api: istio.io/api/rbac/v1alpha1 Index | Files

package v1alpha1

import "istio.io/api/rbac/v1alpha1"

Index

Package Files

rbac.pb.go rbac_deepcopy.gen.go rbac_json.gen.go

Variables

// Errors with fixed messages describing malformed protobuf input.
// Presumably returned by the generated Unmarshal methods in rbac.pb.go; confirm there.
var (
    ErrInvalidLengthRbac = fmt.Errorf("proto: negative length found during unmarshaling")
    ErrIntOverflowRbac   = fmt.Errorf("proto: integer overflow")
)
// Package-level gogo/protobuf jsonpb marshaler and unmarshaler, both left at their
// zero-value configuration, so the jsonpb defaults apply.
// Presumably shared by the MarshalJSON/UnmarshalJSON methods in rbac_json.gen.go; confirm there.
// NOTE(review): both are exported pointers, so any importing package can change
// their options for every other caller in the process.
var (
    RbacMarshaler   = &github_com_gogo_protobuf_jsonpb.Marshaler{}
    RbacUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{}
)
// EnforcementMode_name maps each EnforcementMode number to its name.
// 0, the proto3 zero value, is ENFORCED.
var EnforcementMode_name = map[int32]string{
    0:  "ENFORCED",
    1:  "PERMISSIVE",
}
// EnforcementMode_value is the reverse of EnforcementMode_name (name to number).
var EnforcementMode_value = map[string]int32{
    "ENFORCED":   0,
    "PERMISSIVE": 1,
}
// RbacConfig_Mode_name maps each RbacConfig_Mode number to its name.
// 0, the proto3 zero value, is OFF.
var RbacConfig_Mode_name = map[int32]string{
    0:  "OFF",
    1:  "ON",
    2:  "ON_WITH_INCLUSION",
    3:  "ON_WITH_EXCLUSION",
}
// RbacConfig_Mode_value is the reverse of RbacConfig_Mode_name (name to number).
var RbacConfig_Mode_value = map[string]int32{
    "OFF":               0,
    "ON":                1,
    "ON_WITH_INCLUSION": 2,
    "ON_WITH_EXCLUSION": 3,
}

type AccessRule Uses

// AccessRule defines a permission to access a list of services.
// The XXX_-prefixed fields at the end are generated protobuf bookkeeping and
// are excluded from JSON (`json:"-"`).
type AccessRule struct {
    // A list of service names.
    // Exact match, prefix match, and suffix match are supported for service names.
    // For example, the service name "bookstore.mtv.cluster.local" matches
    // "bookstore.mtv.cluster.local" (exact match), or "bookstore\*" (prefix match),
    // or "\*.mtv.cluster.local" (suffix match).
    // If set to ["\*"], it refers to all services in the namespace.
    Services []string `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"`
    // $hide_from_docs
    // Optional. A list of HTTP hosts. This is matched against the HOST header in
    // an HTTP request. Exact match, prefix match and suffix match are supported.
    // For example, the host "test.abc.com" matches "test.abc.com" (exact match),
    // or "test.abc.\*" (prefix match), or "\*.abc.com" (suffix match).
    // If not specified, it matches to any host.
    // This field should not be set for TCP services; if it is, the policy will be ignored.
    // NOTE(review): this comment does not say whether matching is case-sensitive or
    // whether a port in the HOST header is stripped first - confirm before relying on
    // hosts/not_hosts as an access boundary.
    Hosts []string `protobuf:"bytes,5,rep,name=hosts,proto3" json:"hosts,omitempty"`
    // $hide_from_docs
    // Optional. A list of HTTP hosts that must not be matched.
    NotHosts []string `protobuf:"bytes,6,rep,name=not_hosts,json=notHosts,proto3" json:"not_hosts,omitempty"`
    // Optional. A list of HTTP paths or gRPC methods.
    // gRPC methods must be presented as fully-qualified names in the form of
    // "/packageName.serviceName/methodName" and are case sensitive.
    // Exact match, prefix match, and suffix match are supported. For example,
    // the path "/books/review" matches "/books/review" (exact match),
    // or "/books/\*" (prefix match), or "\*/review" (suffix match).
    // If not specified, it matches to any path.
    // This field should not be set for TCP services; if it is, the policy will be ignored.
    // NOTE(review): this comment does not say whether the request path is normalized
    // before matching - confirm, since exact, prefix and suffix rules all depend on it.
    Paths []string `protobuf:"bytes,2,rep,name=paths,proto3" json:"paths,omitempty"`
    // $hide_from_docs
    // Optional. A list of HTTP paths or gRPC methods that must not be matched.
    NotPaths []string `protobuf:"bytes,7,rep,name=not_paths,json=notPaths,proto3" json:"not_paths,omitempty"`
    // Optional. A list of HTTP methods (e.g., "GET", "POST").
    // If not specified or specified as "\*", it matches to any methods.
    // This field should not be set for TCP services; if it is, the policy will be ignored.
    // For gRPC services, only `POST` is allowed; other methods will result in denying services.
    Methods []string `protobuf:"bytes,3,rep,name=methods,proto3" json:"methods,omitempty"`
    // $hide_from_docs
    // Optional. A list of HTTP methods that must not be matched.
    // Note: It's an error to set methods and not_methods at the same time.
    NotMethods []string `protobuf:"bytes,8,rep,name=not_methods,json=notMethods,proto3" json:"not_methods,omitempty"`
    // $hide_from_docs
    // Optional. A list of port numbers of the request. If not specified, it matches
    // to any port number.
    // Note: It's an error to set ports and not_ports at the same time.
    Ports []int32 `protobuf:"varint,9,rep,packed,name=ports,proto3" json:"ports,omitempty"`
    // $hide_from_docs
    // Optional. A list of port numbers that must not be matched.
    // Note: It's an error to set ports and not_ports at the same time.
    NotPorts []int32 `protobuf:"varint,10,rep,packed,name=not_ports,json=notPorts,proto3" json:"not_ports,omitempty"`
    // Optional. Extra constraints in the ServiceRole specification.
    Constraints          []*AccessRule_Constraint `protobuf:"bytes,4,rep,name=constraints,proto3" json:"constraints,omitempty"`
    XXX_NoUnkeyedLiteral struct{}                 `json:"-"`
    XXX_unrecognized     []byte                   `json:"-"`
    XXX_sizecache        int32                    `json:"-"`
}

