue-gen:PeerAuthentication:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
type PeerAuthentication struct {
// The selector determines the workloads to apply the ChannelAuthentication on.
// If not set, the policy will be applied to all workloads in the same namespace as the policy.
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// Mutual TLS settings for workload. If not defined, inherit from parent.
Mtls *PeerAuthentication_MutualTLS `protobuf:"bytes,2,opt,name=mtls,proto3" json:"mtls,omitempty"`
// Port specific mutual TLS settings.
PortLevelMtls map[uint32]*PeerAuthentication_MutualTLS `protobuf:"bytes,3,rep,name=port_level_mtls,json=portLevelMtls,proto3" json:"port_level_mtls,omitempty" protobuf_key:"varint,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *PeerAuthentication) Reset() { *m = PeerAuthentication{} }
func (m *PeerAuthentication) String() string { return proto.CompactTextString(m) }
func (*PeerAuthentication) ProtoMessage() {}
func (*PeerAuthentication) Descriptor() ([]byte, []int) {
return fileDescriptor_59c7062c50455f33, []int{0}
}
func (m *PeerAuthentication) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *PeerAuthentication) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
if deterministic {
return xxx_messageInfo_PeerAuthentication.Marshal(b, m, deterministic)
} else {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
}
func (m *PeerAuthentication) XXX_Merge(src proto.Message) {
xxx_messageInfo_PeerAuthentication.Merge(m, src)
}
func (m *PeerAuthentication) XXX_Size() int {
return m.Size()
}
func (m *PeerAuthentication) XXX_DiscardUnknown() {
xxx_messageInfo_PeerAuthentication.DiscardUnknown(m)
}
var xxx_messageInfo_PeerAuthentication proto.InternalMessageInfo
func (m *PeerAuthentication) GetSelector() *v1beta1.WorkloadSelector {
if m != nil {
return m.Selector
}
return nil
}
func (m *PeerAuthentication) GetMtls() *PeerAuthentication_MutualTLS {
if m != nil {
return m.Mtls
}
return nil
}
func (m *PeerAuthentication) GetPortLevelMtls() map[uint32]*PeerAuthentication_MutualTLS {
if m != nil {
return m.PortLevelMtls
}
return nil
}
// Mutual TLS settings.
type PeerAuthentication_MutualTLS struct {
// Defines the mTLS mode used for peer authentication.
Mode PeerAuthentication_MutualTLS_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.security.v1beta1.PeerAuthentication_MutualTLS_Mode" json:"mode,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *PeerAuthentication_MutualTLS) Reset() { *m = PeerAuthentication_MutualTLS{} }
func (m *PeerAuthentication_MutualTLS) String() string { return proto.CompactTextString(m) }
func (*PeerAuthentication_MutualTLS) ProtoMessage() {}
func (*PeerAuthentication_MutualTLS) Descriptor() ([]byte, []int) {
return fileDescriptor_59c7062c50455f33, []int{0, 0}
}
func (m *PeerAuthentication_MutualTLS) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *PeerAuthentication_MutualTLS) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
if deterministic {
return xxx_messageInfo_PeerAuthentication_MutualTLS.Marshal(b, m, deterministic)
} else {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
}
func (m *PeerAuthentication_MutualTLS) XXX_Merge(src proto.Message) {
xxx_messageInfo_PeerAuthentication_MutualTLS.Merge(m, src)
}
func (m *PeerAuthentication_MutualTLS) XXX_Size() int {
return m.Size()
}
func (m *PeerAuthentication_MutualTLS) XXX_DiscardUnknown() {
xxx_messageInfo_PeerAuthentication_MutualTLS.DiscardUnknown(m)
}
var xxx_messageInfo_PeerAuthentication_MutualTLS proto.InternalMessageInfo
func (m *PeerAuthentication_MutualTLS) GetMode() PeerAuthentication_MutualTLS_Mode {
if m != nil {
return m.Mode
}
return PeerAuthentication_MutualTLS_UNSET
}
func init() {
proto.RegisterEnum("istio.security.v1beta1.PeerAuthentication_MutualTLS_Mode", PeerAuthentication_MutualTLS_Mode_name, PeerAuthentication_MutualTLS_Mode_value)
proto.RegisterType((*PeerAuthentication)(nil), "istio.security.v1beta1.PeerAuthentication")
proto.RegisterMapType((map[uint32]*PeerAuthentication_MutualTLS)(nil), "istio.security.v1beta1.PeerAuthentication.PortLevelMtlsEntry")
proto.RegisterType((*PeerAuthentication_MutualTLS)(nil), "istio.security.v1beta1.PeerAuthentication.MutualTLS")
}
func init() {
proto.RegisterFile("security/v1beta1/peer_authentication.proto", fileDescriptor_59c7062c50455f33)
}
var fileDescriptor_59c7062c50455f33 = []byte{
// 380 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x92, 0x41, 0x8b, 0xda, 0x40,
0x14, 0xc7, 0x3b, 0x26, 0xda, 0xfa, 0x44, 0x1b, 0xe6, 0x50, 0xc4, 0x52, 0x11, 0xe9, 0x41, 0x5a,
0x98, 0xa0, 0xed, 0xa1, 0x15, 0x0a, 0xd5, 0x36, 0xd0, 0x14, 0x53, 0x24, 0x49, 0x5b, 0xe8, 0x45,
0xa2, 0x3e, 0x68, 0x70, 0x74, 0xc2, 0x64, 0x12, 0xc8, 0x17, 0x29, 0xfd, 0x48, 0x3d, 0xf6, 0x23,
0x2c, 0x7e, 0x92, 0x25, 0x89, 0xca, 0xee, 0xba, 0x97, 0xdd, 0xbd, 0xcd, 0x0c, 0xef, 0xf7, 0x7b,
