use istio client-go library instead of knative bump kubernetes dependency version change code coverage to codecov
// Code generated by protoc-gen-gogo. DO NOT EDIT.
|
|
// source: security/v1beta1/authorization.proto
|
|
|
|
// Istio Authorization Policy enables access control on workloads in the mesh.
|
|
//
|
|
// For example, the following authorization policy applies to workloads matched with
|
|
// label selector "app: httpbin, version: v1".
|
|
//
|
|
// It allows requests from:
|
|
// - service account "cluster.local/ns/default/sa/sleep" or
|
|
// - namespace "test"
|
|
// to access the workload with:
|
|
// - "GET" method at paths of prefix "/info" or,
|
|
// - "POST" method at path "/data".
|
|
// when the request has a valid JWT token issued by "https://accounts.google.com".
|
|
//
|
|
// Any other requests will be rejected.
|
|
//
|
|
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//   name: httpbin
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: httpbin
//       version: v1
//   rules:
//   - from:
//     - source:
//         principals: ["cluster.local/ns/default/sa/sleep"]
//     - source:
//         namespaces: ["test"]
//     to:
//     - operation:
//         methods: ["GET"]
//         paths: ["/info*"]
//     - operation:
//         methods: ["POST"]
//         paths: ["/data"]
//     when:
//     - key: request.auth.claims[iss]
//       values: ["https://accounts.google.com"]
// ```
|
|
//
|
|
// Access control is enabled on a workload if any authorization policy selects
// the workload. When access control is enabled, the default behavior is deny (deny-by-default),
// which means a request to the workload is rejected unless it is allowed by at least one of
// the authorization policies selecting the workload.
|
|
//
|
|
// Currently AuthorizationPolicy only supports "ALLOW" action. This means that
|
|
// if multiple authorization policies apply to the same workload, the effect is additive.
|
|
//
|
|
// Authorization Policy scope (target) is determined by "metadata/namespace" and
|
|
// an optional "selector".
|
|
// - "metadata/namespace" tells which namespace the policy applies to. If set to the root
// namespace, the policy applies to all namespaces in a mesh.
|
|
// - workload "selector" can be used to further restrict where a policy applies.
|
|
//
|
|
// For example,
|
|
//
|
|
// The following authorization policy applies to workloads containing label
|
|
// "app: httpbin" in namespace bar.
|
|
//
|
|
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//   name: policy
//   namespace: bar
// spec:
//   selector:
//     matchLabels:
//       app: httpbin
// ```
|
|
//
|
|
// The following authorization policy applies to all workloads in namespace foo.
// It has no rules, so under the deny-by-default behavior described above it allows
// nothing: every request to those workloads is rejected.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//   name: policy
//   namespace: foo
// spec:
// ```
|
|
//
|
|
// The following authorization policy applies to workloads containing label
|
|
// "version: v1" in all namespaces in the mesh. (Assuming the root namespace is
|
|
// configured to "istio-config").
|
|
//
|
|
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//   name: policy
//   namespace: istio-config
// spec:
//   selector:
//     matchLabels:
//       version: v1
// ```
|
|
|
|
package v1beta1
|
|
|
|
import (
|
|
bytes "bytes"
|
|
fmt "fmt"
|
|
github_com_gogo_protobuf_jsonpb "github.com/gogo/protobuf/jsonpb"
|
|
proto "github.com/gogo/protobuf/proto"
|
|
_ "istio.io/api/type/v1beta1"
|
|
_ "istio.io/gogo-genproto/googleapis/google/api"
|
|
math "math"
|
|
)
|
|
|
|
// Blank assignments that keep the proto, fmt and math imports referenced, so
// the generated file still compiles when nothing else in it uses them.
var (
	_ = proto.Marshal
	_ = fmt.Errorf
	_ = math.Inf
)
|
|
|
|
// MarshalJSON implements json.Marshaler for AuthorizationPolicy by encoding the
// message through the package-level AuthorizationMarshaler.
//
// The returned bytes are built from whatever string MarshalToString produced,
// so callers must check the error before using them.
func (m *AuthorizationPolicy) MarshalJSON() ([]byte, error) {
	encoded, marshalErr := AuthorizationMarshaler.MarshalToString(m)
	out := []byte(encoded)
	return out, marshalErr
}
|
|
|
|
// UnmarshalJSON implements json.Unmarshaler for AuthorizationPolicy. The raw
// JSON in b is decoded into the receiver by the package-level
// AuthorizationUnmarshaler, so that variable's options decide how strictly a
// policy document is parsed (for example, whether an unknown field is an error).
func (m *AuthorizationPolicy) UnmarshalJSON(b []byte) error {
	src := bytes.NewReader(b)
	return AuthorizationUnmarshaler.Unmarshal(src, m)
}
|
|
|
|
// MarshalJSON implements json.Marshaler for Rule by encoding the message
// through the package-level AuthorizationMarshaler. The error must be checked
// before the returned bytes are used.