AccessRule defines a permission to access a list of services.

func (*AccessRule) Descriptor Uses

func (*AccessRule) Descriptor() ([]byte, []int)

func (*AccessRule) GetConstraints Uses

func (m *AccessRule) GetConstraints() []*AccessRule_Constraint

func (*AccessRule) GetHosts Uses

func (m *AccessRule) GetHosts() []string

func (*AccessRule) GetMethods Uses

func (m *AccessRule) GetMethods() []string

func (*AccessRule) GetNotHosts Uses

func (m *AccessRule) GetNotHosts() []string

func (*AccessRule) GetNotMethods Uses

func (m *AccessRule) GetNotMethods() []string

func (*AccessRule) GetNotPaths Uses

func (m *AccessRule) GetNotPaths() []string

func (*AccessRule) GetNotPorts Uses

func (m *AccessRule) GetNotPorts() []int32

func (*AccessRule) GetPaths Uses

func (m *AccessRule) GetPaths() []string

func (*AccessRule) GetPorts Uses

func (m *AccessRule) GetPorts() []int32

func (*AccessRule) GetServices Uses

func (m *AccessRule) GetServices() []string

func (*AccessRule) Marshal Uses

func (m *AccessRule) Marshal() (dAtA []byte, err error)

func (*AccessRule) MarshalJSON Uses

func (this *AccessRule) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for AccessRule

func (*AccessRule) MarshalTo Uses

func (m *AccessRule) MarshalTo(dAtA []byte) (int, error)

func (*AccessRule) MarshalToSizedBuffer Uses

func (m *AccessRule) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*AccessRule) ProtoMessage Uses

func (*AccessRule) ProtoMessage()

func (*AccessRule) Reset Uses

func (m *AccessRule) Reset()

func (*AccessRule) Size Uses

func (m *AccessRule) Size() (n int)

func (*AccessRule) String Uses

func (m *AccessRule) String() string

func (*AccessRule) Unmarshal Uses

func (m *AccessRule) Unmarshal(dAtA []byte) error

func (*AccessRule) UnmarshalJSON Uses

func (this *AccessRule) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for AccessRule

func (*AccessRule) XXX_DiscardUnknown Uses

func (m *AccessRule) XXX_DiscardUnknown()

func (*AccessRule) XXX_Marshal Uses

func (m *AccessRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*AccessRule) XXX_Merge Uses

func (m *AccessRule) XXX_Merge(src proto.Message)

func (*AccessRule) XXX_Size Uses

func (m *AccessRule) XXX_Size() int

func (*AccessRule) XXX_Unmarshal Uses

func (m *AccessRule) XXX_Unmarshal(b []byte) error

type AccessRule_Constraint Uses

// AccessRule_Constraint is a custom constraint on an AccessRule: a key and the
// list of values accepted for that key.
type AccessRule_Constraint struct {
    // Key of the constraint.
    Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
    // List of valid values for the constraint.
    // Exact match, prefix match, and suffix match are supported.
    // For example, the value "v1alpha2" matches "v1alpha2" (exact match),
    // or "v1\*" (prefix match), or "\*alpha2" (suffix match).
    Values               []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"`
    XXX_NoUnkeyedLiteral struct{} `json:"-"`
    XXX_unrecognized     []byte   `json:"-"`
    XXX_sizecache        int32    `json:"-"`
}

Definition of a custom constraint. The supported keys are listed in the "constraint and properties" page.

