admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fbfbb8b8d2e4574932dce8e30458c7422ec00a50
kubesphere/vendor/istio.io/api/security/v1beta1/authorization.proto
zryfish ea88c8803d use istio client-go library instead of knative (#1661) 
use istio client-go library instead of knative
bump kubernetes dependency version
change code coverage to codecov
2019-12-13 11:26:18 +08:00

274 lines
8.5 KiB
Protocol Buffer
Raw Blame History

// Copyright 2019 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "google/api/field_behavior.proto";
import "type/v1beta1/selector.proto";
// $title: Authorization Policy
// $description: Configuration for access control on workloads.
// $location: https://istio.io/docs/reference/config/security/authorization-policy.html
// $weight: 20
// $aliases: [/docs/reference/config/authorization/authorization-policy.html]
// Istio Authorization Policy enables access control on workloads in the mesh.
//
// For example, the following authorization policy applies to workloads matched with
// label selector "app: httpbin, version: v1".
//
// It allows requests from:
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
// to access the workload with:
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
// when the request has a valid JWT token issued by "https://accounts.google.com".
//
// Any other requests will be rejected.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: httpbin
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: httpbin
// version: v1
// rules:
// - from:
// - source:
// principals: ["cluster.local/ns/default/sa/sleep"]
// - source:
// namespaces: ["test"]
// to:
// - operation:
// methods: ["GET"]
// paths: ["/info*"]
// - operation:
// methods: ["POST"]
// paths: ["/data"]
// when:
// - key: request.auth.claims[iss]
// values: ["https://accounts.google.com"]
// ```
//
// Access control is enabled on a workload if there is any authorization policies selecting
// the workload. When access control is enabled, the default behavior is deny (deny-by-default)
// which means requests to the workload will be rejected if the request is not allowed by any of
// the authorization policies selecting the workload.
//
// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
// if multiple authorization policies apply to the same workload, the effect is additive.
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to workloads containing label
// "app: httpbin" in namespace bar.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: bar
// spec:
// selector:
// matchLabels:
// app: httpbin
// ```
//
// The following authorization policy applies to all workloads in namespace foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: foo
// spec:
// ```
//
// The following authorization policy applies to workloads containing label
// "version: v1" in all namespaces in the mesh. (Assuming the root namespace is
// configured to "istio-config").
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: policy
// namespace: istio-config
// spec:
// selector:
// matchLabels:
// version: v1
// ```
package istio.security.v1beta1;
option go_package="istio.io/api/security/v1beta1";
// AuthorizationPolicy enables access control on workloads.
//
// For example, the following authorization policy denies all requests to workloads
// in namespace foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: deny-all
// namespace: foo
// spec:
// ```
//
// The following authorization policy allows all requests to workloads in namespace
// foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
// name: allow-all
// namespace: foo
// spec:
// rules:
// - {}
// ```
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
message AuthorizationPolicy {
// Optional. Workload selector decides where to apply the authorization policy.
// If not set, the authorization policy will be applied to all workloads in the
// same namespace as the authorization policy.
istio.type.v1beta1.WorkloadSelector selector = 1;
// Optional. A list of rules to specify the allowed access to the workload.
//
// If not set, access is denied unless explicitly allowed by other authorization policy.
repeated Rule rules = 2;
}
// Rule allows access from a list of sources to perform a list of operations when
// the condition is matched.
//
// Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
// - Exact match: "abc" will match on value "abc".
// - Prefix match: "abc*" will match on value "abc" and "abcd".
// - Suffix match: "*abc" will match on value "abc" and "xabc".
// - Presence match: "*" will match when value is not empty.
message Rule {
// From includes a list or sources.
message From {
// Source specifies the source of a request.
Source source = 1;
}
// Optional. from specifies the source of a request.
//
// If not set, any source is allowed.
repeated From from = 1;
// To includes a list or operations.
message To {
// Operation specifies the operation of a request.
Operation operation = 1;
}
// Optional. to specifies the operation of a request.
//
// If not set, any operation is allowed.
repeated To to = 2;
// Optional. when specifies a list of additional conditions of a request.
//
// If not set, any condition is allowed.
repeated Condition when = 3;
}
// Source specifies the source identities of a request.
message Source {
// Optional. A list of source peer identities (i.e. service account), which
// matches to the "source.principal" attribute.
//
// If not set, any principal is allowed.
repeated string principals = 1;
// Optional. A list of request identities (i.e. "iss/sub" claims), which
// matches to the "request.auth.principal" attribute.
//
// If not set, any request principal is allowed.
repeated string request_principals = 2;
// Optional. A list of namespaces, which matches to the "source.namespace"
// attribute.
//
// If not set, any namespace is allowed.
repeated string namespaces = 3;
// Optional. A list of IP blocks, which matches to the "source.ip" attribute.
// Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
//
// If not set, any IP is allowed.
repeated string ip_blocks = 4;
}
// Operation specifies the operations of a request.
message Operation {
// Optional. A list of hosts, which matches to the "request.host" attribute.
//
// If not set, any host is allowed. Must be used only with HTTP.
repeated string hosts = 1;
// Optional. A list of ports, which matches to the "destination.port" attribute.
//
// If not set, any port is allowed.
repeated string ports = 2;
// Optional. A list of methods, which matches to the "request.method" attribute.
// For gRPC service, this should be the fully-qualified name in the form of
// "/package.service/method"
//
// If not set, any method is allowed. Must be used only with HTTP or gRPC.
repeated string methods = 3;
// Optional. A list of paths, which matches to the "request.url_path" attribute.
//
// If not set, any path is allowed. Must be used only with HTTP.
repeated string paths = 4;
}
// Condition specifies additional required attributes.
message Condition {
// The name of an Istio attribute.
// See the [full list of supported attributes](https://istio.io/docs/reference/config/).
string key = 1 [(google.api.field_behavior) = REQUIRED];
// The allowed values for the attribute.
repeated string values = 2 [(google.api.field_behavior) = REQUIRED];
}
Reference in New Issue View Git Blame Copy Permalink