istio
/
api
mirror of https://github.com/istio/api.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adds Service Type to PolicyTargetReference API Docs (#3199) 

Previously, only a Gateway resource was defined as a supported
attachment type. This PR updates the API docs to include a Service
as a supported type and also fixes an incorrect link to Gateway API
documentation.

Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>
This commit is contained in:
Daneyon Hansen 2024-05-15 19:29:11 -07:00 committed by GitHub
parent 4252b0d3c7
commit 2b5bf4c8a0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
24 changed files with 99 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
extensions/v1alpha1/wasm.pb.go generated
View File

@ -555,12 +555,13 @@ type WasmPlugin struct {
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// $hide_from_docs
TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,15,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
extensions/v1alpha1/wasm.pb.html generated
View File

@ -203,12 +203,13 @@ No
<td><code>targetRefs</code></td>
<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td>
<p>Optional. The targetRef specifies the gateway the policy should be
applied to. The targeted resource specified will determine which
workloads the policy applies to.</p>
<p>Optional. The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

7
extensions/v1alpha1/wasm.proto
View File

@ -250,12 +250,13 @@ message WasmPlugin {
// $hide_from_docs
istio.type.v1beta1.PolicyTargetReference targetRef = 15;
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
networking/v1alpha3/envoy_filter.pb.go generated
View File

@ -834,12 +834,13 @@ type EnvoyFilter struct {
// in the config root namespace, it will be applied to all applicable
// workloads in any namespace.
WorkloadSelector *WorkloadSelector `protobuf:"bytes,3,opt,name=workload_selector,json=workloadSelector,proto3" json:"workload_selector,omitempty"`
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
networking/v1alpha3/envoy_filter.pb.html generated
View File

@ -387,12 +387,13 @@ No
<td><code>targetRefs</code></td>
<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td>
<p>Optional. The targetRef specifies the gateway the policy should be
applied to. The targeted resource specified will determine which
workloads the policy applies to.</p>
<p>Optional. The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

7
networking/v1alpha3/envoy_filter.proto
View File

@ -849,12 +849,13 @@ message EnvoyFilter {
// workloads in any namespace.
WorkloadSelector workload_selector = 3;
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
security/v1/authorization_policy.pb.go generated
View File

@ -381,12 +381,13 @@ type AuthorizationPolicy struct {
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// $hide_from_docs
TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
security/v1/authorization_policy.proto
View File

@ -272,12 +272,13 @@ message AuthorizationPolicy {
// $hide_from_docs
istio.type.v1beta1.PolicyTargetReference targetRef = 5;
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
security/v1/request_authentication.pb.go generated
View File

@ -308,12 +308,13 @@ type RequestAuthentication struct {
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// $hide_from_docs
TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,3,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
security/v1/request_authentication.proto
View File

@ -250,12 +250,13 @@ message RequestAuthentication {
// $hide_from_docs
istio.type.v1beta1.PolicyTargetReference targetRef = 3;
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
security/v1beta1/authorization_policy.pb.go generated
View File

@ -396,12 +396,13 @@ type AuthorizationPolicy struct {
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// $hide_from_docs
TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
security/v1beta1/authorization_policy.pb.html generated
View File

@ -228,12 +228,13 @@ No
<td><code>targetRefs</code></td>
<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td>
<p>Optional. The targetRef specifies the gateway the policy should be
applied to. The targeted resource specified will determine which
workloads the policy applies to.</p>
<p>Optional. The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

7
security/v1beta1/authorization_policy.proto
View File

@ -287,12 +287,13 @@ message AuthorizationPolicy {
// $hide_from_docs
istio.type.v1beta1.PolicyTargetReference targetRef = 5;
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
security/v1beta1/request_authentication.pb.go generated
View File

@ -318,12 +318,13 @@ type RequestAuthentication struct {
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// $hide_from_docs
TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,3,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
security/v1beta1/request_authentication.pb.html generated
View File

@ -232,12 +232,13 @@ No
<td><code>targetRefs</code></td>
<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td>
<p>Optional. The targetRef specifies the gateway the policy should be
applied to. The targeted resource specified will determine which
workloads the policy applies to.</p>
<p>Optional. The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

7
security/v1beta1/request_authentication.proto
View File

@ -260,12 +260,13 @@ message RequestAuthentication {
// $hide_from_docs
istio.type.v1beta1.PolicyTargetReference targetRef = 3;
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
telemetry/v1/telemetry.pb.go generated
View File