0xff, 0x79, 0x3c, 0x78, 0x15, 0xe3, 0x2a, 0x91, 0xa1, 0xca, 0xcc, 0x74, 0xb8, 0x44, 0x15, 0x0c,
0xcd, 0x08, 0x51, 0x2e, 0x82, 0x44, 0xfd, 0xc6, 0x9d, 0x0a, 0x57, 0x81, 0x0a, 0xc5, 0x8e, 0x45,
0x52, 0x28, 0x41, 0x9f, 0x85, 0xb1, 0x0a, 0x05, 0x3b, 0x12, 0xec, 0x40, 0x74, 0x9e, 0xab, 0x2c,
0xc2, 0x13, 0x1f, 0x23, 0xc7, 0x95, 0x12, 0xb2, 0x84, 0xfa, 0x7f, 0x75, 0xa0, 0x73, 0x44, 0x39,
0xb9, 0x66, 0xa4, 0x1f, 0xe1, 0xc9, 0xb1, 0xb0, 0x4d, 0x7a, 0x64, 0xd0, 0x18, 0xbd, 0x64, 0xa5,
0x3e, 0x97, 0x1d, 0xd5, 0xec, 0xa7, 0x90, 0x1b, 0x2e, 0x82, 0xb5, 0x77, 0xa8, 0x75, 0x4f, 0x14,
0xfd, 0x02, 0xfa, 0x56, 0xf1, 0xb8, 0x5d, 0x29, 0xe8, 0xb7, 0xec, 0xf6, 0x70, 0xec, 0xbc, 0x37,
0x73, 0x12, 0x95, 0x04, 0xdc, 0x9f, 0x79, 0x6e, 0x61, 0xa0, 0x08, 0x4f, 0x23, 0x21, 0xd5, 0x82,
0x63, 0x8a, 0x7c, 0x51, 0x48, 0xb5, 0x9e, 0x36, 0x68, 0x8c, 0x3e, 0xdc, 0x41, 0x3a, 0x17, 0x52,
0xcd, 0x72, 0x81, 0xa3, 0x78, 0x6c, 0xed, 0x94, 0xcc, 0xdc, 0x66, 0x74, 0xf5, 0xad, 0xf3, 0x87,
0x40, 0xfd, 0xd4, 0x9a, 0x3a, 0xa0, 0x6f, 0xc5, 0x1a, 0x8b, 0xcf, 0xb7, 0x46, 0xef, 0xef, 0x13,
0x9f, 0x39, 0x62, 0x8d, 0x6e, 0xa1, 0xe9, 0x8f, 0x41, 0xcf, 0x6f, 0xb4, 0x0e, 0xd5, 0xef, 0xdf,
0x3c, 0xcb, 0x37, 0x1e, 0xd1, 0x06, 0x3c, 0xfe, 0x6c, 0x7b, 0x93, 0xe9, 0xcc, 0x32, 0x08, 0x6d,
0x01, 0xcc, 0x2d, 0xd7, 0xb1, 0x3d, 0xcf, 0xfe, 0x61, 0x19, 0x15, 0x0a, 0x50, 0xf3, 0x7c, 0xd7,
0xfe, 0xe4, 0x1b, 0x5a, 0x27, 0x05, 0x7a, 0x9e, 0x9e, 0x1a, 0xa0, 0x6d, 0x30, 0x2b, 0xf2, 0x35,
0xdd, 0xfc, 0x48, 0xbf, 0x42, 0x35, 0x0d, 0x78, 0x82, 0x0f, 0x1a, 0x79, 0xa9, 0x18, 0x57, 0xde,
0x91, 0xe9, 0xeb, 0x7f, 0xfb, 0x2e, 0xf9, 0xbf, 0xef, 0x92, 0x8b, 0x7d, 0x97, 0xfc, 0x7a, 0x51,
0xda, 0x42, 0x61, 0x06, 0x51, 0x68, 0xde, 0x5c, 0xcb, 0x65, 0xad, 0x58, 0xa7, 0x37, 0x97, 0x01,
0x00, 0x00, 0xff, 0xff, 0x24, 0x64, 0x92, 0x25, 0xb1, 0x02, 0x00, 0x00,
}
func (m *PeerAuthentication) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *PeerAuthentication) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *PeerAuthentication) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
if m.XXX_unrecognized != nil {
i -= len(m.XXX_unrecognized)
copy(dAtA[i:], m.XXX_unrecognized)
}
if len(m.PortLevelMtls) > 0 {
for k := range m.PortLevelMtls {
v := m.PortLevelMtls[k]
baseI := i
if v != nil {
{
size, err := v.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintPeerAuthentication(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x12
}
i = encodeVarintPeerAuthentication(dAtA, i, uint64(k))
i--
dAtA[i] = 0x8
i = encodeVarintPeerAuthentication(dAtA, i, uint64(baseI-i))
i--
dAtA[i] = 0x1a
}
}
if m.Mtls != nil {
{
size, err := m.Mtls.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintPeerAuthentication(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x12
}
if m.Selector != nil {
{
size, err := m.Selector.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintPeerAuthentication(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0xa
}
return len(dAtA) - i, nil
}
func (m *PeerAuthentication_MutualTLS) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *PeerAuthentication_MutualTLS) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *PeerAuthentication_MutualTLS) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
if m.XXX_unrecognized != nil {
i -= len(m.XXX_unrecognized)
copy(dAtA[i:], m.XXX_unrecognized)
}
if m.Mode != 0 {
i = encodeVarintPeerAuthentication(dAtA, i, uint64(m.Mode))
i--
dAtA[i] = 0x8
}
return len(dAtA) - i, nil
}
func encodeVarintPeerAuthentication(dAtA []byte, offset int, v uint64) int {
offset -= sovPeerAuthentication(v)
base := offset
for v >= 1<<7 {
dAtA[offset] = uint8(v&0x7f | 0x80)
v >>= 7
offset++
}
dAtA[offset] = uint8(v)
return base
}
func (m *PeerAuthentication) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
if m.Selector != nil {
l = m.Selector.Size()
n += 1 + l + sovPeerAuthentication(uint64(l))
}
if m.Mtls != nil {
l = m.Mtls.Size()
n += 1 + l + sovPeerAuthentication(uint64(l))
}
if len(m.PortLevelMtls) > 0 {
for k, v := range m.PortLevelMtls {
_ = k
_ = v
l = 0
if v != nil {
l = v.Size()
l += 1 + sovPeerAuthentication(uint64(l))
}
mapEntrySize := 1 + sovPeerAuthentication(uint64(k)) + l
n += mapEntrySize + 1 + sovPeerAuthentication(uint64(mapEntrySize))
}
}
if m.XXX_unrecognized != nil {
n += len(m.XXX_unrecognized)
}
return n
}
func (m *PeerAuthentication_MutualTLS) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
if m.Mode != 0 {
n += 1 + sovPeerAuthentication(uint64(m.Mode))
}
if m.XXX_unrecognized != nil {
n += len(m.XXX_unrecognized)
}
return n
}
func sovPeerAuthentication(x uint64) (n int) {
return (math_bits.Len64(x|1) + 6) / 7
}
func sozPeerAuthentication(x uint64) (n int) {
