{ "openapi": "3.0.0", "info": { "title": "Configuration for access control on workloads.", "version": "v1beta1" }, "components": { "schemas": { "istio.security.v1beta1.AuthorizationPolicy": { "description": "AuthorizationPolicy enables access control on workloads.", "type": "object", "properties": { "selector": { "$ref": "#/components/schemas/istio.type.v1beta1.WorkloadSelector" }, "rules": { "description": "Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.", "type": "array", "items": { "$ref": "#/components/schemas/istio.security.v1beta1.Rule" } }, "action": { "$ref": "#/components/schemas/istio.security.v1beta1.AuthorizationPolicy.Action" } } }, "istio.security.v1beta1.Rule": { "description": "Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.", "type": "object", "properties": { "from": { "description": "Optional. from specifies the source of a request.", "type": "array", "items": { "$ref": "#/components/schemas/istio.security.v1beta1.Rule.From" } }, "to": { "description": "Optional. to specifies the operation of a request.", "type": "array", "items": { "$ref": "#/components/schemas/istio.security.v1beta1.Rule.To" } }, "when": { "description": "Optional. when specifies a list of additional conditions of a request.", "type": "array", "items": { "$ref": "#/components/schemas/istio.security.v1beta1.Condition" } } } }, "istio.security.v1beta1.AuthorizationPolicy.Action": { "description": "Action specifies the operation to take.", "type": "string", "enum": [ "ALLOW", "DENY" ] }, "istio.security.v1beta1.Rule.From": { "description": "From includes a list or sources.", "type": "object", "properties": { "source": { "$ref": "#/components/schemas/istio.security.v1beta1.Source" } } }, "istio.security.v1beta1.Rule.To": { "description": "To includes a list or operations.", "type": "object", "properties": { "operation": { "$ref": "#/components/schemas/istio.security.v1beta1.Operation" } } }, "istio.security.v1beta1.Condition": { "description": "Condition specifies additional required attributes.", "type": "object", "properties": { "key": { "description": "The name of an Istio attribute. See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/).", "type": "string", "format": "string" }, "values": { "description": "Optional. A list of allowed values for the attribute. Note: at least one of values or not_values must be set.", "type": "array", "items": { "type": "string", "format": "string" } }, "notValues": { "description": "Optional. A list of negative match of values for the attribute. Note: at least one of values or not_values must be set.", "type": "array", "items": { "type": "string", "format": "string" } } } }, "istio.security.v1beta1.Source": { "description": "Source specifies the source identities of a request. Fields in the source are ANDed together.", "type": "object", "properties": { "principals": { "description": "Optional. A list of source peer identities (i.e. service account), which matches to the \"source.principal\" attribute. This field requires mTLS enabled.", "type": "array", "items": { "type": "string", "format": "string" } }, "notPrincipals": { "description": "Optional. A list of negative match of source peer identities.", "type": "array", "items": { "type": "string", "format": "string" } }, "requestPrincipals": { "description": "Optional. A list of request identities (i.e. \"iss/sub\" claims), which matches to the \"request.auth.principal\" attribute.", "type": "array", "items": { "type": "string", "format": "string" } }, "notRequestPrincipals": { "description": "Optional. A list of negative match of request identities.", "type": "array", "items": { "type": "string", "format": "string" } }, "namespaces": { "description": "Optional. A list of namespaces, which matches to the \"source.namespace\" attribute. This field requires mTLS enabled.", "type": "array", "items": { "type": "string", "format": "string" } }, "notNamespaces": { "description": "Optional. A list of negative match of namespaces.", "type": "array", "items": { "type": "string", "format": "string" } }, "ipBlocks": { "description": "Optional. A list of IP blocks, which matches to the \"source.ip\" attribute. Single IP (e.g. \"1.2.3.4\") and CIDR (e.g. \"1.2.3.0/24\") are supported.", "type": "array", "items": { "type": "string", "format": "string" } }, "notIpBlocks": { "description": "Optional. A list of negative match of IP blocks.", "type": "array", "items": { "type": "string", "format": "string" } } } }, "istio.security.v1beta1.Operation": { "description": "Operation specifies the operations of a request. Fields in the operation are ANDed together.", "type": "object", "properties": { "hosts": { "description": "Optional. A list of hosts, which matches to the \"request.host\" attribute.", "type": "array", "items": { "type": "string", "format": "string" } }, "notHosts": { "description": "Optional. A list of negative match of hosts.", "type": "array", "items": { "type": "string", "format": "string" } }, "ports": { "description": "Optional. A list of ports, which matches to the \"destination.port\" attribute.", "type": "array", "items": { "type": "string", "format": "string" } }, "notPorts": { "description": "Optional. A list of negative match of ports.", "type": "array", "items": { "type": "string", "format": "string" } }, "methods": { "description": "Optional. A list of methods, which matches to the \"request.method\" attribute. For gRPC service, this will always be \"POST\".", "type": "array", "items": { "type": "string", "format": "string" } }, "notMethods": { "description": "Optional. A list of negative match of methods.", "type": "array", "items": { "type": "string", "format": "string" } }, "paths": { "description": "Optional. A list of paths, which matches to the \"request.url_path\" attribute. For gRPC service, this will be the fully-qualified name in the form of \"/package.service/method\".", "type": "array", "items": { "type": "string", "format": "string" } }, "notPaths": { "description": "Optional. A list of negative match of paths.", "type": "array", "items": { "type": "string", "format": "string" } } } }, "istio.type.v1beta1.WorkloadSelector": { "description": "The selector determines the workloads to apply the RequestAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.", "type": "object", "properties": { "matchLabels": { "description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.", "type": "object", "additionalProperties": { "type": "string", "format": "string" } } } } } } }