func (*AccessRule_Constraint) Descriptor Uses

func (*AccessRule_Constraint) Descriptor() ([]byte, []int)

func (*AccessRule_Constraint) GetKey Uses

func (m *AccessRule_Constraint) GetKey() string

func (*AccessRule_Constraint) GetValues Uses

func (m *AccessRule_Constraint) GetValues() []string

func (*AccessRule_Constraint) Marshal Uses

func (m *AccessRule_Constraint) Marshal() (dAtA []byte, err error)

func (*AccessRule_Constraint) MarshalJSON Uses

func (this *AccessRule_Constraint) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for AccessRule_Constraint

func (*AccessRule_Constraint) MarshalTo Uses

func (m *AccessRule_Constraint) MarshalTo(dAtA []byte) (int, error)

func (*AccessRule_Constraint) MarshalToSizedBuffer Uses

func (m *AccessRule_Constraint) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*AccessRule_Constraint) ProtoMessage Uses

func (*AccessRule_Constraint) ProtoMessage()

func (*AccessRule_Constraint) Reset Uses

func (m *AccessRule_Constraint) Reset()

func (*AccessRule_Constraint) Size Uses

func (m *AccessRule_Constraint) Size() (n int)

func (*AccessRule_Constraint) String Uses

func (m *AccessRule_Constraint) String() string

func (*AccessRule_Constraint) Unmarshal Uses

func (m *AccessRule_Constraint) Unmarshal(dAtA []byte) error

func (*AccessRule_Constraint) UnmarshalJSON Uses

func (this *AccessRule_Constraint) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for AccessRule_Constraint

func (*AccessRule_Constraint) XXX_DiscardUnknown Uses

func (m *AccessRule_Constraint) XXX_DiscardUnknown()

func (*AccessRule_Constraint) XXX_Marshal Uses

func (m *AccessRule_Constraint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*AccessRule_Constraint) XXX_Merge Uses

func (m *AccessRule_Constraint) XXX_Merge(src proto.Message)

func (*AccessRule_Constraint) XXX_Size Uses

func (m *AccessRule_Constraint) XXX_Size() int

func (*AccessRule_Constraint) XXX_Unmarshal Uses

func (m *AccessRule_Constraint) XXX_Unmarshal(b []byte) error

type EnforcementMode Uses

type EnforcementMode int32

$hide_from_docs RBAC ServiceRoleBinding enforcement mode, used to verify that new ServiceRoleBinding configs work as expected before rolling them out to production. The RBAC engine only logs the results of configs that are in permissive mode, and discards those results before returning to the user.

// Values of EnforcementMode. ENFORCED is 0, the proto3 zero value, so a mode
// field that is left unset reads as ENFORCED.
const (
    // Policy in ENFORCED mode has impact on user experience.
    // Policy is in ENFORCED mode by default.
    EnforcementMode_ENFORCED EnforcementMode = 0
    // Policy in PERMISSIVE mode isn't enforced and has no impact on users.
    // The RBAC engine runs policies in PERMISSIVE mode and logs stats.
    // NOTE(review): PERMISSIVE is a dry-run setting; a policy left in this mode
    // restricts nothing, so it should be switched back once the policy is verified.
    EnforcementMode_PERMISSIVE EnforcementMode = 1
)

func (EnforcementMode) EnumDescriptor Uses

func (EnforcementMode) EnumDescriptor() ([]byte, []int)

func (EnforcementMode) String Uses

func (x EnforcementMode) String() string

type RbacConfig Uses

// RbacConfig carries the settings that control Istio RBAC behavior: the mode,
// the inclusion or exclusion target that the mode refers to, and an enforcement mode.
type RbacConfig struct {
    // Istio RBAC mode. If left unset, the field holds the proto3 zero value 0,
    // which RbacConfig_Mode_name maps to "OFF".
    Mode RbacConfig_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.RbacConfig_Mode" json:"mode,omitempty"`
    // A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field has
    // effect only when mode is ON_WITH_INCLUSION and will be ignored for any other modes.
    Inclusion *RbacConfig_Target `protobuf:"bytes,2,opt,name=inclusion,proto3" json:"inclusion,omitempty"`
    // A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field has
    // effect only when mode is ON_WITH_EXCLUSION and will be ignored for any other modes.
    Exclusion *RbacConfig_Target `protobuf:"bytes,3,opt,name=exclusion,proto3" json:"exclusion,omitempty"`
    // $hide_from_docs
    // Indicates the enforcement mode of the RbacConfig, which is ENFORCED by default.
    // It's used to verify that a new RbacConfig works as expected before rolling it out to production.
    // When set to PERMISSIVE, RBAC isn't enforced and has no impact on users.
    // The RBAC engine runs the RbacConfig in PERMISSIVE mode and logs stats.
    // It is invalid to set RbacConfig in PERMISSIVE and ServiceRoleBinding in ENFORCED mode.
    EnforcementMode      EnforcementMode `protobuf:"varint,4,opt,name=enforcement_mode,json=enforcementMode,proto3,enum=istio.rbac.v1alpha1.EnforcementMode" json:"enforcement_mode,omitempty"`
    XXX_NoUnkeyedLiteral struct{}        `json:"-"`
    XXX_unrecognized     []byte          `json:"-"`
    XXX_sizecache        int32           `json:"-"`
}

RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior. The ClusterRbacConfig Custom Resource is a singleton: only one ClusterRbacConfig should be created globally in the mesh, and its namespace should be the same as that of the other Istio components, which is usually `istio-system`.

