161 lines
5.3 KiB
Protocol Buffer
161 lines
5.3 KiB
Protocol Buffer
// Copyright 2019 Istio Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
syntax = "proto3";
|
|
|
|
import "type/v1beta1/selector.proto";
|
|
import "security/v1beta1/jwt.proto";
|
|
|
|
// $schema: istio.security.v1beta1.RequestAuthentication
|
|
// $title: RequestAuthentication
|
|
// $description: Request authentication configuration for workloads.
|
|
// $location: https://istio.io/docs/reference/config/security/request_authentication.html
|
|
// $aliases: [/docs/reference/config/security/v1beta1/request_authentication]
|
|
|
|
package istio.security.v1beta1;
|
|
|
|
option go_package="istio.io/api/security/v1beta1";
|
|
|
|
// RequestAuthentication defines what request authentication methods are supported by a workload.
|
|
// If will reject a request if the request contains invalid authentication information, based on the
|
|
// configured authentication rules. A request that does not contain any authentication credentials
|
|
// will be accepted but will not have any authenticated identity. To restrict access to authenticated
|
|
// requests only, this should be accompanied by an authorization rule.
|
|
// Examples:
|
|
//
|
|
// - Require JWT for all request for workloads that have label `app:httpbin`
|
|
//
|
|
// ```yaml
|
|
// apiVersion: security.istio.io/v1beta1
|
|
// kind: RequestAuthentication
|
|
// metadata:
|
|
// name: httpbin
|
|
// namespace: foo
|
|
// spec:
|
|
// selector:
|
|
// matchLabels:
|
|
// app: httpbin
|
|
// jwtRules:
|
|
// - issuer: "issuer-foo"
|
|
// jwksUri: https://example.com/.well-known/jwks.json
|
|
// ---
|
|
// apiVersion: security.istio.io/v1beta1
|
|
// kind: AuthorizationPolicy
|
|
// metadata:
|
|
// name: httpbin
|
|
// namespace: foo
|
|
// spec:
|
|
// selector:
|
|
// matchLabels:
|
|
// app: httpbin
|
|
// rules:
|
|
// - from:
|
|
// - source:
|
|
// requestPrincipals: ["*"]
|
|
// ```
|
|
//
|
|
// - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication`
|
|
// declares it can accpet JWTs issuer by either `issuer-foo` or `issuer-bar` (the public key set is implicitly
|
|
// set from the OpenID Connect spec).
|
|
//
|
|
// ```yaml
|
|
// apiVersion: security.istio.io/v1beta1
|
|
// kind: RequestAuthentication
|
|
// metadata:
|
|
// name: httpbin
|
|
// namespace: foo
|
|
// spec:
|
|
// selector:
|
|
// matchLabels:
|
|
// app: httpbin
|
|
// jwtRules:
|
|
// - issuer: "issuer-foo"
|
|
// - issuer: "issuer-bar"
|
|
// ---
|
|
// apiVersion: security.istio.io/v1beta1
|
|
// kind: AuthorizationPolicy
|
|
// metadata:
|
|
// name: httpbin
|
|
// namespace: foo
|
|
// spec:
|
|
// selector:
|
|
// matchLabels:
|
|
// app: httpbin
|
|
// rules:
|
|
// - from:
|
|
// - source:
|
|
// requestPrincipals: ["issuer-foo/*"]
|
|
// to:
|
|
// hosts: ["example.com"]
|
|
// - from:
|
|
// - source:
|
|
// requestPrincipals: ["issuer-bar/*"]
|
|
// to:
|
|
// hosts: ["another-host.com"]
|
|
// ```
|
|
//
|
|
// - You can fine tune the authorization policy to set different requirement per path. For example,
|
|
// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the
|
|
// authorization policy could be:
|
|
//
|
|
// ```yaml
|
|
// apiVersion: security.istio.io/v1beta1
|
|
// kind: AuthorizationPolicy
|
|
// metadata:
|
|
// name: httpbin
|
|
// namespace: foo
|
|
// spec:
|
|
// selector:
|
|
// matchLabels:
|
|
// app: httpbin
|
|
// rules:
|
|
// - from:
|
|
// - source:
|
|
// requestPrincipals: ["*"]
|
|
// - to:
|
|
// - operation:
|
|
// paths: ["/healthz]
|
|
// ```
|
|
//
|
|
// <!-- crd generation tags
|
|
// +cue-gen:RequestAuthentication:groupName:security.istio.io
|
|
// +cue-gen:RequestAuthentication:version:v1beta1
|
|
// +cue-gen:RequestAuthentication:storageVersion
|
|
// +cue-gen:RequestAuthentication:annotations:helm.sh/resource-policy=keep
|
|
// +cue-gen:RequestAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
|
|
// +cue-gen:RequestAuthentication:subresource:status
|
|
// +cue-gen:RequestAuthentication:scope:Namespaced
|
|
// +cue-gen:RequestAuthentication:resource:categories=istio-io,security-istio-io,shortNames=ra
|
|
// +cue-gen:RequestAuthentication:preserveUnknownFields:false
|
|
// -->
|
|
//
|
|
// <!-- go code generation tags
|
|
// +kubetype-gen
|
|
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
|
|
// +genclient
|
|
// +k8s:deepcopy-gen=true
|
|
// -->
|
|
message RequestAuthentication {
|
|
// The selector determines the workloads to apply the RequestAuthentication on.
|
|
// If not set, the policy will be applied to all workloads in the same namespace as the policy.
|
|
istio.type.v1beta1.WorkloadSelector selector = 1;
|
|
|
|
// Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
|
|
// will be used to extract the authenticated identity.
|
|
// Each rule will be activated only when a token is presented at the location recorgnized by the
|
|
// rule. The token will be validated based on the JWT rule config. If validation fails, the request will
|
|
// be rejected.
|
|
// Note: if more than one token is presented (at different locations), the output principal is nondeterministic.
|
|
repeated JWTRule jwt_rules = 2;
|
|
}
|