return sovPeerAuthentication(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *PeerAuthentication) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: PeerAuthentication: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: PeerAuthentication: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthPeerAuthentication
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthPeerAuthentication
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.Selector == nil {
m.Selector = &v1beta1.WorkloadSelector{}
}
if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Mtls", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthPeerAuthentication
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthPeerAuthentication
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.Mtls == nil {
m.Mtls = &PeerAuthentication_MutualTLS{}
}
if err := m.Mtls.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
case 3:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field PortLevelMtls", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthPeerAuthentication
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthPeerAuthentication
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.PortLevelMtls == nil {
m.PortLevelMtls = make(map[uint32]*PeerAuthentication_MutualTLS)
}
var mapkey uint32
var mapvalue *PeerAuthentication_MutualTLS
for iNdEx < postIndex {
entryPreIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
if fieldNum == 1 {
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
mapkey |= uint32(b&0x7F) << shift
if b < 0x80 {
break
}
}
} else if fieldNum == 2 {
var mapmsglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
mapmsglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if mapmsglen < 0 {
return ErrInvalidLengthPeerAuthentication
}
postmsgIndex := iNdEx + mapmsglen
if postmsgIndex < 0 {
return ErrInvalidLengthPeerAuthentication
}
if postmsgIndex > l {
return io.ErrUnexpectedEOF
}
mapvalue = &PeerAuthentication_MutualTLS{}
if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
return err
}
iNdEx = postmsgIndex
} else {
iNdEx = entryPreIndex
skippy, err := skipPeerAuthentication(dAtA[iNdEx:])
if err != nil {
return err
}
if skippy < 0 {
return ErrInvalidLengthPeerAuthentication
}
if (iNdEx + skippy) > postIndex {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
m.PortLevelMtls[mapkey] = mapvalue
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipPeerAuthentication(dAtA[iNdEx:])
if err != nil {
return err
}
if skippy < 0 {
return ErrInvalidLengthPeerAuthentication
}
if (iNdEx + skippy) < 0 {
return ErrInvalidLengthPeerAuthentication
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func (m *PeerAuthentication_MutualTLS) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: MutualTLS: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: MutualTLS: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 0 {
return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType)
}
m.Mode = 0
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
m.Mode |= PeerAuthentication_MutualTLS_Mode(b&0x7F) << shift
if b < 0x80 {
break
}
}
default:
iNdEx = preIndex
skippy, err := skipPeerAuthentication(dAtA[iNdEx:])
if err != nil {
return err
}
if skippy < 0 {
return ErrInvalidLengthPeerAuthentication
}
if (iNdEx + skippy) < 0 {
return ErrInvalidLengthPeerAuthentication
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func skipPeerAuthentication(dAtA []byte) (n int, err error) {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
wireType := int(wire & 0x7)
switch wireType {
case 0:
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
iNdEx++
if dAtA[iNdEx-1] < 0x80 {
break
}
}
return iNdEx, nil
case 1:
iNdEx += 8
return iNdEx, nil
case 2:
var length int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
length |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
if length < 0 {
return 0, ErrInvalidLengthPeerAuthentication
}
iNdEx += length
if iNdEx < 0 {
return 0, ErrInvalidLengthPeerAuthentication
}
return iNdEx, nil
case 3:
for {
var innerWire uint64
var start int = iNdEx
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowPeerAuthentication
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
innerWire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
innerWireType := int(innerWire & 0x7)
if innerWireType == 4 {
break
}
next, err := skipPeerAuthentication(dAtA[start:])
if err != nil {
return 0, err
}
iNdEx = start + next
if iNdEx < 0 {
return 0, ErrInvalidLengthPeerAuthentication
}
}
return iNdEx, nil
case 4:
return iNdEx, nil
case 5:
iNdEx += 4
return iNdEx, nil
default:
return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
}
}
panic("unreachable")
}
var (
ErrInvalidLengthPeerAuthentication = fmt.Errorf("proto: negative length found during unmarshaling")
ErrIntOverflowPeerAuthentication = fmt.Errorf("proto: integer overflow")
)


@@ -0,0 +1,209 @@
---
title: PeerAuthentication
description: Peer authentication configuration for workloads.