Below is an example of a `ClusterRbacConfig` resource called `istio-rbac-config` which enables Istio RBAC for all services in the default namespace.

```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: [ "default" ]
```

<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=rbac.istio.io/v1alpha1 +kubetype-gen:kubeType=RbacConfig +kubetype-gen:kubeType=ClusterRbacConfig +kubetype-gen:ClusterRbacConfig:tag=genclient:nonNamespaced +genclient +k8s:deepcopy-gen=true -->

func (*RbacConfig) DeepCopyInto Uses

func (in *RbacConfig) DeepCopyInto(out *RbacConfig)

DeepCopyInto supports using RbacConfig within kubernetes types, where deepcopy-gen is used.

func (*RbacConfig) Descriptor Uses

func (*RbacConfig) Descriptor() ([]byte, []int)

func (*RbacConfig) GetEnforcementMode Uses

func (m *RbacConfig) GetEnforcementMode() EnforcementMode

func (*RbacConfig) GetExclusion Uses

func (m *RbacConfig) GetExclusion() *RbacConfig_Target

func (*RbacConfig) GetInclusion Uses

func (m *RbacConfig) GetInclusion() *RbacConfig_Target

func (*RbacConfig) GetMode Uses

func (m *RbacConfig) GetMode() RbacConfig_Mode

func (*RbacConfig) Marshal Uses

func (m *RbacConfig) Marshal() (dAtA []byte, err error)

func (*RbacConfig) MarshalJSON Uses

func (this *RbacConfig) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for RbacConfig

func (*RbacConfig) MarshalTo Uses

func (m *RbacConfig) MarshalTo(dAtA []byte) (int, error)

func (*RbacConfig) MarshalToSizedBuffer Uses

func (m *RbacConfig) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*RbacConfig) ProtoMessage Uses

func (*RbacConfig) ProtoMessage()

func (*RbacConfig) Reset Uses

func (m *RbacConfig) Reset()

func (*RbacConfig) Size Uses

func (m *RbacConfig) Size() (n int)

func (*RbacConfig) String Uses

func (m *RbacConfig) String() string

func (*RbacConfig) Unmarshal Uses

func (m *RbacConfig) Unmarshal(dAtA []byte) error

func (*RbacConfig) UnmarshalJSON Uses

func (this *RbacConfig) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for RbacConfig

func (*RbacConfig) XXX_DiscardUnknown Uses

func (m *RbacConfig) XXX_DiscardUnknown()

func (*RbacConfig) XXX_Marshal Uses

func (m *RbacConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RbacConfig) XXX_Merge Uses

func (m *RbacConfig) XXX_Merge(src proto.Message)

func (*RbacConfig) XXX_Size Uses

func (m *RbacConfig) XXX_Size() int

func (*RbacConfig) XXX_Unmarshal Uses

func (m *RbacConfig) XXX_Unmarshal(b []byte) error

type RbacConfig_Mode Uses

// RbacConfig_Mode selects which services and namespaces Istio RBAC is enforced for.
// OFF is 0, the proto3 zero value, so a mode that is left unset reads as OFF.
type RbacConfig_Mode int32
const (
    // Disable Istio RBAC completely, Istio RBAC policies will not be enforced.
    RbacConfig_OFF RbacConfig_Mode = 0
    // Enable Istio RBAC for all services and namespaces. Note: Istio RBAC is deny-by-default,
    // which means a request is denied unless it is allowed by RBAC rules.
    RbacConfig_ON RbacConfig_Mode = 1
    // Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other
    // services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies.
    // NOTE(review): a new service or namespace is therefore not covered until it is added to the list.
    RbacConfig_ON_WITH_INCLUSION RbacConfig_Mode = 2
    // Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other
    // services and namespaces not in the exclusion field will be enforced by Istio RBAC policies.
    RbacConfig_ON_WITH_EXCLUSION RbacConfig_Mode = 3
)

func (RbacConfig_Mode) EnumDescriptor Uses

func (RbacConfig_Mode) EnumDescriptor() ([]byte, []int)

func (RbacConfig_Mode) String Uses

func (x RbacConfig_Mode) String() string

type RbacConfig_Target Uses

// RbacConfig_Target defines a list of services or namespaces. RbacConfig uses it
// as the type of its Inclusion and Exclusion fields.
type RbacConfig_Target struct {
    // A list of services.
    // NOTE(review): the expected form of a service name (short or fully-qualified)
    // is not stated here - confirm before writing inclusion/exclusion lists.
    Services []string `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"`
    // A list of namespaces.
    Namespaces           []string `protobuf:"bytes,2,rep,name=namespaces,proto3" json:"namespaces,omitempty"`
    XXX_NoUnkeyedLiteral struct{} `json:"-"`
    XXX_unrecognized     []byte   `json:"-"`
    XXX_sizecache        int32    `json:"-"`
}

