targetRefsPolicyTargetReference[]Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.
+Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.
Currently, the following resource attachment types are supported:
kind: Gateway with group: gateway.networking.k8s.io in the same namespace.kind: Service with "" in the same namespace. This type is only supported for waypoints.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/extensions/v1alpha1/wasm.proto b/extensions/v1alpha1/wasm.proto index ca860b5d..3c1720d2 100644 --- a/extensions/v1alpha1/wasm.proto +++ b/extensions/v1alpha1/wasm.proto @@ -250,12 +250,13 @@ message WasmPlugin { // $hide_from_docs istio.type.v1beta1.PolicyTargetReference targetRef = 15; - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/networking/v1alpha3/envoy_filter.pb.go b/networking/v1alpha3/envoy_filter.pb.go index 12d86c58..b52578d2 100644 --- a/networking/v1alpha3/envoy_filter.pb.go +++ b/networking/v1alpha3/envoy_filter.pb.go @@ -834,12 +834,13 @@ type EnvoyFilter struct { // in the config root namespace, it will be applied to all applicable // workloads in any namespace. WorkloadSelector *WorkloadSelector `protobuf:"bytes,3,opt,name=workload_selector,json=workloadSelector,proto3" json:"workload_selector,omitempty"` - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/networking/v1alpha3/envoy_filter.pb.html b/networking/v1alpha3/envoy_filter.pb.html index 62afad25..2abc80be 100644 --- a/networking/v1alpha3/envoy_filter.pb.html +++ b/networking/v1alpha3/envoy_filter.pb.html @@ -387,12 +387,13 @@ NotargetRefsPolicyTargetReference[]Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.
+Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.
Currently, the following resource attachment types are supported:
kind: Gateway with group: gateway.networking.k8s.io in the same namespace.kind: Service with "" in the same namespace. This type is only supported for waypoints.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/networking/v1alpha3/envoy_filter.proto b/networking/v1alpha3/envoy_filter.proto index 65ea51ca..ded85cf9 100644 --- a/networking/v1alpha3/envoy_filter.proto +++ b/networking/v1alpha3/envoy_filter.proto @@ -849,12 +849,13 @@ message EnvoyFilter { // workloads in any namespace. WorkloadSelector workload_selector = 3; - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1/authorization_policy.pb.go b/security/v1/authorization_policy.pb.go index e41f1771..fedd801c 100644 --- a/security/v1/authorization_policy.pb.go +++ b/security/v1/authorization_policy.pb.go @@ -381,12 +381,13 @@ type AuthorizationPolicy struct { Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // $hide_from_docs TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"` - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1/authorization_policy.proto b/security/v1/authorization_policy.proto index 39243981..662606fc 100644 --- a/security/v1/authorization_policy.proto +++ b/security/v1/authorization_policy.proto @@ -272,12 +272,13 @@ message AuthorizationPolicy { // $hide_from_docs istio.type.v1beta1.PolicyTargetReference targetRef = 5; - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1/request_authentication.pb.go b/security/v1/request_authentication.pb.go index b80cdada..3c843efc 100644 --- a/security/v1/request_authentication.pb.go +++ b/security/v1/request_authentication.pb.go @@ -308,12 +308,13 @@ type RequestAuthentication struct { Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // $hide_from_docs TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,3,opt,name=targetRef,proto3" json:"targetRef,omitempty"` - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1/request_authentication.proto b/security/v1/request_authentication.proto index 55bea791..ef409203 100644 --- a/security/v1/request_authentication.proto +++ b/security/v1/request_authentication.proto @@ -250,12 +250,13 @@ message RequestAuthentication { // $hide_from_docs istio.type.v1beta1.PolicyTargetReference targetRef = 3; - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1beta1/authorization_policy.pb.go b/security/v1beta1/authorization_policy.pb.go index d9837d12..22358547 100644 --- a/security/v1beta1/authorization_policy.pb.go +++ b/security/v1beta1/authorization_policy.pb.go @@ -396,12 +396,13 @@ type AuthorizationPolicy struct { Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // $hide_from_docs TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"` - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1beta1/authorization_policy.pb.html b/security/v1beta1/authorization_policy.pb.html index edac3f5a..cfe35835 100644 --- a/security/v1beta1/authorization_policy.pb.html +++ b/security/v1beta1/authorization_policy.pb.html @@ -228,12 +228,13 @@ NotargetRefsPolicyTargetReference[]Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.
+Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.
Currently, the following resource attachment types are supported:
kind: Gateway with group: gateway.networking.k8s.io in the same namespace.kind: Service with "" in the same namespace. This type is only supported for waypoints.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/authorization_policy.proto b/security/v1beta1/authorization_policy.proto index 0feaad66..2ae41d3f 100644 --- a/security/v1beta1/authorization_policy.proto +++ b/security/v1beta1/authorization_policy.proto @@ -287,12 +287,13 @@ message AuthorizationPolicy { // $hide_from_docs istio.type.v1beta1.PolicyTargetReference targetRef = 5; - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1beta1/request_authentication.pb.go b/security/v1beta1/request_authentication.pb.go index 04f8c5ed..8cbd0da1 100644 --- a/security/v1beta1/request_authentication.pb.go +++ b/security/v1beta1/request_authentication.pb.go @@ -318,12 +318,13 @@ type RequestAuthentication struct { Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // $hide_from_docs TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,3,opt,name=targetRef,proto3" json:"targetRef,omitempty"` - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1beta1/request_authentication.pb.html b/security/v1beta1/request_authentication.pb.html index 2e09d722..67f50a99 100644 --- a/security/v1beta1/request_authentication.pb.html +++ b/security/v1beta1/request_authentication.pb.html @@ -232,12 +232,13 @@ NotargetRefsPolicyTargetReference[]Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.
+Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.
Currently, the following resource attachment types are supported:
kind: Gateway with group: gateway.networking.k8s.io in the same namespace.kind: Service with "" in the same namespace. This type is only supported for waypoints.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/request_authentication.proto b/security/v1beta1/request_authentication.proto index f33df356..4969958b 100644 --- a/security/v1beta1/request_authentication.proto +++ b/security/v1beta1/request_authentication.proto @@ -260,12 +260,13 @@ message RequestAuthentication { // $hide_from_docs istio.type.v1beta1.PolicyTargetReference targetRef = 3; - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/telemetry/v1/telemetry.pb.go b/telemetry/v1/telemetry.pb.go index a5fd6305..69ed3009 100644 --- a/telemetry/v1/telemetry.pb.go +++ b/telemetry/v1/telemetry.pb.go @@ -545,12 +545,13 @@ type Telemetry struct { Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // $hide_from_docs TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"` - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/telemetry/v1/telemetry.proto b/telemetry/v1/telemetry.proto index 5e76d8e2..97e98f02 100644 --- a/telemetry/v1/telemetry.proto +++ b/telemetry/v1/telemetry.proto @@ -257,12 +257,13 @@ message Telemetry { // $hide_from_docs istio.type.v1beta1.PolicyTargetReference targetRef = 5; - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/telemetry/v1alpha1/telemetry.pb.go b/telemetry/v1alpha1/telemetry.pb.go index 0e6b39c9..f936aaa7 100644 --- a/telemetry/v1alpha1/telemetry.pb.go +++ b/telemetry/v1alpha1/telemetry.pb.go @@ -560,12 +560,13 @@ type Telemetry struct { Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` // $hide_from_docs TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"` - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/telemetry/v1alpha1/telemetry.pb.html b/telemetry/v1alpha1/telemetry.pb.html index 57ae0546..64a1b54f 100644 --- a/telemetry/v1alpha1/telemetry.pb.html +++ b/telemetry/v1alpha1/telemetry.pb.html @@ -221,12 +221,13 @@ NotargetRefsPolicyTargetReference[]Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.
+Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.