location: https://istio.io/docs/reference/config/security/peer_authentication.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.security.v1beta1.PeerAuthentication
aliases: [/docs/reference/config/security/v1beta1/peer_authentication]
number_of_entries: 3
---
<h2 id="PeerAuthentication">PeerAuthentication</h2>
<section>
<p>PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.</p>
<p>Examples:</p>
<p>Policy to allow mTLS traffic for all workloads under namespace <code>foo</code>:</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: STRICT
</code></pre>
<p>For mesh level, put the policy in root-namespace according to your Istio installation.</p>
<p>Policies to allow both mTLS &amp; plaintext traffic for all workloads under namespace <code>foo</code>, but
require mTLS for workload <code>finance</code>.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: STRICT
</code></pre>
<p>Policy to allow mTLS strict for all workloads, but leave port 8080 to
plaintext:</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: STRICT
portLevelMtls:
8080:
mode: DISABLE
</code></pre>
<p>Policy to inherite mTLS mode from namespace (or mesh) settings, and overwrite
settings for port 8080</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: UNSET
portLevelMtls:
8080:
mode: DISABLE
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-selector">
<td><code>selector</code></td>
<td><code><a href="https://istio.io/latest/docs/reference/config/networking/sidecar/#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>The selector determines the workloads to apply the ChannelAuthentication on.
If not set, the policy will be applied to all workloads in the same namespace as the policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PeerAuthentication-mtls">
<td><code>mtls</code></td>
<td><code><a href="#PeerAuthentication-MutualTLS">MutualTLS</a></code></td>
<td>
<p>Mutual TLS settings for workload. If not defined, inherit from parent.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PeerAuthentication-port_level_mtls">
<td><code>portLevelMtls</code></td>
<td><code>map&lt;uint32,&nbsp;<a href="#PeerAuthentication-MutualTLS">MutualTLS</a>&gt;</code></td>
<td>
<p>Port specific mutual TLS settings.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthentication-MutualTLS">PeerAuthentication.MutualTLS</h2>
<section>
<p>Mutual TLS settings.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-MutualTLS-mode">
<td><code>mode</code></td>
<td><code><a href="#PeerAuthentication-MutualTLS-Mode">Mode</a></code></td>
<td>
<p>Defines the mTLS mode used for peer authentication.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthentication-MutualTLS-Mode">PeerAuthentication.MutualTLS.Mode</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-MutualTLS-Mode-UNSET">
<td><code>UNSET</code></td>
<td>
<p>Inherit from parent, if has one. Otherwise treated as PERMISSIVE.</p>
</td>
</tr>
<tr id="PeerAuthentication-MutualTLS-Mode-DISABLE">
<td><code>DISABLE</code></td>
<td>
<p>Connection is not tunneled.</p>
</td>
</tr>
<tr id="PeerAuthentication-MutualTLS-Mode-PERMISSIVE">
<td><code>PERMISSIVE</code></td>
<td>
<p>Connection can be either plaintext or mTLS tunnel.</p>
</td>
</tr>
<tr id="PeerAuthentication-MutualTLS-Mode-STRICT">
<td><code>STRICT</code></td>
<td>
<p>Connection is an mTLS tunnel (TLS with client cert must be presented).</p>
</td>
</tr>
</tbody>
</table>
</section>


@@ -0,0 +1,154 @@
// Copyright 2020 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "type/v1beta1/selector.proto";
// $schema: istio.security.v1beta1.PeerAuthentication
// $title: PeerAuthentication
// $description: Peer authentication configuration for workloads.
// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
// $aliases: [/docs/reference/config/security/v1beta1/peer_authentication]
package istio.security.v1beta1;
option go_package="istio.io/api/security/v1beta1";
// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
//
// Examples:
//
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// mtls:
// mode: STRICT
// ```
// For mesh level, put the policy in root-namespace according to your Istio installation.
//
// Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but
// require mTLS for workload `finance`.
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// mtls:
// mode: PERMISSIVE
// ---
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: STRICT
// ```
// Policy to allow mTLS strict for all workloads, but leave port 8080 to
// plaintext:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: STRICT
// portLevelMtls:
// 8080:
// mode: DISABLE
// ```
// Policy to inherite mTLS mode from namespace (or mesh) settings, and overwrite
// settings for port 8080
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: UNSET
// portLevelMtls:
// 8080:
// mode: DISABLE
// ```
//
// <!-- crd generation tags
// +cue-gen:PeerAuthentication:groupName:security.istio.io
// +cue-gen:PeerAuthentication:version:v1beta1
// +cue-gen:PeerAuthentication:storageVersion
// +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep
// +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:PeerAuthentication:subresource:status
// +cue-gen:PeerAuthentication:scope:Namespaced
// +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa
// +cue-gen:PeerAuthentication:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
message PeerAuthentication {
// The selector determines the workloads to apply the ChannelAuthentication on.
// If not set, the policy will be applied to all workloads in the same namespace as the policy.
istio.type.v1beta1.WorkloadSelector selector = 1;
// Mutual TLS settings.
message MutualTLS {
enum Mode {
// Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
UNSET = 0;
// Connection is not tunneled.
DISABLE = 1;
// Connection can be either plaintext or mTLS tunnel.
PERMISSIVE = 2;
// Connection is an mTLS tunnel (TLS with client cert must be presented).
STRICT = 3;
}
// Defines the mTLS mode used for peer authentication.
Mode mode = 1;
}
// Mutual TLS settings for workload. If not defined, inherit from parent.
