// Copyright 2020 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

// Provides istio.type.v1beta1.WorkloadSelector, used by the `selector` field
// of PeerAuthentication below.
import "type/v1beta1/selector.proto";

// $schema: istio.security.v1beta1.PeerAuthentication
// $title: PeerAuthentication
// $description: Peer authentication configuration for workloads.
// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
// $aliases: [/docs/reference/config/security/v1beta1/peer_authentication]
package istio.security.v1beta1;

option go_package = "istio.io/api/security/v1beta1";

// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
//
// Examples:
//
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   mtls:
//     mode: STRICT
// ```
// For mesh level, put the policy in root-namespace according to your Istio installation.
//
// Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but
// require mTLS for workload `finance`.
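// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   mtls:
//     mode: PERMISSIVE
// ---
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: STRICT
// ```
// Policy to require mTLS (STRICT) for workload `finance`, but leave port 8080 to
// plaintext:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: STRICT
//   portLevelMtls:
//     8080:
//       mode: DISABLE
// ```
// Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
// settings for port 8080:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: UNSET
//   portLevelMtls:
//     8080:
//       mode: DISABLE
// ```
message PeerAuthentication {
  // The selector determines the workloads to apply the PeerAuthentication on.
  // If not set, the policy will be applied to all workloads in the same
  // namespace as the policy.
  istio.type.v1beta1.WorkloadSelector selector = 1;

  // Mutual TLS settings.
  message MutualTLS {
    // Mode decides whether a connection must be an mTLS tunnel, may be either
    // plaintext or mTLS, or is not tunneled at all.
    //
    // The values are deliberately unprefixed: they are the public YAML
    // vocabulary (`mode: STRICT`) and cannot be renamed without breaking
    // existing policies.
    enum Mode {
      // Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
      // At the top of the hierarchy (no parent to inherit from) this therefore
      // accepts plaintext connections, exactly like PERMISSIVE.
      UNSET = 0;
      // Connection is not tunneled.
      DISABLE = 1;
      // Connection can be either plaintext or mTLS tunnel.
      PERMISSIVE = 2;
      // Connection is an mTLS tunnel (TLS with client cert must be presented).
      STRICT = 3;
    }
    // Defines the mTLS mode used for peer authentication.
    Mode mode = 1;
  }

  // Mutual TLS settings for workload. If not defined, inherit from parent.
  MutualTLS mtls = 2;

  // Port specific mutual TLS settings, keyed by port number. An entry
  // overrides `mtls` for that port only; ports without an entry keep the
  // workload-level setting (see the port 8080 examples above).
  // NOTE(review): every example pairs this with a `selector`; presumably it is
  // only honored for workload-scoped policies — confirm against the controller.
  map<uint32, MutualTLS> port_level_mtls = 3;
}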