Currently, the following resource attachment types are supported:
kind: Gateway with group: gateway.networking.k8s.io in the same namespace.kind: Service with "" in the same namespace. This type is only supported for waypoints.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/telemetry/v1alpha1/telemetry.proto b/telemetry/v1alpha1/telemetry.proto index 49773955..ff83cef6 100644 --- a/telemetry/v1alpha1/telemetry.proto +++ b/telemetry/v1alpha1/telemetry.proto @@ -272,12 +272,13 @@ message Telemetry { // $hide_from_docs istio.type.v1beta1.PolicyTargetReference targetRef = 5; - // Optional. The targetRef specifies the gateway the policy should be - // applied to. The targeted resource specified will determine which - // workloads the policy applies to. + // Optional. The targetRefs specifies a list of resources the policy should be + // applied to. The targeted resources specified will determine which workloads + // the policy applies to. // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/type/v1beta1/selector.pb.go b/type/v1beta1/selector.pb.go index 18566ca1..6ef08d55 100644 --- a/type/v1beta1/selector.pb.go +++ b/type/v1beta1/selector.pb.go @@ -213,10 +213,10 @@ func (x *PortSelector) GetNumber() uint32 { return 0 } -// PolicyTargetReference format as defined by [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api). +// PolicyTargetReference format as defined by [GEP-2648](https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules). // -// PolicyTargetReferences specifies the targeted resource which the policy -// can be applied to. It must only target a single resource at a time, but it +// PolicyTargetReference specifies the targeted resource which the policy +// should be applied to. It must only target a single resource at a time, but it // can be used to target larger resources such as Gateways that may apply to // multiple child resources. The PolicyTargetReference will be used instead of // a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy, @@ -237,8 +237,8 @@ func (x *PortSelector) GetNumber() uint32 { // // spec: // -// targetRef: -// name: waypoint +// targetRefs: +// - name: waypoint // kind: Gateway // group: gateway.networking.k8s.io // action: DENY diff --git a/type/v1beta1/selector.pb.html b/type/v1beta1/selector.pb.html index 387eb86d..62da10a2 100644 --- a/type/v1beta1/selector.pb.html +++ b/type/v1beta1/selector.pb.html @@ -72,9 +72,9 @@ YesPolicyTargetReference format as defined by GEP-713.
-PolicyTargetReferences specifies the targeted resource which the policy -can be applied to. It must only target a single resource at a time, but it +
PolicyTargetReference format as defined by GEP-2648.
+PolicyTargetReference specifies the targeted resource which the policy +should be applied to. It must only target a single resource at a time, but it can be used to target larger resources such as Gateways that may apply to multiple child resources. The PolicyTargetReference will be used instead of a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy, @@ -89,8 +89,8 @@ metadata: name: httpbin namespace: foo spec: - targetRef: - name: waypoint + targetRefs: + - name: waypoint kind: Gateway group: gateway.networking.k8s.io action: DENY diff --git a/type/v1beta1/selector.proto b/type/v1beta1/selector.proto index a605312c..36dcfc90 100644 --- a/type/v1beta1/selector.proto +++ b/type/v1beta1/selector.proto @@ -69,10 +69,10 @@ enum WorkloadMode { CLIENT_AND_SERVER = 3; } -// PolicyTargetReference format as defined by [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api). +// PolicyTargetReference format as defined by [GEP-2648](https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules). // -// PolicyTargetReferences specifies the targeted resource which the policy -// can be applied to. It must only target a single resource at a time, but it +// PolicyTargetReference specifies the targeted resource which the policy +// should be applied to. It must only target a single resource at a time, but it // can be used to target larger resources such as Gateways that may apply to // multiple child resources. The PolicyTargetReference will be used instead of // a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy, @@ -90,8 +90,8 @@ enum WorkloadMode { // name: httpbin // namespace: foo // spec: -// targetRef: -// name: waypoint +// targetRefs: +// - name: waypoint // kind: Gateway // group: gateway.networking.k8s.io // action: DENY