MutualTLS mtls = 2;
// Port specific mutual TLS settings.
map<uint32, MutualTLS> port_level_mtls = 3;
}


@@ -0,0 +1,22 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/peer_authentication.proto
package v1beta1
import (
fmt "fmt"
proto "github.com/gogo/protobuf/proto"
_ "istio.io/api/type/v1beta1"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// DeepCopyInto supports using PeerAuthentication within kubernetes types, where deepcopy-gen is used.
func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication) {
p := proto.Clone(in).(*PeerAuthentication)
*out = *p
}


@@ -0,0 +1,45 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/peer_authentication.proto
package v1beta1
import (
bytes "bytes"
fmt "fmt"
github_com_gogo_protobuf_jsonpb "github.com/gogo/protobuf/jsonpb"
proto "github.com/gogo/protobuf/proto"
_ "istio.io/api/type/v1beta1"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// MarshalJSON is a custom marshaler for PeerAuthentication
func (this *PeerAuthentication) MarshalJSON() ([]byte, error) {
str, err := PeerAuthenticationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for PeerAuthentication
func (this *PeerAuthentication) UnmarshalJSON(b []byte) error {
return PeerAuthenticationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for PeerAuthentication_MutualTLS
func (this *PeerAuthentication_MutualTLS) MarshalJSON() ([]byte, error) {
str, err := PeerAuthenticationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for PeerAuthentication_MutualTLS
func (this *PeerAuthentication_MutualTLS) UnmarshalJSON(b []byte) error {
return PeerAuthenticationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
var (
PeerAuthenticationMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{}
PeerAuthenticationUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{}
)


@@ -0,0 +1,110 @@
{
"openapi": "3.0.0",
"info": {
"title": "Request authentication configuration for workloads.",
"version": "v1beta1"
},
"components": {
"schemas": {
"istio.security.v1beta1.JWTRule": {
"description": "JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.",
"type": "object",
"properties": {
"issuer": {
"description": "Identifies the issuer that issued the JWT. See [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) A JWT with different `iss` claim will be rejected.",
"type": "string",
"format": "string"
},
"audiences": {
"description": "The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). that are allowed to access. A JWT containing any of these audiences will be accepted.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"jwksUri": {
"description": "URL of the provider's public key set to validate signature of the JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).",
"type": "string",
"format": "string"
},
"jwks": {
"description": "JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.",
"type": "string",
"format": "string"
},
"fromHeaders": {
"description": "List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in `x-jwt-assertion` header, and have \"Bearer \" prefix: ``` fromHeaders: - name: x-jwt-assertion prefix: \"Bearer \" ```",
"type": "array",
"items": {
"$ref": "#/components/schemas/istio.security.v1beta1.JWTHeader"
}
},
"fromParams": {
"description": "List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter `my_token` (e.g /path?my_token=\u003cJWT\u003e), the config is: ``` fromParams: - \"my_token\" ```",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"outputPayloadToHeader": {
"description": "This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, the payload will not be emitted.",
"type": "string",
"format": "string"
},
"forwardOriginalToken": {
"description": "If set to true, the orginal token will be kept for the ustream request. Default is false.",
"type": "boolean"
}
}
},
"istio.security.v1beta1.JWTHeader": {
"description": "This message specifies a header location to extract JWT token.",
"type": "object",
"properties": {
"name": {
"description": "The HTTP header name.",
"type": "string",
"format": "string"
},
"prefix": {
"description": "The prefix that should be stripped before decoding the token. For example, for \"Authorization: Bearer \u003ctoken\u003e\", prefix=\"Bearer \" with a space at the end. If the header doesn't have this exact prefix, it is considerred invalid.",
"type": "string",
"format": "string"
}
}
},
"istio.security.v1beta1.RequestAuthentication": {
"description": "RequestAuthentication defines what request authentication methods are supported by a workload. If will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples: - Require JWT for all request for workloads that have label `app:httpbin`",
"type": "object",
"properties": {
"selector": {
"$ref": "#/components/schemas/istio.type.v1beta1.WorkloadSelector"
},
"jwtRules": {
"description": "Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token will be used to extract the authenticated identity. Each rule will be activated only when a token is presented at the location recorgnized by the rule. The token will be validated based on the JWT rule config. If validation fails, the request will be rejected. Note: if more than one token is presented (at different locations), the output principal is nondeterministic.",
"type": "array",
"items": {
"$ref": "#/components/schemas/istio.security.v1beta1.JWTRule"
}
}
}
},
"istio.type.v1beta1.WorkloadSelector": {
"description": "The selector determines the workloads to apply the RequestAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.",
"type": "object",
"properties": {
"matchLabels": {
"description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.",
"type": "object",
"additionalProperties": {
"type": "string",
"format": "string"
}
}
}
}
}
}
}


@@ -0,0 +1,560 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/request_authentication.proto
package v1beta1
import (
fmt "fmt"
proto "github.com/gogo/protobuf/proto"
io "io"
v1beta1 "istio.io/api/type/v1beta1"
math "math"
math_bits "math/bits"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
// RequestAuthentication defines what request authentication methods are supported by a workload.
// If will reject a request if the request contains invalid authentication information, based on the
// configured authentication rules. A request that does not contain any authentication credentials
// will be accepted but will not have any authenticated identity. To restrict access to authenticated
// requests only, this should be accompanied by an authorization rule.
// Examples:
//
// - Require JWT for all request for workloads that have label `app:httpbin`
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: RequestAuthentication
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// jwtRules:
// - issuer: "issuer-foo"
// jwksUri: https://example.com/.well-known/jwks.json
// ---
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// rules:
// - from:
// - source:
// requestPrincipals: ["*"]
// ```
//
// - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication`
// declares it can accpet JWTs issuer by either `issuer-foo` or `issuer-bar` (the public key set is implicitly
// set from the OpenID Connect spec).