@ -545,12 +545,13 @@ type Telemetry struct {
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// $hide_from_docs
TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
telemetry/v1/telemetry.proto
View File

@ -257,12 +257,13 @@ message Telemetry {
// $hide_from_docs
istio.type.v1beta1.PolicyTargetReference targetRef = 5;
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
telemetry/v1alpha1/telemetry.pb.go generated
View File

@ -560,12 +560,13 @@ type Telemetry struct {
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// $hide_from_docs
TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

7
telemetry/v1alpha1/telemetry.pb.html generated
View File

@ -221,12 +221,13 @@ No
<td><code>targetRefs</code></td>
<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td>
<p>Optional. The targetRef specifies the gateway the policy should be
applied to. The targeted resource specified will determine which
workloads the policy applies to.</p>
<p>Optional. The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
<ul>
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
<li><code>kind: Service</code> with <code>&quot;&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
</ul>
<p>If not set, the policy is applied as defined by the selector.
At most one of the selector and targetRefs can be set.</p>

7
telemetry/v1alpha1/telemetry.proto
View File

@ -272,12 +272,13 @@ message Telemetry {
// $hide_from_docs
istio.type.v1beta1.PolicyTargetReference targetRef = 5;
// Optional. The targetRef specifies the gateway the policy should be
// applied to. The targeted resource specified will determine which
// workloads the policy applies to.
// Optional. The targetRefs specifies a list of resources the policy should be
// applied to. The targeted resources specified will determine which workloads
// the policy applies to.
//
// Currently, the following resource attachment types are supported:
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
//
// If not set, the policy is applied as defined by the selector.
// At most one of the selector and targetRefs can be set.

10
type/v1beta1/selector.pb.go generated
View File

@ -213,10 +213,10 @@ func (x *PortSelector) GetNumber() uint32 {
return 0
}
// PolicyTargetReference format as defined by [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api).
// PolicyTargetReference format as defined by [GEP-2648](https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules).
//
// PolicyTargetReferences specifies the targeted resource which the policy
// can be applied to. It must only target a single resource at a time, but it
// PolicyTargetReference specifies the targeted resource which the policy
// should be applied to. It must only target a single resource at a time, but it
// can be used to target larger resources such as Gateways that may apply to
// multiple child resources. The PolicyTargetReference will be used instead of
// a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
@ -237,8 +237,8 @@ func (x *PortSelector) GetNumber() uint32 {
//
// spec:
//
// targetRef:
// name: waypoint
// targetRefs:
// - name: waypoint
// kind: Gateway
// group: gateway.networking.k8s.io
// action: DENY

10
type/v1beta1/selector.pb.html generated
View File

@ -72,9 +72,9 @@ Yes
</section>
<h2 id="PolicyTargetReference">PolicyTargetReference</h2>
<section>
<p>PolicyTargetReference format as defined by <a href="https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api">GEP-713</a>.</p>
<p>PolicyTargetReferences specifies the targeted resource which the policy
can be applied to. It must only target a single resource at a time, but it
<p>PolicyTargetReference format as defined by <a href="https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules">GEP-2648</a>.</p>
<p>PolicyTargetReference specifies the targeted resource which the policy
should be applied to. It must only target a single resource at a time, but it
can be used to target larger resources such as Gateways that may apply to
multiple child resources. The PolicyTargetReference will be used instead of
a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
@ -89,8 +89,8 @@ metadata:
name: httpbin
namespace: foo
spec:
targetRef:
name: waypoint
targetRefs:
- name: waypoint
kind: Gateway
group: gateway.networking.k8s.io
action: DENY

10
type/v1beta1/selector.proto
View File

@ -69,10 +69,10 @@ enum WorkloadMode {
CLIENT_AND_SERVER = 3;
}
// PolicyTargetReference format as defined by [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api).
// PolicyTargetReference format as defined by [GEP-2648](https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules).
//
// PolicyTargetReferences specifies the targeted resource which the policy
// can be applied to. It must only target a single resource at a time, but it
// PolicyTargetReference specifies the targeted resource which the policy
// should be applied to. It must only target a single resource at a time, but it
// can be used to target larger resources such as Gateways that may apply to
// multiple child resources. The PolicyTargetReference will be used instead of
// a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
@ -90,8 +90,8 @@ enum WorkloadMode {
// name: httpbin
// namespace: foo
// spec:
// targetRef:
// name: waypoint
// targetRefs:
// - name: waypoint
// kind: Gateway
// group: gateway.networking.k8s.io
// action: DENY