istio
/
api
mirror of https://github.com/istio/api.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PeerAuthentication Graduation to v1 (#3112) 

* bump peer auth to v1

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* update sync

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* Add release notes

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* run make gen

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* Fix release notes

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* Update release notes

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* Update release notes

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* make gen

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* fix gen-check

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

---------

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
This commit is contained in:
Whitney Griffith 2024-03-13 19:19:34 -04:00 committed by GitHub
parent c6ba867f73
commit 339eb52daa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 811 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
kubernetes/customresourcedefinitions.gen.yaml generated
View File

@ -8056,6 +8056,79 @@ spec:
singular: peerauthentication
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Defines the mTLS mode used for peer authentication.
jsonPath: .spec.mtls.mode
name: Mode
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
properties:
spec:
description: 'Peer authentication configuration for workloads. See more
details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
properties:
mtls:
description: Mutual TLS settings for workload.
properties:
mode:
description: |-
Defines the mTLS mode used for peer authentication.
Valid Options: DISABLE, PERMISSIVE, STRICT
enum:
- UNSET
- DISABLE
- PERMISSIVE
- STRICT
type: string
type: object
portLevelMtls:
additionalProperties:
properties:
mode:
description: |-
Defines the mTLS mode used for peer authentication.
Valid Options: DISABLE, PERMISSIVE, STRICT
enum:
- UNSET
- DISABLE
- PERMISSIVE
- STRICT
type: string
type: object
description: Port specific mutual TLS settings.
type: object
selector:
description: The selector determines the workloads to apply the PeerAuthentication
on.
properties:
matchLabels:
additionalProperties:
type: string
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
type: object
type: object
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- description: Defines the mTLS mode used for peer authentication.
jsonPath: .spec.mtls.mode

6
releasenotes/notes/promote-peer-auth-v1.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: release-notes/v2
kind: feature
area: security
releaseNotes:
- |
**Promoted** PeerAuthentication API to v1.