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: RequestAuthentication
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// jwtRules:
// - issuer: "issuer-foo"
// - issuer: "issuer-bar"
// ---
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// rules:
// - from:
// - source:
// requestPrincipals: ["issuer-foo/*"]
// to:
// hosts: ["example.com"]
// - from:
// - source:
// requestPrincipals: ["issuer-bar/*"]
// to:
// hosts: ["another-host.com"]
// ```
//
// - You can fine tune the authorization policy to set different requirement per path. For example,
// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the
// authorization policy could be:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// rules:
// - from:
// - source:
// requestPrincipals: ["*"]
// - to:
// - operation:
// paths: ["/healthz]
// ```
//
// <!-- crd generation tags
// +cue-gen:RequestAuthentication:groupName:security.istio.io
// +cue-gen:RequestAuthentication:version:v1beta1
// +cue-gen:RequestAuthentication:storageVersion
// +cue-gen:RequestAuthentication:annotations:helm.sh/resource-policy=keep
// +cue-gen:RequestAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:RequestAuthentication:subresource:status
// +cue-gen:RequestAuthentication:scope:Namespaced
// +cue-gen:RequestAuthentication:resource:categories=istio-io,security-istio-io,shortNames=ra
// +cue-gen:RequestAuthentication:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
type RequestAuthentication struct {
// The selector determines the workloads to apply the RequestAuthentication on.
// If not set, the policy will be applied to all workloads in the same namespace as the policy.
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
// will be used to extract the authenticated identity.
// Each rule will be activated only when a token is presented at the location recorgnized by the
// rule. The token will be validated based on the JWT rule config. If validation fails, the request will
// be rejected.
// Note: if more than one token is presented (at different locations), the output principal is nondeterministic.
JwtRules []*JWTRule `protobuf:"bytes,2,rep,name=jwt_rules,json=jwtRules,proto3" json:"jwt_rules,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *RequestAuthentication) Reset() { *m = RequestAuthentication{} }
func (m *RequestAuthentication) String() string { return proto.CompactTextString(m) }
func (*RequestAuthentication) ProtoMessage() {}
func (*RequestAuthentication) Descriptor() ([]byte, []int) {
return fileDescriptor_4a3374592471772b, []int{0}
}
func (m *RequestAuthentication) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *RequestAuthentication) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
if deterministic {
return xxx_messageInfo_RequestAuthentication.Marshal(b, m, deterministic)
} else {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
}
func (m *RequestAuthentication) XXX_Merge(src proto.Message) {
xxx_messageInfo_RequestAuthentication.Merge(m, src)
}
func (m *RequestAuthentication) XXX_Size() int {
return m.Size()
}
func (m *RequestAuthentication) XXX_DiscardUnknown() {
xxx_messageInfo_RequestAuthentication.DiscardUnknown(m)
}
var xxx_messageInfo_RequestAuthentication proto.InternalMessageInfo
func (m *RequestAuthentication) GetSelector() *v1beta1.WorkloadSelector {
if m != nil {
return m.Selector
}
return nil
}
func (m *RequestAuthentication) GetJwtRules() []*JWTRule {
if m != nil {
return m.JwtRules
}
return nil
}
func init() {
proto.RegisterType((*RequestAuthentication)(nil), "istio.security.v1beta1.RequestAuthentication")
}
func init() {
proto.RegisterFile("security/v1beta1/request_authentication.proto", fileDescriptor_4a3374592471772b)
}
var fileDescriptor_4a3374592471772b = []byte{
// 233 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xd2, 0x2d, 0x4e, 0x4d, 0x2e,
0x2d, 0xca, 0x2c, 0xa9, 0xd4, 0x2f, 0x33, 0x4c, 0x4a, 0x2d, 0x49, 0x34, 0xd4, 0x2f, 0x4a, 0x2d,
0x2c, 0x4d, 0x2d, 0x2e, 0x89, 0x4f, 0x2c, 0x2d, 0xc9, 0x48, 0xcd, 0x2b, 0xc9, 0x4c, 0x4e, 0x2c,
0xc9, 0xcc, 0xcf, 0xd3, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xcb, 0x2c, 0x2e, 0xc9, 0xcc,
0xd7, 0x83, 0x69, 0xd2, 0x83, 0x6a, 0x92, 0x92, 0x2e, 0xa9, 0x2c, 0x48, 0x85, 0x1b, 0x51, 0x9c,
0x9a, 0x93, 0x9a, 0x5c, 0x92, 0x5f, 0x04, 0xd1, 0x24, 0x25, 0x85, 0x61, 0x47, 0x56, 0x79, 0x09,
0x44, 0x4e, 0x69, 0x3a, 0x23, 0x97, 0x68, 0x10, 0xc4, 0x46, 0x47, 0x14, 0x0b, 0x85, 0x1c, 0xb8,
0x38, 0x60, 0xe6, 0x48, 0x30, 0x2a, 0x30, 0x6a, 0x70, 0x1b, 0xa9, 0xe8, 0x41, 0x6c, 0x07, 0xd9,
0x05, 0xb3, 0x59, 0x2f, 0x3c, 0xbf, 0x28, 0x3b, 0x27, 0x3f, 0x31, 0x25, 0x18, 0xaa, 0x36, 0x08,
0xae, 0x4b, 0xc8, 0x86, 0x8b, 0x33, 0xab, 0xbc, 0x24, 0xbe, 0xa8, 0x34, 0x27, 0xb5, 0x58, 0x82,
0x49, 0x81, 0x59, 0x83, 0xdb, 0x48, 0x5e, 0x0f, 0xbb, 0x07, 0xf4, 0xbc, 0xc2, 0x43, 0x82, 0x4a,
0x73, 0x52, 0x83, 0x38, 0xb2, 0xca, 0x4b, 0x40, 0x8c, 0x62, 0x27, 0xed, 0x13, 0x8f, 0xe4, 0x18,
0x2f, 0x3c, 0x92, 0x63, 0x7c, 0xf0, 0x48, 0x8e, 0x31, 0x4a, 0x16, 0xa2, 0x2f, 0x33, 0x5f, 0x3f,
0xb1, 0x20, 0x53, 0x1f, 0xdd, 0x43, 0x49, 0x6c, 0x60, 0xdf, 0x18, 0x03, 0x02, 0x00, 0x00, 0xff,
0xff, 0xe1, 0xe0, 0xd4, 0xfd, 0x4f, 0x01, 0x00, 0x00,
}
func (m *RequestAuthentication) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *RequestAuthentication) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *RequestAuthentication) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
if m.XXX_unrecognized != nil {
i -= len(m.XXX_unrecognized)
copy(dAtA[i:], m.XXX_unrecognized)
}
if len(m.JwtRules) > 0 {
for iNdEx := len(m.JwtRules) - 1; iNdEx >= 0; iNdEx-- {
{
size, err := m.JwtRules[iNdEx].MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintRequestAuthentication(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x12
}
}
if m.Selector != nil {
{
size, err := m.Selector.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintRequestAuthentication(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0xa
}
return len(dAtA) - i, nil
}
func encodeVarintRequestAuthentication(dAtA []byte, offset int, v uint64) int {
offset -= sovRequestAuthentication(v)
base := offset
for v >= 1<<7 {
dAtA[offset] = uint8(v&0x7f | 0x80)
v >>= 7
offset++
}
dAtA[offset] = uint8(v)
return base
}
func (m *RequestAuthentication) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
if m.Selector != nil {
l = m.Selector.Size()
n += 1 + l + sovRequestAuthentication(uint64(l))
}
if len(m.JwtRules) > 0 {
for _, e := range m.JwtRules {
l = e.Size()
n += 1 + l + sovRequestAuthentication(uint64(l))
}
}
if m.XXX_unrecognized != nil {
n += len(m.XXX_unrecognized)
}
return n
}
func sovRequestAuthentication(x uint64) (n int) {
return (math_bits.Len64(x|1) + 6) / 7
}
func sozRequestAuthentication(x uint64) (n int) {
return sovRequestAuthentication(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *RequestAuthentication) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowRequestAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: RequestAuthentication: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: RequestAuthentication: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowRequestAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthRequestAuthentication
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthRequestAuthentication
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.Selector == nil {
m.Selector = &v1beta1.WorkloadSelector{}
}
if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field JwtRules", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowRequestAuthentication
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthRequestAuthentication
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthRequestAuthentication
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.JwtRules = append(m.JwtRules, &JWTRule{})
if err := m.JwtRules[len(m.JwtRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipRequestAuthentication(dAtA[iNdEx:])
if err != nil {
return err
}
if skippy < 0 {
return ErrInvalidLengthRequestAuthentication
}
if (iNdEx + skippy) < 0 {
return ErrInvalidLengthRequestAuthentication
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func skipRequestAuthentication(dAtA []byte) (n int, err error) {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowRequestAuthentication
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
wireType := int(wire & 0x7)
switch wireType {
case 0:
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowRequestAuthentication
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
iNdEx++
if dAtA[iNdEx-1] < 0x80 {
break
}
}
return iNdEx, nil
case 1:
iNdEx += 8
return iNdEx, nil
case 2:
var length int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowRequestAuthentication
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
length |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
if length < 0 {
return 0, ErrInvalidLengthRequestAuthentication
}
iNdEx += length
if iNdEx < 0 {
return 0, ErrInvalidLengthRequestAuthentication
}
return iNdEx, nil
case 3:
for {
var innerWire uint64
var start int = iNdEx
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowRequestAuthentication
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
innerWire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
innerWireType := int(innerWire & 0x7)
if innerWireType == 4 {
break
}
next, err := skipRequestAuthentication(dAtA[start:])
if err != nil {
return 0, err
}
iNdEx = start + next
if iNdEx < 0 {
return 0, ErrInvalidLengthRequestAuthentication
}
}
return iNdEx, nil
case 4:
return iNdEx, nil
case 5:
iNdEx += 4
return iNdEx, nil
default:
return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
}
}
panic("unreachable")
}
var (
ErrInvalidLengthRequestAuthentication = fmt.Errorf("proto: negative length found during unmarshaling")
ErrIntOverflowRequestAuthentication = fmt.Errorf("proto: integer overflow")
)


@@ -0,0 +1,157 @@
---
title: RequestAuthentication
description: Request authentication configuration for workloads.
location: https://istio.io/docs/reference/config/security/request_authentication.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.security.v1beta1.RequestAuthentication
aliases: [/docs/reference/config/security/v1beta1/request_authentication]
number_of_entries: 1
---
<h2 id="RequestAuthentication">RequestAuthentication</h2>
<section>
<p>RequestAuthentication defines what request authentication methods are supported by a workload.
If will reject a request if the request contains invalid authentication information, based on the
configured authentication rules. A request that does not contain any authentication credentials
will be accepted but will not have any authenticated identity. To restrict access to authenticated
requests only, this should be accompanied by an authorization rule.
