update dependencies

Signed-off-by: hongming <talonwan@yunify.com>
2020-12-22 16:48:26 +08:00
parent 4a11a50544
commit fe6c5de00f
2857 changed files with 252134 additions and 115656 deletions
--- a/vendor/istio.io/api/security/v1beta1/authorization.proto
+++ b/vendor/istio.io/api/security/v1beta1/authorization.proto
@@ -16,26 +16,41 @@ syntax = "proto3";
 import "google/api/field_behavior.proto";
 import "type/v1beta1/selector.proto";

+// $schema: istio.security.v1beta1.AuthorizationPolicy
 // $title: Authorization Policy
 // $description: Configuration for access control on workloads.
 // $location: https://istio.io/docs/reference/config/security/authorization-policy.html
 // $weight: 20
-// $aliases: [/docs/reference/config/authorization/authorization-policy.html]
+// $aliases: [/docs/reference/config/authorization/authorization-policy]

 // Istio Authorization Policy enables access control on workloads in the mesh.
 //
-// For example, the following authorization policy applies to workloads matched with
-// label selector "app: httpbin, version: v1".
+// Authorization policy supports both allow and deny policies. When allow and
+// deny policies are used for a workload at the same time, the deny policies are
+// evaluated first. The evaluation is determined by the following rules:
+//
+// 1. If there are any DENY policies that match the request, deny the request.
+// 2. If there are no ALLOW policies for the workload, allow the request.
+// 3. If any of the ALLOW policies match the request, allow the request.
+// 4. Deny the request.
+//
+// For example, the following authorization policy sets the `action` to "ALLOW"
+// to create an allow policy. The default action is "ALLOW" but it is useful
+// to be explicit in the policy.
 //
 // It allows requests from:
+//
 // - service account "cluster.local/ns/default/sa/sleep" or
 // - namespace "test"
+//
 // to access the workload with:
+//
 // - "GET" method at paths of prefix "/info" or,
 // - "POST" method at path "/data".
+//
 // when the request has a valid JWT token issued by "https://accounts.google.com".
 //
-// Any other requests will be rejected.
+// Any other requests will be denied.
 //
 // ```yaml
 // apiVersion: security.istio.io/v1beta1
@@ -44,10 +59,7 @@ import "type/v1beta1/selector.proto";
 //  name: httpbin
 //  namespace: foo
 // spec:
-//  selector:
-//    matchLabels:
-//      app: httpbin
-//      version: v1
+//  action: ALLOW
 //  rules:
 //  - from:
 //    - source:
@@ -66,16 +78,30 @@ import "type/v1beta1/selector.proto";
 //      values: ["https://accounts.google.com"]
 // ```
 //
-// Access control is enabled on a workload if there is any authorization policies selecting
-// the workload. When access control is enabled, the default behavior is deny (deny-by-default)
-// which means requests to the workload will be rejected if the request is not allowed by any of
-// the authorization policies selecting the workload.
+// The following is another example that sets `action` to "DENY" to create a deny policy.
+// It denies requests from the "dev" namespace to the "POST" method on all workloads
+// in the "foo" namespace.
 //
-// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
-// if multiple authorization policies apply to the same workload, the effect is additive.
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+//  name: httpbin
+//  namespace: foo
+// spec:
+//  action: DENY
+//  rules:
+//  - from:
+//    - source:
+//        namespaces: ["dev"]
+//    to:
+//    - operation:
+//        methods: ["POST"]
+// ```
 //
 // Authorization Policy scope (target) is determined by "metadata/namespace" and
 // an optional "selector".
+//
 // - "metadata/namespace" tells which namespace the policy applies. If set to root
 // namespace, the policy applies to all namespaces in a mesh.
 // - workload "selector" can be used to further restrict where a policy applies.
@@ -106,6 +132,7 @@ import "type/v1beta1/selector.proto";
 //  name: policy
 //  namespace: foo
 // spec:
+//   {}
 // ```
 //
 // The following authorization policy applies to workloads containing label
@@ -139,6 +166,7 @@ option go_package="istio.io/api/security/v1beta1";
 //  name: deny-all
 //  namespace: foo
 // spec:
+//   {}
 // ```
 //
 // The following authorization policy allows all requests to workloads in namespace
@@ -155,6 +183,18 @@ option go_package="istio.io/api/security/v1beta1";
 //  - {}
 // ```
 //
+// <!-- crd generation tags
+// +cue-gen:AuthorizationPolicy:groupName:security.istio.io
+// +cue-gen:AuthorizationPolicy:version:v1beta1
+// +cue-gen:AuthorizationPolicy:storageVersion
+// +cue-gen:AuthorizationPolicy:annotations:helm.sh/resource-policy=keep
+// +cue-gen:AuthorizationPolicy:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
+// +cue-gen:AuthorizationPolicy:subresource:status
+// +cue-gen:AuthorizationPolicy:scope:Namespaced
+// +cue-gen:AuthorizationPolicy:resource:categories=istio-io,security-istio-io,plural=authorizationpolicies
+// +cue-gen:AuthorizationPolicy:preserveUnknownFields:false
+// -->
+//
 // <!-- go code generation tags
 // +kubetype-gen
 // +kubetype-gen:groupVersion=security.istio.io/v1beta1
@@ -167,16 +207,32 @@ message AuthorizationPolicy {
  // same namespace as the authorization policy.
  istio.type.v1beta1.WorkloadSelector selector = 1;