Target defines a list of services or namespaces.

func (*RbacConfig_Target) Descriptor Uses

func (*RbacConfig_Target) Descriptor() ([]byte, []int)

func (*RbacConfig_Target) GetNamespaces Uses

func (m *RbacConfig_Target) GetNamespaces() []string

func (*RbacConfig_Target) GetServices Uses

func (m *RbacConfig_Target) GetServices() []string

func (*RbacConfig_Target) Marshal Uses

func (m *RbacConfig_Target) Marshal() (dAtA []byte, err error)

func (*RbacConfig_Target) MarshalJSON Uses

func (this *RbacConfig_Target) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for RbacConfig_Target

func (*RbacConfig_Target) MarshalTo Uses

func (m *RbacConfig_Target) MarshalTo(dAtA []byte) (int, error)

func (*RbacConfig_Target) MarshalToSizedBuffer Uses

func (m *RbacConfig_Target) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*RbacConfig_Target) ProtoMessage Uses

func (*RbacConfig_Target) ProtoMessage()

func (*RbacConfig_Target) Reset Uses

func (m *RbacConfig_Target) Reset()

func (*RbacConfig_Target) Size Uses

func (m *RbacConfig_Target) Size() (n int)

func (*RbacConfig_Target) String Uses

func (m *RbacConfig_Target) String() string

func (*RbacConfig_Target) Unmarshal Uses

func (m *RbacConfig_Target) Unmarshal(dAtA []byte) error

func (*RbacConfig_Target) UnmarshalJSON Uses

func (this *RbacConfig_Target) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for RbacConfig_Target

func (*RbacConfig_Target) XXX_DiscardUnknown Uses

func (m *RbacConfig_Target) XXX_DiscardUnknown()

func (*RbacConfig_Target) XXX_Marshal Uses

func (m *RbacConfig_Target) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RbacConfig_Target) XXX_Merge Uses

func (m *RbacConfig_Target) XXX_Merge(src proto.Message)

func (*RbacConfig_Target) XXX_Size Uses

func (m *RbacConfig_Target) XXX_Size() int

func (*RbacConfig_Target) XXX_Unmarshal Uses

func (m *RbacConfig_Target) XXX_Unmarshal(b []byte) error

type RoleRef Uses

// RoleRef refers to a role object by kind and name.
type RoleRef struct {
    // The type of the role being referenced.
    // Currently, "ServiceRole" is the only supported value for "kind".
    Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"`
    // The name of the ServiceRole object being referenced.
    // The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.
    Name                 string   `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
    XXX_NoUnkeyedLiteral struct{} `json:"-"`
    XXX_unrecognized     []byte   `json:"-"`
    XXX_sizecache        int32    `json:"-"`
}

RoleRef refers to a role object.

func (*RoleRef) Descriptor Uses

func (*RoleRef) Descriptor() ([]byte, []int)

func (*RoleRef) GetKind Uses

func (m *RoleRef) GetKind() string

func (*RoleRef) GetName Uses

func (m *RoleRef) GetName() string

func (*RoleRef) Marshal Uses

func (m *RoleRef) Marshal() (dAtA []byte, err error)

func (*RoleRef) MarshalJSON Uses

func (this *RoleRef) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for RoleRef

func (*RoleRef) MarshalTo Uses

func (m *RoleRef) MarshalTo(dAtA []byte) (int, error)

func (*RoleRef) MarshalToSizedBuffer Uses

func (m *RoleRef) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*RoleRef) ProtoMessage Uses

func (*RoleRef) ProtoMessage()

func (*RoleRef) Reset Uses

func (m *RoleRef) Reset()

func (*RoleRef) Size Uses

func (m *RoleRef) Size() (n int)

func (*RoleRef) String Uses

func (m *RoleRef) String() string

func (*RoleRef) Unmarshal Uses

func (m *RoleRef) Unmarshal(dAtA []byte) error

func (*RoleRef) UnmarshalJSON Uses

func (this *RoleRef) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for RoleRef

func (*RoleRef) XXX_DiscardUnknown Uses

func (m *RoleRef) XXX_DiscardUnknown()

func (*RoleRef) XXX_Marshal Uses

func (m *RoleRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RoleRef) XXX_Merge Uses

func (m *RoleRef) XXX_Merge(src proto.Message)

func (*RoleRef) XXX_Size Uses

func (m *RoleRef) XXX_Size() int

func (*RoleRef) XXX_Unmarshal Uses

func (m *RoleRef) XXX_Unmarshal(b []byte) error

type ServiceRole Uses

// ServiceRole holds a list of access rules (permissions).
type ServiceRole struct {
    // The set of access rules (permissions) that the role has.
    Rules                []*AccessRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
    XXX_NoUnkeyedLiteral struct{}      `json:"-"`
    XXX_unrecognized     []byte        `json:"-"`
    XXX_sizecache        int32         `json:"-"`
}

ServiceRole specification contains a list of access rules (permissions).