func (m *Rule) MarshalJSON() ([]byte, error) {
	text, encErr := AuthorizationMarshaler.MarshalToString(m)
	payload := []byte(text)
	return payload, encErr
}
|
|
|
|
// UnmarshalJSON implements json.Unmarshaler for Rule. The raw JSON in b is
// decoded into the receiver by the package-level AuthorizationUnmarshaler, and
// that decoder's error is returned unchanged.
func (m *Rule) UnmarshalJSON(b []byte) error {
	input := bytes.NewReader(b)
	return AuthorizationUnmarshaler.Unmarshal(input, m)
}
|
|
|
|
// MarshalJSON implements json.Marshaler for Rule_From by encoding the message
// through the package-level AuthorizationMarshaler. The error must be checked
// before the returned bytes are used.
func (m *Rule_From) MarshalJSON() ([]byte, error) {
	jsonText, encErr := AuthorizationMarshaler.MarshalToString(m)
	raw := []byte(jsonText)
	return raw, encErr
}
|
|
|
|
// UnmarshalJSON implements json.Unmarshaler for Rule_From. The raw JSON in b
// is decoded into the receiver by the package-level AuthorizationUnmarshaler,
// and that decoder's error is returned unchanged.
func (m *Rule_From) UnmarshalJSON(b []byte) error {
	rd := bytes.NewReader(b)
	return AuthorizationUnmarshaler.Unmarshal(rd, m)
}
|
|
|
|
// MarshalJSON implements json.Marshaler for Rule_To by encoding the message
// through the package-level AuthorizationMarshaler. The error must be checked
// before the returned bytes are used.
func (m *Rule_To) MarshalJSON() ([]byte, error) {
	rendered, renderErr := AuthorizationMarshaler.MarshalToString(m)
	buf := []byte(rendered)
	return buf, renderErr
}
|
|
|
|
// UnmarshalJSON implements json.Unmarshaler for Rule_To. The raw JSON in b is
// decoded into the receiver by the package-level AuthorizationUnmarshaler, and
// that decoder's error is returned unchanged.
func (m *Rule_To) UnmarshalJSON(b []byte) error {
	reader := bytes.NewReader(b)
	return AuthorizationUnmarshaler.Unmarshal(reader, m)
}
|
|
|
|
// MarshalJSON implements json.Marshaler for Source by encoding the message
// through the package-level AuthorizationMarshaler. The error must be checked
// before the returned bytes are used.
func (m *Source) MarshalJSON() ([]byte, error) {
	serialized, serErr := AuthorizationMarshaler.MarshalToString(m)
	data := []byte(serialized)
	return data, serErr
}
|
|
|
|
// UnmarshalJSON implements json.Unmarshaler for Source. The raw JSON in b is
// decoded into the receiver by the package-level AuthorizationUnmarshaler, and
// that decoder's error is returned unchanged.
func (m *Source) UnmarshalJSON(b []byte) error {
	stream := bytes.NewReader(b)
	return AuthorizationUnmarshaler.Unmarshal(stream, m)
}
|
|
|
|
// MarshalJSON implements json.Marshaler for Operation by encoding the message
// through the package-level AuthorizationMarshaler. The error must be checked
// before the returned bytes are used.
func (m *Operation) MarshalJSON() ([]byte, error) {
	doc, docErr := AuthorizationMarshaler.MarshalToString(m)
	body := []byte(doc)
	return body, docErr
}
|
|
|
|
// UnmarshalJSON implements json.Unmarshaler for Operation. The raw JSON in b
// is decoded into the receiver by the package-level AuthorizationUnmarshaler,
// and that decoder's error is returned unchanged.
func (m *Operation) UnmarshalJSON(b []byte) error {
	in := bytes.NewReader(b)
	return AuthorizationUnmarshaler.Unmarshal(in, m)
}
|
|
|
|
// MarshalJSON implements json.Marshaler for Condition by encoding the message
// through the package-level AuthorizationMarshaler. The error must be checked
// before the returned bytes are used.
func (m *Condition) MarshalJSON() ([]byte, error) {
	s, mErr := AuthorizationMarshaler.MarshalToString(m)
	result := []byte(s)
	return result, mErr
}
|
|
|
|
// UnmarshalJSON implements json.Unmarshaler for Condition. The raw JSON in b
// is decoded into the receiver by the package-level AuthorizationUnmarshaler,
// and that decoder's error is returned unchanged.
func (m *Condition) UnmarshalJSON(b []byte) error {
	jsonIn := bytes.NewReader(b)
	return AuthorizationUnmarshaler.Unmarshal(jsonIn, m)
}
|
|
|
|
// AuthorizationMarshaler is the jsonpb marshaler shared by every MarshalJSON
// method in this file. It is created with zero-value options.
var AuthorizationMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{}

// AuthorizationUnmarshaler is the jsonpb unmarshaler shared by every
// UnmarshalJSON method in this file. It is created with zero-value options, so
// AllowUnknownFields is false and a document carrying an unrecognised field
// fails to decode instead of being accepted with that field dropped.
//
// NOTE(review): both variables are exported and mutable. Code that reassigns
// them or flips an option changes how every authorization type in this file
// is parsed; treat them as read-only after package initialisation.
var AuthorizationUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{}
|