// Copyright 2019 Istio Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; import "google/api/field_behavior.proto"; import "type/v1beta1/selector.proto"; // $title: Authorization Policy // $description: Configuration for access control on workloads. // $location: https://istio.io/docs/reference/config/security/authorization-policy.html // $weight: 20 // $aliases: [/docs/reference/config/authorization/authorization-policy.html] // Istio Authorization Policy enables access control on workloads in the mesh. // // For example, the following authorization policy applies to workloads matched with // label selector "app: httpbin, version: v1". // // It allows requests from: // - service account "cluster.local/ns/default/sa/sleep" or // - namespace "test" // to access the workload with: // - "GET" method at paths of prefix "/info" or, // - "POST" method at path "/data". // when the request has a valid JWT token issued by "https://accounts.google.com". // // Any other requests will be rejected. // // ```yaml // apiVersion: security.istio.io/v1beta1 // kind: AuthorizationPolicy // metadata: // name: httpbin // namespace: foo // spec: // selector: // matchLabels: // app: httpbin // version: v1 // rules: // - from: // - source: // principals: ["cluster.local/ns/default/sa/sleep"] // - source: // namespaces: ["test"] // to: // - operation: // methods: ["GET"] // paths: ["/info*"] // - operation: // methods: ["POST"] // paths: ["/data"] // when: // - key: request.auth.claims[iss] // values: ["https://accounts.google.com"] // ``` // // Access control is enabled on a workload if there is any authorization policies selecting // the workload. When access control is enabled, the default behavior is deny (deny-by-default) // which means requests to the workload will be rejected if the request is not allowed by any of // the authorization policies selecting the workload. // // Currently AuthorizationPolicy only supports "ALLOW" action. This means that // if multiple authorization policies apply to the same workload, the effect is additive. // // Authorization Policy scope (target) is determined by "metadata/namespace" and // an optional "selector". // - "metadata/namespace" tells which namespace the policy applies. If set to root // namespace, the policy applies to all namespaces in a mesh. // - workload "selector" can be used to further restrict where a policy applies. // // For example, // // The following authorization policy applies to workloads containing label // "app: httpbin" in namespace bar. // // ```yaml // apiVersion: security.istio.io/v1beta1 // kind: AuthorizationPolicy // metadata: // name: policy // namespace: bar // spec: // selector: // matchLabels: // app: httpbin // ``` // // The following authorization policy applies to all workloads in namespace foo. // // ```yaml // apiVersion: security.istio.io/v1beta1 // kind: AuthorizationPolicy // metadata: // name: policy // namespace: foo // spec: // ``` // // The following authorization policy applies to workloads containing label // "version: v1" in all namespaces in the mesh. (Assuming the root namespace is // configured to "istio-config"). // // ```yaml // apiVersion: security.istio.io/v1beta1 // kind: AuthorizationPolicy // metadata: // name: policy // namespace: istio-config // spec: // selector: // matchLabels: // version: v1 // ``` package istio.security.v1beta1; option go_package="istio.io/api/security/v1beta1"; // AuthorizationPolicy enables access control on workloads. // // For example, the following authorization policy denies all requests to workloads // in namespace foo. // // ```yaml // apiVersion: security.istio.io/v1beta1 // kind: AuthorizationPolicy // metadata: // name: deny-all // namespace: foo // spec: // ``` // // The following authorization policy allows all requests to workloads in namespace // foo. // // ```yaml // apiVersion: security.istio.io/v1beta1 // kind: AuthorizationPolicy // metadata: // name: allow-all // namespace: foo // spec: // rules: // - {} // ``` // // message AuthorizationPolicy { // Optional. Workload selector decides where to apply the authorization policy. // If not set, the authorization policy will be applied to all workloads in the // same namespace as the authorization policy. istio.type.v1beta1.WorkloadSelector selector = 1; // Optional. A list of rules to specify the allowed access to the workload. // // If not set, access is denied unless explicitly allowed by other authorization policy. repeated Rule rules = 2; } // Rule allows access from a list of sources to perform a list of operations when // the condition is matched. // // Any string field in the rule supports Exact, Prefix, Suffix and Presence match: // - Exact match: "abc" will match on value "abc". // - Prefix match: "abc*" will match on value "abc" and "abcd". // - Suffix match: "*abc" will match on value "abc" and "xabc". // - Presence match: "*" will match when value is not empty. message Rule { // From includes a list or sources. message From { // Source specifies the source of a request. Source source = 1; } // Optional. from specifies the source of a request. // // If not set, any source is allowed. repeated From from = 1; // To includes a list or operations. message To { // Operation specifies the operation of a request. Operation operation = 1; } // Optional. to specifies the operation of a request. // // If not set, any operation is allowed. repeated To to = 2; // Optional. when specifies a list of additional conditions of a request. // // If not set, any condition is allowed. repeated Condition when = 3; } // Source specifies the source identities of a request. message Source { // Optional. A list of source peer identities (i.e. service account), which // matches to the "source.principal" attribute. // // If not set, any principal is allowed. repeated string principals = 1; // Optional. A list of request identities (i.e. "iss/sub" claims), which // matches to the "request.auth.principal" attribute. // // If not set, any request principal is allowed. repeated string request_principals = 2; // Optional. A list of namespaces, which matches to the "source.namespace" // attribute. // // If not set, any namespace is allowed. repeated string namespaces = 3; // Optional. A list of IP blocks, which matches to the "source.ip" attribute. // Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. // // If not set, any IP is allowed. repeated string ip_blocks = 4; } // Operation specifies the operations of a request. message Operation { // Optional. A list of hosts, which matches to the "request.host" attribute. // // If not set, any host is allowed. Must be used only with HTTP. repeated string hosts = 1; // Optional. A list of ports, which matches to the "destination.port" attribute. // // If not set, any port is allowed. repeated string ports = 2; // Optional. A list of methods, which matches to the "request.method" attribute. // For gRPC service, this should be the fully-qualified name in the form of // "/package.service/method" // // If not set, any method is allowed. Must be used only with HTTP or gRPC. repeated string methods = 3; // Optional. A list of paths, which matches to the "request.url_path" attribute. // // If not set, any path is allowed. Must be used only with HTTP. repeated string paths = 4; } // Condition specifies additional required attributes. message Condition { // The name of an Istio attribute. // See the [full list of supported attributes](https://istio.io/docs/reference/config/). string key = 1 [(google.api.field_behavior) = REQUIRED]; // The allowed values for the attribute. repeated string values = 2 [(google.api.field_behavior) = REQUIRED]; }