admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d264572dc15f8a805d74371e33d30b4e164639e
kubesphere/vendor/istio.io/api/rbac/v1alpha1/istio.rbac.v1alpha1.gen.json
hongming fe6c5de00f update dependencies 
Signed-off-by: hongming <talonwan@yunify.com>
2021-01-04 15:35:32 +08:00

321 lines
15 KiB
JSON
Raw Blame History

{
"openapi": "3.0.0",
"info": {
"title": "",
"version": "v1alpha1"
},
"components": {
"schemas": {
"istio.rbac.v1alpha1.ServiceRole": {
"description": "ServiceRole specification contains a list of access rules (permissions).",
"type": "object",
"properties": {
"rules": {
"description": "The set of access rules (permissions) that the role has.",
"type": "array",
"items": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.AccessRule"
}
}
}
},
"istio.rbac.v1alpha1.AccessRule": {
"description": "AccessRule defines a permission to access a list of services.",
"type": "object",
"properties": {
"services": {
"description": "A list of service names. Exact match, prefix match, and suffix match are supported for service names. For example, the service name \"bookstore.mtv.cluster.local\" matches \"bookstore.mtv.cluster.local\" (exact match), or \"bookstore\\*\" (prefix match), or \"\\*.mtv.cluster.local\" (suffix match). If set to [\"\\*\"], it refers to all services in the namespace.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"hosts": {
"description": "Optional. A list of HTTP hosts. This is matched against the HOST header in a HTTP request. Exact match, prefix match and suffix match are supported. For example, the host \"test.abc.com\" matches \"test.abc.com\" (exact match), or \"\\*.abc.com\" (prefix match), or \"test.abc.\\*\" (suffix match). If not specified, it matches to any host. This field should not be set for TCP services. The policy will be ignored.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notHosts": {
"description": "Optional. A list of HTTP hosts that must not be matched.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"paths": {
"description": "Optional. A list of HTTP paths or gRPC methods. gRPC methods must be presented as fully-qualified name in the form of \"/packageName.serviceName/methodName\" and are case sensitive. Exact match, prefix match, and suffix match are supported. For example, the path \"/books/review\" matches \"/books/review\" (exact match), or \"/books/\\*\" (prefix match), or \"\\*/review\" (suffix match). If not specified, it matches to any path. This field should not be set for TCP services. The policy will be ignored.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notPaths": {
"description": "Optional. A list of HTTP paths or gRPC methods that must not be matched.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"methods": {
"description": "Optional. A list of HTTP methods (e.g., \"GET\", \"POST\"). If not specified or specified as \"\\*\", it matches to any methods. This field should not be set for TCP services. The policy will be ignored. For gRPC services, only `POST` is allowed; other methods will result in denying services.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notMethods": {
"description": "Optional. A list of HTTP methods that must not be matched. Note: It's an error to set methods and not_methods at the same time.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"ports": {
"description": "Optional. A list of port numbers of the request. If not specified, it matches to any port number. Note: It's an error to set ports and not_ports at the same time.",
"type": "array",
"items": {
"type": "integer",
"format": "int32"
}
},
"notPorts": {
"description": "Optional. A list of port numbers that must not be matched. Note: It's an error to set ports and not_ports at the same time.",
"type": "array",
"items": {
"type": "integer",
"format": "int32"
}
},
"constraints": {
"description": "Optional. Extra constraints in the ServiceRole specification.",
"type": "array",
"items": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.AccessRule.Constraint"
}
}
}
},
"istio.rbac.v1alpha1.AccessRule.Constraint": {
"description": "Definition of a custom constraint. The supported keys are listed in the \"constraint and properties\" page.",
"type": "object",
"properties": {
"key": {
"description": "Key of the constraint.",
"type": "string",
"format": "string"
},
"values": {
"description": "List of valid values for the constraint. Exact match, prefix match, and suffix match are supported. For example, the value \"v1alpha2\" matches \"v1alpha2\" (exact match), or \"v1\\*\" (prefix match), or \"\\*alpha2\" (suffix match).",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
}
}
},
"istio.rbac.v1alpha1.EnforcementMode": {
"description": "RBAC ServiceRoleBinding enforcement mode, used to verify new ServiceRoleBinding configs work as expected before rolling to production. RBAC engine only logs results from configs that are in permissive mode, and discards result before returning to the user.",
"type": "string",
"enum": [
"ENFORCED",
"PERMISSIVE"
]
},
"istio.rbac.v1alpha1.ServiceRoleBinding": {
"description": "ServiceRoleBinding assigns a ServiceRole to a list of subjects.",
"type": "object",
"properties": {
"subjects": {
"description": "List of subjects that are assigned the ServiceRole object.",
"type": "array",
"items": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.Subject"
}
},
"roleRef": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.RoleRef"
},
"mode": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.EnforcementMode"
},
"actions": {