-  // Optional. A list of rules to specify the allowed access to the workload.
+  // Optional. A list of rules to match the request. A match occurs when at least
+  // one rule matches the request.
  //
-  // If not set, access is denied unless explicitly allowed by other authorization policy.
+  // If not set, the match will never occur. This is equivalent to setting a
+  // default of deny for the target workloads.
  repeated Rule rules = 2;
+
+  // Action specifies the operation to take.
+  enum Action {
+    // Allow a request only if it matches the rules. This is the default type.
+    ALLOW = 0;
+
+    // Deny a request if it matches any of the rules.
+    DENY = 1;
+  }
+
+  // Optional. The action to take if the request is matched with the rules.
+  Action action = 3;
 }

-// Rule allows access from a list of sources to perform a list of operations when
-// the condition is matched.
+// Rule matches requests from a list of sources that perform a list of operations subject to a
+// list of conditions. A match occurs when at least one source, operation and condition
+// matches the request. An empty rule is always matched.
 //
 // Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
+//
 // - Exact match: "abc" will match on value "abc".
 // - Prefix match: "abc*" will match on value "abc" and "abcd".
 // - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -210,64 +266,114 @@ message Rule {
  repeated Condition when = 3;
 }

-// Source specifies the source identities of a request.
+// Source specifies the source identities of a request. Fields in the source are
+// ANDed together.
+//
+// For example, the following source matches if the principal is "admin" or "dev"
+// and the namespace is "prod" or "test" and the ip is not "1.2.3.4".
+//
+// ```yaml
+// principals: ["admin", "dev"]
+// namespaces: ["prod", "test"]
+// not_ipblocks: ["1.2.3.4"]
+// ```
 message Source {
  // Optional. A list of source peer identities (i.e. service account), which
-  // matches to the "source.principal" attribute.
+  // matches to the "source.principal" attribute. This field requires mTLS enabled.
  //
  // If not set, any principal is allowed.
  repeated string principals = 1;

+  // Optional. A list of negative match of source peer identities.
+  repeated string not_principals = 5;
+
  // Optional. A list of request identities (i.e. "iss/sub" claims), which
  // matches to the "request.auth.principal" attribute.
  //
  // If not set, any request principal is allowed.
  repeated string request_principals = 2;

+  // Optional. A list of negative match of request identities.
+  repeated string not_request_principals = 6;
+
  // Optional. A list of namespaces, which matches to the "source.namespace"
-  // attribute.
+  // attribute. This field requires mTLS enabled.
  //
  // If not set, any namespace is allowed.
  repeated string namespaces = 3;

+  // Optional. A list of negative match of namespaces.
+  repeated string not_namespaces = 7;
+
  // Optional. A list of IP blocks, which matches to the "source.ip" attribute.
  // Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
  //
  // If not set, any IP is allowed.
  repeated string ip_blocks = 4;
+
+  // Optional. A list of negative match of IP blocks.
+  repeated string not_ip_blocks = 8;
 }

-// Operation specifies the operations of a request.
+// Operation specifies the operations of a request. Fields in the operation are
+// ANDed together.
+//
+// For example, the following operation matches if the host has suffix ".example.com"
+// and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".
+//
+// ```yaml
+// hosts: ["*.example.com"]
+// methods: ["GET", "HEAD"]
+// not_paths: ["/admin*"]
+// ```
 message Operation {
  // Optional. A list of hosts, which matches to the "request.host" attribute.
  //
  // If not set, any host is allowed. Must be used only with HTTP.
  repeated string hosts = 1;

+  // Optional. A list of negative match of hosts.
+  repeated string not_hosts = 5;
+
  // Optional. A list of ports, which matches to the "destination.port" attribute.
  //
  // If not set, any port is allowed.
  repeated string ports = 2;

+  // Optional. A list of negative match of ports.
+  repeated string not_ports = 6;
+
  // Optional. A list of methods, which matches to the "request.method" attribute.
-  // For gRPC service, this should be the fully-qualified name in the form of
-  // "/package.service/method"
+  // For gRPC service, this will always be "POST".
  //
-  // If not set, any method is allowed. Must be used only with HTTP or gRPC.
+  // If not set, any method is allowed. Must be used only with HTTP.
  repeated string methods = 3;

+  // Optional. A list of negative match of methods.
+  repeated string not_methods = 7;
+
  // Optional. A list of paths, which matches to the "request.url_path" attribute.
+  // For gRPC service, this will be the fully-qualified name in the form of
+  // "/package.service/method".
  //
  // If not set, any path is allowed. Must be used only with HTTP.
  repeated string paths = 4;
+
+  // Optional. A list of negative match of paths.
+  repeated string not_paths = 8;
 }

 // Condition specifies additional required attributes.
 message Condition {
  // The name of an Istio attribute.
-  // See the [full list of supported attributes](https://istio.io/docs/reference/config/).
+  // See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/).
  string key = 1 [(google.api.field_behavior) = REQUIRED];

-  // The allowed values for the attribute.
-  repeated string values = 2 [(google.api.field_behavior) = REQUIRED];
+  // Optional. A list of allowed values for the attribute.
+  // Note: at least one of values or not_values must be set.
+  repeated string values = 2;
+
+  // Optional. A list of negative match of values for the attribute.
+  // Note: at least one of values or not_values must be set.
+  repeated string not_values = 3;
 }