476
security/v1/peer_authentication.pb.go generated Normal file
View File

@ -0,0 +1,476 @@
// Copyright 2020 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc (unknown)
// source: security/v1/peer_authentication.proto
// $schema: istio.security.v1.PeerAuthentication
// $title: PeerAuthentication
// $description: Peer authentication configuration for workloads.
// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
// $aliases: [/docs/reference/config/security/v1/peer_authentication]
// $mode: none
package v1
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
v1beta1 "istio.io/api/type/v1beta1"
reflect "reflect"
sync "sync"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
type PeerAuthentication_MutualTLS_Mode int32
const (
// Inherit from parent, if has one. Otherwise treated as `PERMISSIVE`.
PeerAuthentication_MutualTLS_UNSET PeerAuthentication_MutualTLS_Mode = 0
// Connection is not tunneled.
PeerAuthentication_MutualTLS_DISABLE PeerAuthentication_MutualTLS_Mode = 1
// Connection can be either plaintext or mTLS tunnel.
PeerAuthentication_MutualTLS_PERMISSIVE PeerAuthentication_MutualTLS_Mode = 2
// Connection is an mTLS tunnel (TLS with client cert must be presented).
PeerAuthentication_MutualTLS_STRICT PeerAuthentication_MutualTLS_Mode = 3
)
// Enum value maps for PeerAuthentication_MutualTLS_Mode.
var (
PeerAuthentication_MutualTLS_Mode_name = map[int32]string{
0: "UNSET",
1: "DISABLE",
2: "PERMISSIVE",
3: "STRICT",
}
PeerAuthentication_MutualTLS_Mode_value = map[string]int32{
"UNSET": 0,
"DISABLE": 1,
"PERMISSIVE": 2,
"STRICT": 3,
}
)
func (x PeerAuthentication_MutualTLS_Mode) Enum() *PeerAuthentication_MutualTLS_Mode {
p := new(PeerAuthentication_MutualTLS_Mode)
*p = x
return p
}
func (x PeerAuthentication_MutualTLS_Mode) String() string {
return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
}
func (PeerAuthentication_MutualTLS_Mode) Descriptor() protoreflect.EnumDescriptor {
return file_security_v1_peer_authentication_proto_enumTypes[0].Descriptor()
}
func (PeerAuthentication_MutualTLS_Mode) Type() protoreflect.EnumType {
return &file_security_v1_peer_authentication_proto_enumTypes[0]
}
func (x PeerAuthentication_MutualTLS_Mode) Number() protoreflect.EnumNumber {
return protoreflect.EnumNumber(x)
}
// Deprecated: Use PeerAuthentication_MutualTLS_Mode.Descriptor instead.
func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) {
return file_security_v1_peer_authentication_proto_rawDescGZIP(), []int{0, 0, 0}
}
// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
//
// Examples:
//
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
// ```yaml
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
//
// name: default
// namespace: foo
//
// spec:
//
// mtls:
// mode: STRICT
//
// ```
// For mesh level, put the policy in root-namespace according to your Istio installation.
//
// Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but
// require mTLS for workload `finance`.
// ```yaml
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
//
// name: default
// namespace: foo
//
// spec:
//
// mtls:
// mode: PERMISSIVE
//
// ---
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
//
// name: finance
// namespace: foo
//
// spec:
//
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: STRICT
//
// ```
// Policy that enables strict mTLS for all workloads, but leaves the port `8080` to
// plaintext. Note the port value in the `portLevelMtls` field refers to the port
// of the workload, not the port of the Kubernetes service.
// ```yaml
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
//
// name: default
// namespace: foo
//
// spec:
//
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: STRICT
// portLevelMtls:
// 8080:
// mode: DISABLE
//
// ```
// Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
// mTLS for workload port `8080`.
// ```yaml
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
//
// name: default
// namespace: foo
//
// spec:
//
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: UNSET
// portLevelMtls:
// 8080:
// mode: DISABLE
//
// ```
//
// <!-- crd generation tags
// +cue-gen:PeerAuthentication:groupName:security.istio.io
// +cue-gen:PeerAuthentication:version:v1
// +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep
// +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:PeerAuthentication:subresource:status
// +cue-gen:PeerAuthentication:scope:Namespaced
// +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa
// +cue-gen:PeerAuthentication:preserveUnknownFields:false
// +cue-gen:PeerAuthentication:printerColumn:name=Mode,type=string,JSONPath=.spec.mtls.mode,description="Defines the mTLS mode used for peer authentication."
// +cue-gen:PeerAuthentication:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1
// +genclient
// +k8s:deepcopy-gen=true
// -->
// <!-- istio code generation tags
// +istio.io/sync-from:security/v1beta1/peer_authentication.proto
// -->
type PeerAuthentication struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the
// same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.
//
// If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied
// to all workloads in the mesh.
Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
// Mutual TLS settings for workload. If not defined, inherit from parent.
Mtls *PeerAuthentication_MutualTLS `protobuf:"bytes,2,opt,name=mtls,proto3" json:"mtls,omitempty"`
// Port specific mutual TLS settings. These only apply when a workload selector
// is specified. The port refers to the port of the workload, not the port of the
// Kubernetes service.
PortLevelMtls map[uint32]*PeerAuthentication_MutualTLS `protobuf:"bytes,3,rep,name=port_level_mtls,json=portLevelMtls,proto3" json:"port_level_mtls,omitempty" protobuf_key:"varint,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
}
func (x *PeerAuthentication) Reset() {
*x = PeerAuthentication{}
if protoimpl.UnsafeEnabled {
mi := &file_security_v1_peer_authentication_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *PeerAuthentication) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*PeerAuthentication) ProtoMessage() {}
func (x *PeerAuthentication) ProtoReflect() protoreflect.Message {
mi := &file_security_v1_peer_authentication_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use PeerAuthentication.ProtoReflect.Descriptor instead.
func (*PeerAuthentication) Descriptor() ([]byte, []int) {
return file_security_v1_peer_authentication_proto_rawDescGZIP(), []int{0}
}
func (x *PeerAuthentication) GetSelector() *v1beta1.WorkloadSelector {
if x != nil {
return x.Selector
}
return nil
