istio

package auth

import ""

The auth package provides support for checking the authentication and authorization policy applied in the mesh. It aims to increase the debuggability and observability of auth policies. Note: this is still under active development and is not ready for real use.


Package Files

auth.go cluster.go listener.go upgrader.go util.go validator.go


const (
    RoleNotFound        = "serviceRoleNotFound: %q used by ServiceRoleBinding %q at namespace %q.\n"
    RoleNotUsed         = "serviceRoleNotUsed: ServiceRole %q at namespace %q.\n"
    PolicyValid         = "Authorization policy is valid.\n"
    RoleMissing         = "no ServiceRole found for validation"
    BindingMissing      = "no ServiceRoleBinding found for validation"
    ValidButNoRBACFound = "Valid (no Authorization policy found).\n"
)

func GetPolicyValidReport

func GetPolicyValidReport() string

func GetRoleNotFoundReport

func GetRoleNotFoundReport(roleName, bindingName, namespace string) string

func GetRoleNotUsedReport

func GetRoleNotUsedReport(roleName, namespace string) string

func PrintParsedClusters

func PrintParsedClusters(writer io.Writer, parsedClusters []*ParsedCluster, printAll bool)

func PrintParsedListeners

func PrintParsedListeners(writer io.Writer, parsedListeners []*ParsedListener, printAll bool)

func StructToGoGoMessage

func StructToGoGoMessage(pbst *structpb.Struct, out proto.Message) error

type Analyzer

type Analyzer struct {
    // contains filtered or unexported fields
}

Analyzer that can be used to check authentication and authorization policy status.

func NewAnalyzer

func NewAnalyzer(envoyConfig *configdump.Wrapper) (*Analyzer, error)

NewAnalyzer creates a new analyzer for a given pod based on its envoy config.

func (*Analyzer) PrintTLS

func (a *Analyzer) PrintTLS(writer io.Writer, printAll bool)

PrintTLS checks the TLS/JWT/RBAC setting for the given envoy config stored in the analyzer.

type ParsedCluster

type ParsedCluster struct {
    // contains filtered or unexported fields
}

func ParseCluster

func ParseCluster(cluster *v2.Cluster) *ParsedCluster

type ParsedListener

type ParsedListener struct {
    // contains filtered or unexported fields
}

func ParseListener

func ParseListener(listener *v2.Listener) *ParsedListener

ParseListener parses the envoy listener config, extracting only the auth-related settings.

type PolicyTypeToConfigs

type PolicyTypeToConfigs map[string][]model.Config

PolicyTypeToConfigs maps a policy type (e.g. service-role) to the list of configs of that type.

type ServiceToWorkloadLabels

type ServiceToWorkloadLabels map[string]WorkloadLabels

ServiceToWorkloadLabels maps a short service name to the workload labels that the service points to. The service is defined in the same namespace as the ServiceRole that uses it.

type Upgrader

type Upgrader struct {
    K8sClient                          *kubernetes.Clientset
    V1PolicyFiles                      []string
    ServiceFiles                       []string
    NamespaceToServiceToWorkloadLabels map[string]ServiceToWorkloadLabels
    AuthorizationPolicies              []model.Config
    ConvertedPolicies                  strings.Builder
}

func NewUpgrader

func NewUpgrader(k8sClient *kubernetes.Clientset, v1PolicyFiles, serviceFiles []string) *Upgrader

func (*Upgrader) ConvertV1alpha1ToV1beta1

func (ug *Upgrader) ConvertV1alpha1ToV1beta1() error

ConvertV1alpha1ToV1beta1 converts RBAC v1alpha1 policies to v1beta1 for local policy files.

type Validator

type Validator struct {
    PolicyFiles          []string
    RoleKeyToServiceRole map[string]model.Config

    Report strings.Builder
    // contains filtered or unexported fields
}

func (*Validator) CheckAndReport

func (v *Validator) CheckAndReport() error

CheckAndReport checks for misuse of Istio authentication and authorization policy and writes the findings to Report.

func (*Validator) CheckAndReportRBAC

func (v *Validator) CheckAndReportRBAC()
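The report constants above describe the two RBAC consistency findings (a ServiceRoleBinding referencing a ServiceRole that does not exist, and a ServiceRole no binding uses). The following is an added, stand-alone illustration of that check, not the package's own implementation; ServiceRole and ServiceRoleBinding are minimal stand-in structs assumed here, and the role/binding lists are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Format strings copied from the package's exported constants.
const (
	RoleNotFound        = "serviceRoleNotFound: %q used by ServiceRoleBinding %q at namespace %q.\n"
	RoleNotUsed         = "serviceRoleNotUsed: ServiceRole %q at namespace %q.\n"
	PolicyValid         = "Authorization policy is valid.\n"
	ValidButNoRBACFound = "Valid (no Authorization policy found).\n"
)

// Minimal stand-ins (assumed here) for the RBAC v1alpha1 objects a validator reads from policy files.
type ServiceRole struct{ Name, Namespace string }
type ServiceRoleBinding struct{ Name, Namespace, RoleRef string } // RoleRef names a ServiceRole in the same namespace

func roleKey(namespace, name string) string { return namespace + "/" + name }

// CheckRBAC returns a report listing bindings whose role is missing and roles no binding uses,
// in the page's report formats; with no findings it returns PolicyValid, and with no policy at all
// it returns ValidButNoRBACFound.
func CheckRBAC(roles []ServiceRole, bindings []ServiceRoleBinding) string {
	if len(roles) == 0 && len(bindings) == 0 {
		return ValidButNoRBACFound
	}
	used := make(map[string]bool, len(roles)) // namespace/name -> referenced by some binding
	for _, r := range roles {
		used[roleKey(r.Namespace, r.Name)] = false
	}
	var report strings.Builder
	for _, b := range bindings {
		key := roleKey(b.Namespace, b.RoleRef)
		if _, exists := used[key]; !exists {
			fmt.Fprintf(&report, RoleNotFound, b.RoleRef, b.Name, b.Namespace)
			continue
		}
		used[key] = true
	}
	for _, r := range roles { // walk the slice, not the map, so output order is deterministic
		if !used[roleKey(r.Namespace, r.Name)] {
			fmt.Fprintf(&report, RoleNotUsed, r.Name, r.Namespace)
		}
	}
	if report.Len() == 0 {
		return PolicyValid
	}
	return report.String()
}
```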

type WorkloadLabels

type WorkloadLabels map[string]string

WorkloadLabels holds the labels of a workload, for example app: productpage.

Package auth imports 41 packages and is imported by 2 packages. Updated 2019-10-22.