<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=rbac.istio.io/v1alpha1 +genclient +k8s:deepcopy-gen=true -->

func (*ServiceRole) DeepCopyInto Uses

func (in *ServiceRole) DeepCopyInto(out *ServiceRole)

DeepCopyInto supports using ServiceRole within kubernetes types, where deepcopy-gen is used.

func (*ServiceRole) Descriptor Uses

func (*ServiceRole) Descriptor() ([]byte, []int)

func (*ServiceRole) GetRules Uses

func (m *ServiceRole) GetRules() []*AccessRule

func (*ServiceRole) Marshal Uses

func (m *ServiceRole) Marshal() (dAtA []byte, err error)

func (*ServiceRole) MarshalJSON Uses

func (this *ServiceRole) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for ServiceRole

func (*ServiceRole) MarshalTo Uses

func (m *ServiceRole) MarshalTo(dAtA []byte) (int, error)

func (*ServiceRole) MarshalToSizedBuffer Uses

func (m *ServiceRole) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*ServiceRole) ProtoMessage Uses

func (*ServiceRole) ProtoMessage()

func (*ServiceRole) Reset Uses

func (m *ServiceRole) Reset()

func (*ServiceRole) Size Uses

func (m *ServiceRole) Size() (n int)

func (*ServiceRole) String Uses

func (m *ServiceRole) String() string

func (*ServiceRole) Unmarshal Uses

func (m *ServiceRole) Unmarshal(dAtA []byte) error

func (*ServiceRole) UnmarshalJSON Uses

func (this *ServiceRole) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for ServiceRole

func (*ServiceRole) XXX_DiscardUnknown Uses

func (m *ServiceRole) XXX_DiscardUnknown()

func (*ServiceRole) XXX_Marshal Uses

func (m *ServiceRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ServiceRole) XXX_Merge Uses

func (m *ServiceRole) XXX_Merge(src proto.Message)

func (*ServiceRole) XXX_Size Uses

func (m *ServiceRole) XXX_Size() int

func (*ServiceRole) XXX_Unmarshal Uses

func (m *ServiceRole) XXX_Unmarshal(b []byte) error

type ServiceRoleBinding Uses

// ServiceRoleBinding assigns a ServiceRole to a list of subjects.
// The role can be given through RoleRef, inline through Actions, or by name
// through Role; the field comments below describe each form.
type ServiceRoleBinding struct {
    // List of subjects that are assigned the ServiceRole object.
    Subjects []*Subject `protobuf:"bytes,1,rep,name=subjects,proto3" json:"subjects,omitempty"`
    // Reference to the ServiceRole object.
    RoleRef *RoleRef `protobuf:"bytes,2,opt,name=roleRef,proto3" json:"roleRef,omitempty"`
    // $hide_from_docs
    // Indicates enforcement mode of the ServiceRoleBinding.
    Mode EnforcementMode `protobuf:"varint,3,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.EnforcementMode" json:"mode,omitempty"`
    // $hide_from_docs
    // Inline role definition. An inline role is a role that is defined inside an
    // authorization policy, instead of explicitly defined in a ServiceRole object.
    // Inline roles can be used for the role definitions that are not intended to
    // be reused in other bindings, while explicit roles are reusable. Both inline
    // roles (defined in "actions" field) and explicit roles (defined in ServiceRole)
    // are supported. Users should use only one of them in a single binding.
    // For example, the following "product-frontend" AuthorizationPolicy allows "frontend"
    // service to view "product" service on "/info" path.
    // ```yaml
    // apiVersion: "rbac.istio.io/v1alpha1"
    // kind: AuthorizationPolicy
    // metadata:
    //  name: product-frontend
    //  namespace: ns1
    // spec:
    //  selector:
    //    labels:
    //      app: product
    //  allow:
    //  - subjects:
    //    - names: ["cluster.local/ns/default/sa/frontend"]
    //    actions:
    //    - paths: ["/info"]
    //      methods: ["GET"]
    // ```
    // The set of access rules (permissions) that the role has.
    Actions []*AccessRule `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"`
    // $hide_from_docs
    // A `role` inside a ServiceRoleBinding refers to the ServiceRole that this
    // ServiceRoleBinding binds to. A ServiceRoleBinding can bind to a ServiceRole
    // in the same namespace or the root namespace. A ServiceRole in the root namespace
    // represents a mesh global ServiceRole.
    // The value of `role` is the name of the ServiceRole, and it can start with or without a forward slash ("/").
    // When a `role` starts with "/", e.g. "/service-viewer", it means that this ServiceRoleBinding
    // refers to the ServiceRole in the configurable Istio root namespace.
    // When a `role` starts without "/", this ServiceRoleBinding refers to the ServiceRole in the
    // same namespace as the AuthorizationPolicy that contains said ServiceRoleBinding.
    // NOTE(review): a leading "/" changes which namespace the role is resolved in, so a
    // binding picks up whatever ServiceRole of that name exists in the root namespace.
    Role                 string   `protobuf:"bytes,5,opt,name=role,proto3" json:"role,omitempty"`
    XXX_NoUnkeyedLiteral struct{} `json:"-"`
    XXX_unrecognized     []byte   `json:"-"`
    XXX_sizecache        int32    `json:"-"`
}