Examples:</p>
<ul>
<li>Require JWT for all request for workloads that have label <code>app:httpbin</code></li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
</code></pre>
<ul>
<li>The next example shows how to set a different JWT requirement for a different <code>host</code>. The <code>RequestAuthentication</code>
declares it can accpet JWTs issuer by either <code>issuer-foo</code> or <code>issuer-bar</code> (the public key set is implicitly
set from the OpenID Connect spec).</li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
- issuer: &quot;issuer-bar&quot;
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;issuer-foo/*&quot;]
to:
hosts: [&quot;example.com&quot;]
- from:
- source:
requestPrincipals: [&quot;issuer-bar/*&quot;]
to:
hosts: [&quot;another-host.com&quot;]
</code></pre>
<ul>
<li>You can fine tune the authorization policy to set different requirement per path. For example,
to require JWT on all paths, except /healthz, the same <code>RequestAuthentication</code> can be used, but the
authorization policy could be:</li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
- to:
- operation:
paths: [&quot;/healthz]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RequestAuthentication-selector">
<td><code>selector</code></td>
<td><code><a href="https://istio.io/latest/docs/reference/config/networking/sidecar/#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>The selector determines the workloads to apply the RequestAuthentication on.
If not set, the policy will be applied to all workloads in the same namespace as the policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-jwt_rules">
<td><code>jwtRules</code></td>
<td><code><a href="https://istio.io/docs/reference/config/security/jwt.html#JWTRule">JWTRule[]</a></code></td>
<td>
<p>Define the list of JWTs that can be validated at the selected workloads&rsquo; proxy. A valid token
will be used to extract the authenticated identity.
Each rule will be activated only when a token is presented at the location recorgnized by the
rule. The token will be validated based on the JWT rule config. If validation fails, the request will
be rejected.
Note: if more than one token is presented (at different locations), the output principal is nondeterministic.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>


@@ -0,0 +1,160 @@
// Copyright 2019 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "type/v1beta1/selector.proto";
import "security/v1beta1/jwt.proto";
// $schema: istio.security.v1beta1.RequestAuthentication
// $title: RequestAuthentication
// $description: Request authentication configuration for workloads.
// $location: https://istio.io/docs/reference/config/security/request_authentication.html
// $aliases: [/docs/reference/config/security/v1beta1/request_authentication]
package istio.security.v1beta1;
option go_package="istio.io/api/security/v1beta1";
// RequestAuthentication defines what request authentication methods are supported by a workload.
// If will reject a request if the request contains invalid authentication information, based on the
// configured authentication rules. A request that does not contain any authentication credentials
// will be accepted but will not have any authenticated identity. To restrict access to authenticated
// requests only, this should be accompanied by an authorization rule.
// Examples:
//
// - Require JWT for all request for workloads that have label `app:httpbin`
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: RequestAuthentication
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// jwtRules:
// - issuer: "issuer-foo"
// jwksUri: https://example.com/.well-known/jwks.json
// ---
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// rules:
// - from:
// - source:
// requestPrincipals: ["*"]
// ```
//
// - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication`
// declares it can accpet JWTs issuer by either `issuer-foo` or `issuer-bar` (the public key set is implicitly
// set from the OpenID Connect spec).
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: RequestAuthentication
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// jwtRules:
// - issuer: "issuer-foo"
// - issuer: "issuer-bar"
// ---
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// rules:
// - from:
// - source:
// requestPrincipals: ["issuer-foo/*"]
// to:
// hosts: ["example.com"]
// - from:
// - source:
// requestPrincipals: ["issuer-bar/*"]
// to:
// hosts: ["another-host.com"]
// ```
//
// - You can fine tune the authorization policy to set different requirement per path. For example,
// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the
// authorization policy could be:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// rules:
// - from:
// - source:
// requestPrincipals: ["*"]
// - to:
// - operation:
// paths: ["/healthz]
// ```
//
// <!-- crd generation tags
// +cue-gen:RequestAuthentication:groupName:security.istio.io
// +cue-gen:RequestAuthentication:version:v1beta1
// +cue-gen:RequestAuthentication:storageVersion
// +cue-gen:RequestAuthentication:annotations:helm.sh/resource-policy=keep
// +cue-gen:RequestAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:RequestAuthentication:subresource:status
// +cue-gen:RequestAuthentication:scope:Namespaced
// +cue-gen:RequestAuthentication:resource:categories=istio-io,security-istio-io,shortNames=ra
// +cue-gen:RequestAuthentication:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
message RequestAuthentication {
// The selector determines the workloads to apply the RequestAuthentication on.
// If not set, the policy will be applied to all workloads in the same namespace as the policy.
istio.type.v1beta1.WorkloadSelector selector = 1;
// Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
// will be used to extract the authenticated identity.
// Each rule will be activated only when a token is presented at the location recorgnized by the
// rule. The token will be validated based on the JWT rule config. If validation fails, the request will
// be rejected.
// Note: if more than one token is presented (at different locations), the output principal is nondeterministic.
repeated JWTRule jwt_rules = 2;
}


@@ -0,0 +1,22 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/request_authentication.proto
package v1beta1
import (
fmt "fmt"
proto "github.com/gogo/protobuf/proto"
_ "istio.io/api/type/v1beta1"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// DeepCopyInto supports using RequestAuthentication within kubernetes types, where deepcopy-gen is used.
func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication) {
p := proto.Clone(in).(*RequestAuthentication)
*out = *p
}


@@ -0,0 +1,34 @@
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: security/v1beta1/request_authentication.proto
package v1beta1
import (
bytes "bytes"
fmt "fmt"
github_com_gogo_protobuf_jsonpb "github.com/gogo/protobuf/jsonpb"
proto "github.com/gogo/protobuf/proto"
_ "istio.io/api/type/v1beta1"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// MarshalJSON is a custom marshaler for RequestAuthentication
func (this *RequestAuthentication) MarshalJSON() ([]byte, error) {
str, err := RequestAuthenticationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for RequestAuthentication
func (this *RequestAuthentication) UnmarshalJSON(b []byte) error {
return RequestAuthenticationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
var (
RequestAuthenticationMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{}
RequestAuthenticationUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{}
)