"description": "Inline role definition. An inline role is a role that is defined inside an authorization policy, instead of explicitly defined in a ServiceRole object. Inline roles can be used for the role definitions that are not intended to be reused in other bindings, while explicit roles are reusable. Both inline roles (defined in \"actions\" field) and explicit roles (defined in ServiceRole) are supported. Users should use only one of them in a single binding. For example, the following \"product-frontend\" AuthorizationPolicy allows \"frontend\" service to view \"product\" service on \"/info\" path. ```yaml apiVersion: \"rbac.istio.io/v1alpha1\" kind: AuthorizationPolicy metadata: name: product-frontend namespace: ns1 spec: selector: labels: app: product allow: - subjects: - names: [\"cluster.local/ns/default/sa/frontend\"] actions: - paths: [\"/info\"] methods: [\"GET\"] The set of access rules (permissions) that the role has.",
"type": "array",
"items": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.AccessRule"
}
},
"role": {
"description": "A `role` inside a ServiceRoleBinding refers to the ServiceRole that this ServiceRoleBinding binds to. A ServiceRoleBinding can bind to a ServiceRole in the same namespace or the root namespace. A ServiceRole in the root namespace represents a mesh global ServiceRole. The value of `role` is the name of the ServiceRole, and it can start with or without a forward slash (\"/\"). When a `role` starts with \"/\", e.g. \"/service-viewer\", it means that this ServiceRoleBinding refers to the ServiceRole in the configurable Istio root namespace. When a `role` starts without \"/\", this ServiceRoleBinding refers to the ServiceRole in the same namespace as the AuthorizationPolicy's, which contains said ServiceRoleBinding.",
"type": "string",
"format": "string"
}
}
},
"istio.rbac.v1alpha1.Subject": {
"description": "Subject defines an identity. The identity is either a user or identified by a set of `properties`. The supported keys in `properties` are listed in \"constraint and properties\" page.",
"type": "object",
"properties": {
"user": {
"description": "Optional. The user name/ID that the subject represents.",
"type": "string",
"format": "string"
},
"names": {
"description": "Optional. A list of subject names. This is matched to the `source.principal` attribute. If one of subject names is \"\\*\", it matches to a subject with any name. Prefix and suffix matches are supported.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notNames": {
"description": "Optional. A list of subject names that must not be matched.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"group": {
"description": "Optional. The group that the subject belongs to. Deprecated. Use groups and not_groups instead.",
"type": "string",
"format": "string",
"deprecated": true
},
"groups": {
"description": "Optional. A list of groups that the subject represents. This is matched to the `request.auth.claims[groups]` attribute. If not specified, it applies to any groups.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notGroups": {
"description": "Optional. A list of groups that must not be matched.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"namespaces": {
"description": "Optional. A list of namespaces that the subject represents. This is matched to the `source.namespace` attribute. If not specified, it applies to any namespaces.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notNamespaces": {
"description": "Optional. A list of namespaces that must not be matched.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"ips": {
"description": "Optional. A list of IP address or CIDR ranges that the subject represents. E.g. 192.168.100.2 or 10.1.0.0/16. If not specified, it applies to any IP addresses.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"notIps": {
"description": "Optional. A list of IP addresses or CIDR ranges that must not be matched.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"properties": {
"description": "Optional. The set of properties that identify the subject.",
"type": "object",
"additionalProperties": {
"type": "string",
"format": "string"
}
}
}
},
"istio.rbac.v1alpha1.RoleRef": {
"description": "RoleRef refers to a role object.",
"type": "object",
"properties": {
"name": {
"description": "The name of the ServiceRole object being referenced. The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.",
"type": "string",
"format": "string"
},
"kind": {
"description": "The type of the role being referenced. Currently, \"ServiceRole\" is the only supported value for \"kind\".",
"type": "string",
"format": "string"
}
}
},
"istio.rbac.v1alpha1.RbacConfig": {
"description": "RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior. The ClusterRbacConfig Custom Resource is a singleton where only one ClusterRbacConfig should be created globally in the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`.",
"type": "object",
"properties": {
"mode": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.RbacConfig.Mode"
},
"inclusion": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.RbacConfig.Target"
},
"exclusion": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.RbacConfig.Target"
},
"enforcementMode": {
"$ref": "#/components/schemas/istio.rbac.v1alpha1.EnforcementMode"
}
}
},
"istio.rbac.v1alpha1.RbacConfig.Mode": {
"type": "string",
"enum": [
"OFF",
"ON",
"ON_WITH_INCLUSION",
"ON_WITH_EXCLUSION"
]
},
"istio.rbac.v1alpha1.RbacConfig.Target": {
"description": "Target defines a list of services or namespaces.",
"type": "object",
"properties": {
"services": {
"description": "A list of services.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"namespaces": {
"description": "A list of namespaces.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
}
}
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink