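--- /dev/null
+++ b/vendor/istio.io/api/security/v1beta1/peer_authentication.proto
@@ -0,0 +1,154 @@
+// Copyright 2020 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+syntax = "proto3";
+
+import "type/v1beta1/selector.proto";
+
+// $schema: istio.security.v1beta1.PeerAuthentication
+// $title: PeerAuthentication
+// $description: Peer authentication configuration for workloads.
+// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
+// $aliases: [/docs/reference/config/security/v1beta1/peer_authentication]
+
+package istio.security.v1beta1;
+
+option go_package="istio.io/api/security/v1beta1";
+
+// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
+//
+// Examples:
+//
+// Policy to allow mTLS traffic for all workloads under namespace `foo`:
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: PeerAuthentication
+// metadata:
+//   name: default
+//   namespace: foo
+// spec:
+//   mtls:
+//     mode: STRICT
+// ```
+// For mesh level, put the policy in root-namespace according to your Istio installation.
+//
+// Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but
+// require mTLS for workload `finance`.
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: PeerAuthentication
+// metadata:
+//   name: default
+//   namespace: foo
+// spec:
+//   mtls:
+//     mode: PERMISSIVE
+// ---
+// apiVersion: security.istio.io/v1beta1
+// kind: PeerAuthentication
+// metadata:
+//   name: default
+//   namespace: foo
+// spec:
+//   selector:
+//     matchLabels:
+//       app: finance
+//   mtls:
+//     mode: STRICT
+// ```
+// Policy to allow mTLS strict for all workloads, but leave port 8080 to
+// plaintext:
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: PeerAuthentication
+// metadata:
+//   name: default
+//   namespace: foo
+// spec:
+//   selector:
+//     matchLabels:
+//       app: finance
+//   mtls:
+//     mode: STRICT
+//   portLevelMtls:
+//     8080:
+//       mode: DISABLE
+// ```
+// Policy to inherite mTLS mode from namespace (or mesh) settings, and overwrite
+// settings for port 8080
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: PeerAuthentication
+// metadata:
+//   name: default
+//   namespace: foo
+// spec:
+//   selector:
+//     matchLabels:
+//       app: finance
+//   mtls:
+//     mode: UNSET
+//   portLevelMtls:
+//     8080:
+//       mode: DISABLE
+// ```
+//
+// <!-- crd generation tags
+// +cue-gen:PeerAuthentication:groupName:security.istio.io
+// +cue-gen:PeerAuthentication:version:v1beta1
+// +cue-gen:PeerAuthentication:storageVersion
+// +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep
+// +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
+// +cue-gen:PeerAuthentication:subresource:status
+// +cue-gen:PeerAuthentication:scope:Namespaced
+// +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa
+// +cue-gen:PeerAuthentication:preserveUnknownFields:false
+// -->
+//
+// <!-- go code generation tags
+// +kubetype-gen
+// +kubetype-gen:groupVersion=security.istio.io/v1beta1
+// +genclient
+// +k8s:deepcopy-gen=true
+// -->
+message PeerAuthentication {
+  // The selector determines the workloads to apply the ChannelAuthentication on.
+  // If not set, the policy will be applied to all workloads in the same namespace as the policy.
+  istio.type.v1beta1.WorkloadSelector selector = 1;
+
+  // Mutual TLS settings.
+  message MutualTLS {
+    enum Mode {
+      // Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
+      UNSET = 0;
+
+      // Connection is not tunneled.
+      DISABLE = 1;
+
+      // Connection can be either plaintext or mTLS tunnel.
+      PERMISSIVE = 2;
+
+      // Connection is an mTLS tunnel (TLS with client cert must be presented).
+      STRICT = 3;
+    }
+
+    // Defines the mTLS mode used for peer authentication.
+    Mode mode = 1;
+  }
+
+  // Mutual TLS settings for workload. If not defined, inherit from parent.
+  MutualTLS mtls = 2;
+
+  // Port specific mutual TLS settings.
+  map<uint32, MutualTLS> port_level_mtls = 3;
+}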