v1beta1

package
v0.0.17
Published: Feb 15, 2022 License: Apache-2.0 Imports: 5 Imported by: 3

Documentation

Constants

This section is empty.

Variables

var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: security.GroupName, Version: "v1beta1"}

SchemeGroupVersion is the group version used to register these objects.

Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns back a Group qualified GroupKind

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type AuthorizationPolicy

type AuthorizationPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              AuthorizationPolicySpec `json:"spec"`
}

+genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object AuthorizationPolicy

func (*AuthorizationPolicy) DeepCopy

func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy.

func (*AuthorizationPolicy) DeepCopyInto

func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthorizationPolicy) DeepCopyObject

func (in *AuthorizationPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AuthorizationPolicyAction

type AuthorizationPolicyAction string

Action specifies the operation to take.

const (
	// Allow a request only if it matches the rules. This is the default type.
	AuthorizationPolicyActionAllow AuthorizationPolicyAction = "ALLOW"
	// Deny a request if it matches any of the rules.
	AuthorizationPolicyActionDeny AuthorizationPolicyAction = "DENY"
)

type AuthorizationPolicyList

type AuthorizationPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []AuthorizationPolicy `json:"items"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object AuthorizationPolicyList is a list of AuthorizationPolicy resources

func (*AuthorizationPolicyList) DeepCopy

func (in *AuthorizationPolicyList) DeepCopy() *AuthorizationPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicyList.

func (*AuthorizationPolicyList) DeepCopyInto

func (in *AuthorizationPolicyList) DeepCopyInto(out *AuthorizationPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthorizationPolicyList) DeepCopyObject

func (in *AuthorizationPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AuthorizationPolicySpec

type AuthorizationPolicySpec struct {
	// Optional. Workload selector decides where to apply the authorization policy.
	// If not set, the authorization policy will be applied to all workloads in the
	// same namespace as the authorization policy.
	Selector *selector.WorkloadSelector `json:"selector,omitempty"`
	// Optional. A list of rules to match the request. A match occurs when at least
	// one rule matches the request.
	//
	// If not set, the match will never occur. This is equivalent to setting a
	// default of deny for the target workloads.
	Rules []*Rule `json:"rules,omitempty"`
	// Optional. The action to take if the request is matched with the rules.
	Action AuthorizationPolicyAction `json:"action,omitempty"`
}

AuthorizationPolicy enables access control on workloads.

For example, the following authorization policy denies all requests to workloads in namespace foo.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: foo
spec:
  {}
```

The following authorization policy allows all requests to workloads in namespace foo.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-all
  namespace: foo
spec:
  rules:
  - {}
```

func (*AuthorizationPolicySpec) DeepCopy

func (in *AuthorizationPolicySpec) DeepCopy() *AuthorizationPolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicySpec.

func (*AuthorizationPolicySpec) DeepCopyInto

func (in *AuthorizationPolicySpec) DeepCopyInto(out *AuthorizationPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Condition

type Condition struct {
	// The name of an Istio attribute.
	// See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/).
	Key string `json:"key,omitempty"`
	// Optional. A list of allowed values for the attribute.
	// Note: at least one of values or not_values must be set.
	Values []string `json:"values,omitempty"`
	// Optional. A list of negative match of values for the attribute.
	// Note: at least one of values or not_values must be set.
	NotValues []string `json:"notValues,omitempty"`
}

Condition specifies additional required attributes.

func (*Condition) DeepCopy

func (in *Condition) DeepCopy() *Condition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.

func (*Condition) DeepCopyInto

func (in *Condition) DeepCopyInto(out *Condition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JWTHeader

type JWTHeader struct {
	// The HTTP header name.
	Name string `json:"name,omitempty"`
	// The prefix that should be stripped before decoding the token.
	// For example, for "Authorization: Bearer <token>", prefix="Bearer " with a space at the end.
	// If the header doesn't have this exact prefix, it is considered invalid.
	Prefix string `json:"prefix,omitempty"`
}

This message specifies a header location to extract JWT token.

func (*JWTHeader) DeepCopy

func (in *JWTHeader) DeepCopy() *JWTHeader

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTHeader.

func (*JWTHeader) DeepCopyInto

func (in *JWTHeader) DeepCopyInto(out *JWTHeader)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JWTRule

type JWTRule struct {
	// Identifies the issuer that issued the JWT. See
	// [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
	// A JWT with different `iss` claim will be rejected.
	//
	// Example: https://foobar.auth0.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `json:"issuer,omitempty"`
	// The list of JWT
	// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
	// that are allowed to access. A JWT containing any of these
	// audiences will be accepted.
	//
	// The service name will be accepted if audiences is empty.
	//
	// Example:
	//
	// ```yaml
	// audiences:
	// - bookstore_android.apps.example.com
	// - bookstore_web.apps.example.com
	// ```
	Audiences []string `json:"audiences,omitempty"`
	// URL of the provider's public key set to validate signature of the
	// JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
	//
	// Optional if the key set document can either (a) be retrieved from
	// [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
	// the issuer or (b) inferred from the email domain of the issuer (e.g. a
	// Google service account).
	//
	// Example: `https://www.googleapis.com/oauth2/v1/certs`
	//
	// Note: Only one of jwks_uri and jwks should be used; if both are set, jwks_uri is ignored.
	JwksURI string `json:"jwksUri,omitempty"`
	// JSON Web Key Set of public keys to validate signature of the JWT.
	// See https://auth0.com/docs/jwks.
	//
	// Note: Only one of jwks_uri and jwks should be used; if both are set, jwks_uri is ignored.
	Jwks string `json:"jwks,omitempty"`
	// List of header locations from which JWT is expected. For example, below is the location spec
	// if JWT is expected to be found in `x-jwt-assertion` header, and have "Bearer " prefix:
	// ```yaml
	//   fromHeaders:
	//   - name: x-jwt-assertion
	//     prefix: "Bearer "
	// ```
	FromHeaders []*JWTHeader `json:"fromHeaders,omitempty"`
	// List of query parameters from which JWT is expected. For example, if JWT is provided via query
	// parameter `my_token` (e.g /path?my_token=<JWT>), the config is:
	// ```yaml
	//   fromParams:
	//   - "my_token"
	// ```
	FromParams []string `json:"fromParams,omitempty"`
	// This field specifies the header name to output a successfully verified JWT payload to the
	// backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified,
	// the payload will not be emitted.
	OutputPayloadToHeader string `json:"outputPayloadToHeader,omitempty"`
	// If set to true, the original token will be kept for the upstream request. Default is false.
	ForwardOriginalToken bool `json:"forwardOriginalToken,omitempty"`
}

JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.

Examples:

Spec for a JWT that is issued by `https://example.com`, whose audience claim must be either `bookstore_android.apps.example.com` or `bookstore_web.apps.example.com`. The token should be presented in the `Authorization` header (default). The JSON Web Key Set (JWKS) will be discovered following the OpenID Connect protocol.

```yaml
issuer: https://example.com
audiences:
- bookstore_android.apps.example.com
- bookstore_web.apps.example.com
```

This example specifies token in non-default location (`x-goog-iap-jwt-assertion` header). It also defines the URI to fetch JWKS explicitly.

```yaml
issuer: https://example.com
jwksUri: https://example.com/.secret/jwks.json
jwtHeaders:
- "x-goog-iap-jwt-assertion"
```
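An added example, not part of this package, of how a JWTRule's location and claim settings from above apply to a request: header extraction with the exact-prefix rule from JWTHeader, decoding of the payload, and the issuer/audience checks that yield the `iss/sub` request principal that Source.requestPrincipals matches on. It uses local copies of the types, handles only fromHeaders (fromParams is omitted), and deliberately performs no signature verification against jwksUri/jwks, which a real validator must do before any claim is trusted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// Local copies of the page's JWTHeader and the JWTRule fields used here (package not imported).
type JWTHeader struct{ Name, Prefix string }
type JWTRule struct {
	Issuer      string
	Audiences   []string
	FromHeaders []JWTHeader
}

// Claims are the registered claims checked below; "aud" may be a string or an
// array (RFC 7519 section 4.1.3), so it is kept raw and decoded either way.
type Claims struct {
	Iss string          `json:"iss"`
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
}

// TokenFromRequest finds the token in the first configured header that is present. That
// header must carry the exact prefix (case-sensitive, trailing space included), as the
// JWTHeader doc requires; otherwise the token is invalid.
func TokenFromRequest(rule JWTRule, r *http.Request) (string, error) {
	for _, h := range rule.FromHeaders {
		if v := r.Header.Get(h.Name); v != "" {
			if !strings.HasPrefix(v, h.Prefix) {
				return "", errors.New("header " + h.Name + ": missing prefix " + h.Prefix)
			}
			return strings.TrimPrefix(v, h.Prefix), nil
		}
	}
	return "", errors.New("no token at any configured location")
}

// UnverifiedClaims decodes only the payload segment. It does NOT check the
// signature against jwksUri/jwks; callers must verify before trusting the result.
func UnverifiedClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed JWT: want header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	return c, json.Unmarshal(raw, &c)
}

// RequestPrincipal applies the rule's issuer and audience checks and returns the
// "iss/sub" identity that Source.requestPrincipals matches on; an empty Audiences
// list accepts any audience, as the page describes.
func RequestPrincipal(rule JWTRule, c Claims) (string, error) {
	if c.Iss != rule.Issuer {
		return "", errors.New("issuer mismatch: " + c.Iss)
	}
	ok := len(rule.Audiences) == 0
	auds, one := []string(nil), ""
	if json.Unmarshal(c.Aud, &one) == nil {
		auds = []string{one}
	} else if !ok && json.Unmarshal(c.Aud, &auds) != nil {
		return "", errors.New("aud claim missing or neither a string nor an array")
	}
	for _, a := range auds {
		for _, want := range rule.Audiences {
			ok = ok || a == want
		}
	}
	if !ok {
		return "", errors.New("audience not allowed")
	}
	return c.Iss + "/" + c.Sub, nil
}
```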

func (*JWTRule) DeepCopy

func (in *JWTRule) DeepCopy() *JWTRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRule.

func (*JWTRule) DeepCopyInto

func (in *JWTRule) DeepCopyInto(out *JWTRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MTLSMode

type MTLSMode string

const (
	// Inherit from parent, if it has one. Otherwise treated as PERMISSIVE.
	MTLSModeUnset MTLSMode = "UNSET"
	// Connection is not tunneled.
	MTLSModeDisable MTLSMode = "DISABLE"
	// Connection can be either plaintext or mTLS tunnel.
	MTLSModePermissive MTLSMode = "PERMISSIVE"
	// Connection is an mTLS tunnel (TLS with client cert must be presented).
	MTLSModeStrict MTLSMode = "STRICT"
)

type Operation

type Operation struct {
	// Optional. A list of hosts, which matches to the "request.host" attribute.
	//
	// If not set, any host is allowed. Must be used only with HTTP.
	Hosts []string `json:"hosts,omitempty"`
	// Optional. A list of negative match of hosts.
	NotHosts []string `json:"notHosts,omitempty"`
	// Optional. A list of ports, which matches to the "destination.port" attribute.
	//
	// If not set, any port is allowed.
	Ports []string `json:"ports,omitempty"`
	// Optional. A list of negative match of ports.
	NotPorts []string `json:"notPorts,omitempty"`
	// Optional. A list of methods, which matches to the "request.method" attribute.
	// For gRPC service, this will always be "POST".
	//
	// If not set, any method is allowed. Must be used only with HTTP.
	Methods []string `json:"methods,omitempty"`
	// Optional. A list of negative match of methods.
	NotMethods []string `json:"notMethods,omitempty"`
	// Optional. A list of paths, which matches to the "request.url_path" attribute.
	// For gRPC service, this will be the fully-qualified name in the form of
	// "/package.service/method".
	//
	// If not set, any path is allowed. Must be used only with HTTP.
	Paths []string `json:"paths,omitempty"`
	// Optional. A list of negative match of paths.
	NotPaths []string `json:"notPaths,omitempty"`
}

Operation specifies the operations of a request. Fields in the operation are ANDed together.

For example, the following operation matches if the host has suffix ".example.com" and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".

```yaml
hosts: ["*.example.com"]
methods: ["GET", "HEAD"]
not_paths: ["/admin*"]
```

func (*Operation) DeepCopy

func (in *Operation) DeepCopy() *Operation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Operation.

func (*Operation) DeepCopyInto

func (in *Operation) DeepCopyInto(out *Operation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PeerAuthentication

type PeerAuthentication struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              PeerAuthenticationSpec `json:"spec"`
}

+genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object PeerAuthentication

func (*PeerAuthentication) DeepCopy

func (in *PeerAuthentication) DeepCopy() *PeerAuthentication

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication.

func (*PeerAuthentication) DeepCopyInto

func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PeerAuthentication) DeepCopyObject

func (in *PeerAuthentication) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PeerAuthenticationList

type PeerAuthenticationList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []PeerAuthentication `json:"items"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object PeerAuthenticationList is a list of PeerAuthentication resources

func (*PeerAuthenticationList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationList.

func (*PeerAuthenticationList) DeepCopyInto

func (in *PeerAuthenticationList) DeepCopyInto(out *PeerAuthenticationList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PeerAuthenticationList) DeepCopyObject

func (in *PeerAuthenticationList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PeerAuthenticationMTLS

type PeerAuthenticationMTLS struct {
	// Defines the mTLS mode used for peer authentication.
	Mode MTLSMode `json:"mode,omitempty"`
}

Mutual TLS settings.

func (*PeerAuthenticationMTLS) DeepCopy

func (in *PeerAuthenticationMTLS) DeepCopy() *PeerAuthenticationMTLS

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMTLS.

func (*PeerAuthenticationMTLS) DeepCopyInto

func (in *PeerAuthenticationMTLS) DeepCopyInto(out *PeerAuthenticationMTLS)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PeerAuthenticationSpec

type PeerAuthenticationSpec struct {
	// The selector determines the workloads to apply the PeerAuthentication on.
	// If not set, the policy will be applied to all workloads in the same namespace as the policy.
	Selector *selector.WorkloadSelector `json:"selector,omitempty"`
	// Mutual TLS settings for workload. If not defined, inherit from parent.
	Mtls *PeerAuthenticationMTLS `json:"mtls,omitempty"`
	// Port specific mutual TLS settings.
	PortLevelMtls map[uint32]*PeerAuthenticationMTLS `json:"portLevelMtls,omitempty"`
}

PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

Examples:

Policy to allow mTLS traffic for all workloads under namespace `foo`:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
```

For mesh level, put the policy in root-namespace according to your Istio installation.

Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but require mTLS for workload `finance`:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
```

Policy to allow mTLS strict for all workloads, but leave port 8080 to plaintext:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: DISABLE
```

Policy to inherit the mTLS mode from namespace (or mesh) settings, and overwrite the settings for port 8080:

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: UNSET
  portLevelMtls:
    8080:
      mode: DISABLE
```
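The UNSET/inherit semantics of MTLSMode and the portLevelMtls overrides used in the examples above, as an added Go example that is not part of this package. It models a mesh -> namespace -> workload chain with local copies of the types; the assumption that a more specific policy overrides its parent follows the page's examples, and Istio's other precedence rules (one policy per scope, root-namespace for mesh level) are not modelled.

```go
package main

import "fmt"

// Local copies of the page's MTLSMode, PeerAuthenticationMTLS and the
// PeerAuthenticationSpec fields used here (the package itself is not imported).
type MTLSMode string

const (
	MTLSModeUnset      MTLSMode = "UNSET"
	MTLSModeDisable    MTLSMode = "DISABLE"
	MTLSModePermissive MTLSMode = "PERMISSIVE"
	MTLSModeStrict     MTLSMode = "STRICT"
)

type PeerAuthenticationMTLS struct{ Mode MTLSMode }
type PeerAuthenticationSpec struct {
	Mtls          *PeerAuthenticationMTLS
	PortLevelMtls map[uint32]*PeerAuthenticationMTLS
}

// inherit keeps the child's mode unless it is absent or UNSET, in which case the
// parent's mode applies ("Inherit from parent, if it has one").
func inherit(parent MTLSMode, child *PeerAuthenticationMTLS) MTLSMode {
	if child == nil || child.Mode == MTLSModeUnset || child.Mode == "" {
		return parent
	}
	return child.Mode
}

// EffectiveMode resolves the mode for one port of a workload along the chain
// mesh -> namespace -> workload (any of which may be nil, i.e. no policy at that
// scope), then applies the workload policy's portLevelMtls entry for that port.
// With nothing set anywhere the result is PERMISSIVE, the page's fallback for
// UNSET without a parent.
func EffectiveMode(mesh, ns, workload *PeerAuthenticationSpec, port uint32) MTLSMode {
	mode := MTLSModePermissive
	for _, p := range []*PeerAuthenticationSpec{mesh, ns, workload} {
		if p != nil {
			mode = inherit(mode, p.Mtls)
		}
	}
	if workload != nil {
		if pl, ok := workload.PortLevelMtls[port]; ok {
			mode = inherit(mode, pl)
		}
	}
	return mode
}

func main() {
	// The page's last example: namespace foo is PERMISSIVE, workload finance is
	// UNSET (inherits) but disables mTLS on port 8080.
	ns := &PeerAuthenticationSpec{Mtls: &PeerAuthenticationMTLS{Mode: MTLSModePermissive}}
	finance := &PeerAuthenticationSpec{
		Mtls:          &PeerAuthenticationMTLS{Mode: MTLSModeUnset},
		PortLevelMtls: map[uint32]*PeerAuthenticationMTLS{8080: {Mode: MTLSModeDisable}},
	}
	fmt.Println(EffectiveMode(nil, ns, finance, 8080), EffectiveMode(nil, ns, finance, 443)) // DISABLE PERMISSIVE
}
```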

func (*PeerAuthenticationSpec) DeepCopy

func (in *PeerAuthenticationSpec) DeepCopy() *PeerAuthenticationSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationSpec.

func (*PeerAuthenticationSpec) DeepCopyInto

func (in *PeerAuthenticationSpec) DeepCopyInto(out *PeerAuthenticationSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RequestAuthentication

type RequestAuthentication struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              RequestAuthenticationSpec `json:"spec"`
}

+genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object RequestAuthentication

func (*RequestAuthentication) DeepCopy

func (in *RequestAuthentication) DeepCopy() *RequestAuthentication

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication.

func (*RequestAuthentication) DeepCopyInto

func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RequestAuthentication) DeepCopyObject

func (in *RequestAuthentication) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RequestAuthenticationList

type RequestAuthenticationList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []RequestAuthentication `json:"items"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object RequestAuthenticationList is a list of RequestAuthentication resources

func (*RequestAuthenticationList) DeepCopy

func (in *RequestAuthenticationList) DeepCopy() *RequestAuthenticationList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthenticationList.

func (*RequestAuthenticationList) DeepCopyInto

func (in *RequestAuthenticationList) DeepCopyInto(out *RequestAuthenticationList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RequestAuthenticationList) DeepCopyObject

func (in *RequestAuthenticationList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RequestAuthenticationSpec

type RequestAuthenticationSpec struct {
	// The selector determines the workloads to apply the RequestAuthentication on.
	// If not set, the policy will be applied to all workloads in the same namespace as the policy.
	Selector *selector.WorkloadSelector `json:"selector,omitempty"`
	// Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
	// will be used to extract the authenticated identity.
	// Each rule will be activated only when a token is presented at the location recognized by the
	// rule. The token will be validated based on the JWT rule config. If validation fails, the request will
	// be rejected.
	// Note: if more than one token is presented (at different locations), the output principal is nondeterministic.
	JwtRules []*JWTRule `json:"jwtRules,omitempty"`
}

func (*RequestAuthenticationSpec) DeepCopy

func (in *RequestAuthenticationSpec) DeepCopy() *RequestAuthenticationSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthenticationSpec.

func (*RequestAuthenticationSpec) DeepCopyInto

func (in *RequestAuthenticationSpec) DeepCopyInto(out *RequestAuthenticationSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Rule

type Rule struct {
	// Optional. from specifies the source of a request.
	//
	// If not set, any source is allowed.
	From []*RuleFrom `json:"from,omitempty"`
	// Optional. to specifies the operation of a request.
	//
	// If not set, any operation is allowed.
	To []*RuleTo `json:"to,omitempty"`
	// Optional. when specifies a list of additional conditions of a request.
	//
	// If not set, any condition is allowed.
	When []*Condition `json:"when,omitempty"`
}

Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

- Exact match: "abc" will match on value "abc".
- Prefix match: "abc*" will match on value "abc" and "abcd".
- Suffix match: "*abc" will match on value "abc" and "xabc".
- Presence match: "*" will match when value is not empty.

func (*Rule) DeepCopy

func (in *Rule) DeepCopy() *Rule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.

func (*Rule) DeepCopyInto

func (in *Rule) DeepCopyInto(out *Rule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RuleFrom

type RuleFrom struct {
	// Source specifies the source of a request.
	Source *Source `json:"source,omitempty"`
}

From includes a list of sources.

func (*RuleFrom) DeepCopy

func (in *RuleFrom) DeepCopy() *RuleFrom

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleFrom.

func (*RuleFrom) DeepCopyInto

func (in *RuleFrom) DeepCopyInto(out *RuleFrom)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RuleTo

type RuleTo struct {
	// Operation specifies the operation of a request.
	Operation *Operation `json:"operation,omitempty"`
}

To includes a list of operations.

func (*RuleTo) DeepCopy

func (in *RuleTo) DeepCopy() *RuleTo

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleTo.

func (*RuleTo) DeepCopyInto

func (in *RuleTo) DeepCopyInto(out *RuleTo)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Source

type Source struct {
	// Optional. A list of source peer identities (i.e. service account), which
	// matches to the "source.principal" attribute. This field requires mTLS enabled.
	//
	// If not set, any principal is allowed.
	Principals []string `json:"principals,omitempty"`
	// Optional. A list of negative match of source peer identities.
	NotPrincipals []string `json:"notPrincipals,omitempty"`
	// Optional. A list of request identities (i.e. "iss/sub" claims), which
	// matches to the "request.auth.principal" attribute.
	//
	// If not set, any request principal is allowed.
	RequestPrincipals []string `json:"requestPrincipals,omitempty"`
	// Optional. A list of negative match of request identities.
	NotRequestPrincipals []string `json:"notRequestPrincipals,omitempty"`
	// Optional. A list of namespaces, which matches to the "source.namespace"
	// attribute. This field requires mTLS enabled.
	//
	// If not set, any namespace is allowed.
	Namespaces []string `json:"namespaces,omitempty"`
	// Optional. A list of negative match of namespaces.
	NotNamespaces []string `json:"notNamespaces,omitempty"`
	// Optional. A list of IP blocks, which matches to the "source.ip" attribute.
	// Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
	//
	// If not set, any IP is allowed.
	IPBlocks []string `json:"ipBlocks,omitempty"`
	// Optional. A list of negative match of IP blocks.
	NotIPBlocks []string `json:"notIpBlocks,omitempty"`
}

Source specifies the source identities of a request. Fields in the source are ANDed together.

For example, the following source matches if the principal is "admin" or "dev" and the namespace is "prod" or "test" and the ip is not "1.2.3.4".

```yaml
principals: ["admin", "dev"]
namespaces: ["prod", "test"]
not_ipblocks: ["1.2.3.4"]
```
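The matching semantics described for AuthorizationPolicySpec, Rule, Operation and Source above (rules ORed, fields within a source or operation ANDed, negative lists, the Exact/Prefix/Suffix/Presence string matches, and the deny-all/allow-all corner cases), carried out as an added Go example that is not part of this package. It uses local, reduced copies of the types (RuleFrom/RuleTo flattened, `when` conditions and IP blocks omitted) and evaluates a single policy; how several policies on one workload combine is not covered by this page and is not modelled.

```go
package main

import "strings"

// Local, reduced copies of the page's types (the package is not imported here):
// RuleFrom/RuleTo wrappers are flattened and `when` conditions are left out.
type AuthorizationPolicyAction string

const ActionDeny AuthorizationPolicyAction = "DENY" // any other value behaves as ALLOW, the default
type Source struct{ Principals, NotPrincipals, Namespaces, NotNamespaces []string }
type Operation struct{ Hosts, NotHosts, Methods, NotMethods, Paths, NotPaths []string }
type Rule struct {
	From []Source
	To   []Operation
}
type AuthorizationPolicySpec struct {
	Rules  []Rule
	Action AuthorizationPolicyAction
}
type Request struct{ Principal, Namespace, Host, Method, Path string } // constructed view of the matched attributes

// matchString implements the Exact, Prefix ("abc*"), Suffix ("*abc") and
// Presence ("*") matches the page defines for every string field.
func matchString(pattern, value string) bool {
	switch {
	case pattern == "*":
		return value != ""
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(value, strings.TrimPrefix(pattern, "*"))
	}
	return pattern == value
}

// field: an unset positive list allows any value; a negative list rejects whatever it matches.
func field(pos, neg []string, value string) bool {
	ok := len(pos) == 0
	for _, p := range pos {
		ok = ok || matchString(p, value)
	}
	for _, n := range neg {
		ok = ok && !matchString(n, value)
	}
	return ok
}

func (s Source) matches(r Request) bool {
	return field(s.Principals, s.NotPrincipals, r.Principal) && field(s.Namespaces, s.NotNamespaces, r.Namespace)
}

func (o Operation) matches(r Request) bool {
	return field(o.Hosts, o.NotHosts, r.Host) && field(o.Methods, o.NotMethods, r.Method) && field(o.Paths, o.NotPaths, r.Path)
}

// A rule matches when at least one source and one operation match; an unset
// from/to list matches anything, so the empty rule `{}` always matches.
func (rl Rule) matches(r Request) bool {
	from, to := len(rl.From) == 0, len(rl.To) == 0
	for _, s := range rl.From {
		from = from || s.matches(r)
	}
	for _, o := range rl.To {
		to = to || o.matches(r)
	}
	return from && to
}

// Allowed decides one policy: rules are ORed; with no rules nothing matches, which
// is deny-all under ALLOW (the default) and denies nothing under DENY.
func Allowed(p AuthorizationPolicySpec, r Request) bool {
	matched := false
	for _, rl := range p.Rules {
		matched = matched || rl.matches(r)
	}
	if p.Action == ActionDeny {
		return !matched
	}
	return matched
}
```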

func (*Source) DeepCopy

func (in *Source) DeepCopy() *Source

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.

func (*Source) DeepCopyInto

func (in *Source) DeepCopyInto(out *Source)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