ServiceRoleBinding assigns a ServiceRole to a list of subjects.

<!-- go code generation tags +kubetype-gen +kubetype-gen:groupVersion=rbac.istio.io/v1alpha1 +genclient +k8s:deepcopy-gen=true -->

func (*ServiceRoleBinding) DeepCopyInto Uses

func (in *ServiceRoleBinding) DeepCopyInto(out *ServiceRoleBinding)

DeepCopyInto supports using ServiceRoleBinding within kubernetes types, where deepcopy-gen is used.

func (*ServiceRoleBinding) Descriptor Uses

func (*ServiceRoleBinding) Descriptor() ([]byte, []int)

func (*ServiceRoleBinding) GetActions Uses

func (m *ServiceRoleBinding) GetActions() []*AccessRule

func (*ServiceRoleBinding) GetMode Uses

func (m *ServiceRoleBinding) GetMode() EnforcementMode

func (*ServiceRoleBinding) GetRole Uses

func (m *ServiceRoleBinding) GetRole() string

func (*ServiceRoleBinding) GetRoleRef Uses

func (m *ServiceRoleBinding) GetRoleRef() *RoleRef

func (*ServiceRoleBinding) GetSubjects Uses

func (m *ServiceRoleBinding) GetSubjects() []*Subject

func (*ServiceRoleBinding) Marshal Uses

func (m *ServiceRoleBinding) Marshal() (dAtA []byte, err error)

func (*ServiceRoleBinding) MarshalJSON Uses

func (this *ServiceRoleBinding) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for ServiceRoleBinding

func (*ServiceRoleBinding) MarshalTo Uses

func (m *ServiceRoleBinding) MarshalTo(dAtA []byte) (int, error)

func (*ServiceRoleBinding) MarshalToSizedBuffer Uses

func (m *ServiceRoleBinding) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*ServiceRoleBinding) ProtoMessage Uses

func (*ServiceRoleBinding) ProtoMessage()

func (*ServiceRoleBinding) Reset Uses

func (m *ServiceRoleBinding) Reset()

func (*ServiceRoleBinding) Size Uses

func (m *ServiceRoleBinding) Size() (n int)

func (*ServiceRoleBinding) String Uses

func (m *ServiceRoleBinding) String() string

func (*ServiceRoleBinding) Unmarshal Uses

func (m *ServiceRoleBinding) Unmarshal(dAtA []byte) error

func (*ServiceRoleBinding) UnmarshalJSON Uses

func (this *ServiceRoleBinding) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for ServiceRoleBinding

func (*ServiceRoleBinding) XXX_DiscardUnknown Uses

func (m *ServiceRoleBinding) XXX_DiscardUnknown()

func (*ServiceRoleBinding) XXX_Marshal Uses

func (m *ServiceRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ServiceRoleBinding) XXX_Merge Uses

func (m *ServiceRoleBinding) XXX_Merge(src proto.Message)

func (*ServiceRoleBinding) XXX_Size Uses

func (m *ServiceRoleBinding) XXX_Size() int

func (*ServiceRoleBinding) XXX_Unmarshal Uses

func (m *ServiceRoleBinding) XXX_Unmarshal(b []byte) error

type Subject Uses

// Subject defines an identity: either a user or a caller identified by a set of
// properties. The remaining fields are positive/negative match lists for names,
// groups, namespaces and IP addresses.
type Subject struct {
    // Optional. The user name/ID that the subject represents.
    User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
    // $hide_from_docs
    // Optional. A list of subject names. This is matched to the
    // `source.principal` attribute. If one of the subject names is "\*", it matches a subject with any name.
    // Prefix and suffix matches are supported.
    // NOTE(review): this comment does not say whether "\*" also matches a request that
    // carries no authenticated principal - confirm before treating it as "any authenticated caller".
    Names []string `protobuf:"bytes,4,rep,name=names,proto3" json:"names,omitempty"`
    // $hide_from_docs
    // Optional. A list of subject names that must not be matched.
    NotNames []string `protobuf:"bytes,5,rep,name=not_names,json=notNames,proto3" json:"not_names,omitempty"`
    // $hide_from_docs
    // Optional. The group that the subject belongs to.
    // Deprecated. Use groups and not_groups instead.
    Group string `protobuf:"bytes,2,opt,name=group,proto3" json:"group,omitempty"` // Deprecated: Do not use.
    // $hide_from_docs
    // Optional. A list of groups that the subject represents. This is matched to the
    // `request.auth.claims[groups]` attribute. If not specified, it applies to any groups.
    Groups []string `protobuf:"bytes,6,rep,name=groups,proto3" json:"groups,omitempty"`
    // $hide_from_docs
    // Optional. A list of groups that must not be matched.
    NotGroups []string `protobuf:"bytes,7,rep,name=not_groups,json=notGroups,proto3" json:"not_groups,omitempty"`
    // $hide_from_docs
    // Optional. A list of namespaces that the subject represents. This is matched to
    // the `source.namespace` attribute. If not specified, it applies to any namespaces.
    Namespaces []string `protobuf:"bytes,8,rep,name=namespaces,proto3" json:"namespaces,omitempty"`
    // $hide_from_docs
    // Optional. A list of namespaces that must not be matched.
    NotNamespaces []string `protobuf:"bytes,9,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"`
    // $hide_from_docs
    // Optional. A list of IP addresses or CIDR ranges that the subject represents.
    // E.g. 192.168.100.2 or 10.1.0.0/16. If not specified, it applies to any IP addresses.
    // NOTE(review): which address is compared (the direct peer or a forwarded client
    // address) is not stated here - confirm before using ips/not_ips as a boundary.
    Ips []string `protobuf:"bytes,10,rep,name=ips,proto3" json:"ips,omitempty"`
    // $hide_from_docs
    // Optional. A list of IP addresses or CIDR ranges that must not be matched.
    NotIps []string `protobuf:"bytes,11,rep,name=not_ips,json=notIps,proto3" json:"not_ips,omitempty"`
    // Optional. The set of properties that identify the subject.
    Properties           map[string]string `protobuf:"bytes,3,rep,name=properties,proto3" json:"properties,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    XXX_NoUnkeyedLiteral struct{}          `json:"-"`
    XXX_unrecognized     []byte            `json:"-"`
    XXX_sizecache        int32             `json:"-"`
}

Subject defines an identity. The identity is either a user or is identified by a set of `properties`. The supported keys in `properties` are listed in the "constraint and properties" page.

func (*Subject) Descriptor Uses

func (*Subject) Descriptor() ([]byte, []int)

func (*Subject) GetGroup Uses

func (m *Subject) GetGroup() string

Deprecated: Do not use.

func (*Subject) GetGroups Uses

func (m *Subject) GetGroups() []string

func (*Subject) GetIps Uses

func (m *Subject) GetIps() []string

func (*Subject) GetNames Uses

func (m *Subject) GetNames() []string

func (*Subject) GetNamespaces Uses

func (m *Subject) GetNamespaces() []string

func (*Subject) GetNotGroups Uses

func (m *Subject) GetNotGroups() []string

func (*Subject) GetNotIps Uses

func (m *Subject) GetNotIps() []string

func (*Subject) GetNotNames Uses

func (m *Subject) GetNotNames() []string

func (*Subject) GetNotNamespaces Uses

func (m *Subject) GetNotNamespaces() []string

func (*Subject) GetProperties Uses

func (m *Subject) GetProperties() map[string]string

func (*Subject) GetUser Uses

func (m *Subject) GetUser() string

func (*Subject) Marshal Uses

func (m *Subject) Marshal() (dAtA []byte, err error)

func (*Subject) MarshalJSON Uses

func (this *Subject) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for Subject

func (*Subject) MarshalTo Uses

func (m *Subject) MarshalTo(dAtA []byte) (int, error)

func (*Subject) MarshalToSizedBuffer Uses

func (m *Subject) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*Subject) ProtoMessage Uses

func (*Subject) ProtoMessage()

func (*Subject) Reset Uses

func (m *Subject) Reset()

func (*Subject) Size Uses

func (m *Subject) Size() (n int)

func (*Subject) String Uses

func (m *Subject) String() string

func (*Subject) Unmarshal Uses

func (m *Subject) Unmarshal(dAtA []byte) error

func (*Subject) UnmarshalJSON Uses

func (this *Subject) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for Subject

func (*Subject) XXX_DiscardUnknown Uses

func (m *Subject) XXX_DiscardUnknown()

func (*Subject) XXX_Marshal Uses

func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Subject) XXX_Merge Uses

func (m *Subject) XXX_Merge(src proto.Message)

func (*Subject) XXX_Size Uses

func (m *Subject) XXX_Size() int

func (*Subject) XXX_Unmarshal Uses

func (m *Subject) XXX_Unmarshal(b []byte) error

Package v1alpha1 imports 8 packages (graph) and is imported by 19 packages. Updated 2019-11-13. Refresh now. Tools for package owners.