}
func (x *PeerAuthentication) GetMtls() *PeerAuthentication_MutualTLS {
if x != nil {
return x.Mtls
}
return nil
}
func (x *PeerAuthentication) GetPortLevelMtls() map[uint32]*PeerAuthentication_MutualTLS {
if x != nil {
return x.PortLevelMtls
}
return nil
}
// Mutual TLS settings.
type PeerAuthentication_MutualTLS struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// Defines the mTLS mode used for peer authentication.
Mode PeerAuthentication_MutualTLS_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.security.v1.PeerAuthentication_MutualTLS_Mode" json:"mode,omitempty"`
}
func (x *PeerAuthentication_MutualTLS) Reset() {
*x = PeerAuthentication_MutualTLS{}
if protoimpl.UnsafeEnabled {
mi := &file_security_v1_peer_authentication_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *PeerAuthentication_MutualTLS) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*PeerAuthentication_MutualTLS) ProtoMessage() {}
func (x *PeerAuthentication_MutualTLS) ProtoReflect() protoreflect.Message {
mi := &file_security_v1_peer_authentication_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use PeerAuthentication_MutualTLS.ProtoReflect.Descriptor instead.
func (*PeerAuthentication_MutualTLS) Descriptor() ([]byte, []int) {
return file_security_v1_peer_authentication_proto_rawDescGZIP(), []int{0, 0}
}
func (x *PeerAuthentication_MutualTLS) GetMode() PeerAuthentication_MutualTLS_Mode {
if x != nil {
return x.Mode
}
return PeerAuthentication_MutualTLS_UNSET
}
var File_security_v1_peer_authentication_proto protoreflect.FileDescriptor
var file_security_v1_peer_authentication_proto_rawDesc = []byte{
0x0a, 0x25, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x65,
0x65, 0x72, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73,
0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1b, 0x74, 0x79, 0x70, 0x65,
0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f,
0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x84, 0x04, 0x0a, 0x12, 0x50, 0x65, 0x65, 0x72,
0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x40,
0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x24, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31,
0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65,
0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72,
0x12, 0x43, 0x0a, 0x04, 0x6d, 0x74, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f,
0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e,
0x76, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x54, 0x4c, 0x53, 0x52,
0x04, 0x6d, 0x74, 0x6c, 0x73, 0x12, 0x60, 0x0a, 0x0f, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x6c, 0x65,
0x76, 0x65, 0x6c, 0x5f, 0x6d, 0x74, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x38,
0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e,
0x76, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x4d,
0x74, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x4c, 0x65,
0x76, 0x65, 0x6c, 0x4d, 0x74, 0x6c, 0x73, 0x1a, 0x91, 0x01, 0x0a, 0x09, 0x4d, 0x75, 0x74, 0x75,
0x61, 0x6c, 0x54, 0x4c, 0x53, 0x12, 0x48, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20,
0x01, 0x28, 0x0e, 0x32, 0x34, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75,
0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68,
0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61,
0x6c, 0x54, 0x4c, 0x53, 0x2e, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x22,
0x3a, 0x0a, 0x04, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x4e, 0x53, 0x45, 0x54,
0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x44, 0x49, 0x53, 0x41, 0x42, 0x4c, 0x45, 0x10, 0x01, 0x12,
0x0e, 0x0a, 0x0a, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x02, 0x12,
0x0a, 0x0a, 0x06, 0x53, 0x54, 0x52, 0x49, 0x43, 0x54, 0x10, 0x03, 0x1a, 0x71, 0x0a, 0x12, 0x50,
0x6f, 0x72, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x4d, 0x74, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72,
0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03,
0x6b, 0x65, 0x79, 0x12, 0x45, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72,
0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x65,
0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c,
0x54, 0x4c, 0x53, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x1a,
0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73,
0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x33,
}
var (
file_security_v1_peer_authentication_proto_rawDescOnce sync.Once
file_security_v1_peer_authentication_proto_rawDescData = file_security_v1_peer_authentication_proto_rawDesc
)
func file_security_v1_peer_authentication_proto_rawDescGZIP() []byte {
file_security_v1_peer_authentication_proto_rawDescOnce.Do(func() {
file_security_v1_peer_authentication_proto_rawDescData = protoimpl.X.CompressGZIP(file_security_v1_peer_authentication_proto_rawDescData)
})
return file_security_v1_peer_authentication_proto_rawDescData
}
var file_security_v1_peer_authentication_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
var file_security_v1_peer_authentication_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
var file_security_v1_peer_authentication_proto_goTypes = []interface{}{
(PeerAuthentication_MutualTLS_Mode)(0), // 0: istio.security.v1.PeerAuthentication.MutualTLS.Mode
(*PeerAuthentication)(nil), // 1: istio.security.v1.PeerAuthentication
(*PeerAuthentication_MutualTLS)(nil), // 2: istio.security.v1.PeerAuthentication.MutualTLS
nil, // 3: istio.security.v1.PeerAuthentication.PortLevelMtlsEntry
(*v1beta1.WorkloadSelector)(nil), // 4: istio.type.v1beta1.WorkloadSelector
}
var file_security_v1_peer_authentication_proto_depIdxs = []int32{
4, // 0: istio.security.v1.PeerAuthentication.selector:type_name -> istio.type.v1beta1.WorkloadSelector
2, // 1: istio.security.v1.PeerAuthentication.mtls:type_name -> istio.security.v1.PeerAuthentication.MutualTLS
3, // 2: istio.security.v1.PeerAuthentication.port_level_mtls:type_name -> istio.security.v1.PeerAuthentication.PortLevelMtlsEntry
0, // 3: istio.security.v1.PeerAuthentication.MutualTLS.mode:type_name -> istio.security.v1.PeerAuthentication.MutualTLS.Mode
2, // 4: istio.security.v1.PeerAuthentication.PortLevelMtlsEntry.value:type_name -> istio.security.v1.PeerAuthentication.MutualTLS
5, // [5:5] is the sub-list for method output_type
5, // [5:5] is the sub-list for method input_type
5, // [5:5] is the sub-list for extension type_name
5, // [5:5] is the sub-list for extension extendee
0, // [0:5] is the sub-list for field type_name
}
func init() { file_security_v1_peer_authentication_proto_init() }
func file_security_v1_peer_authentication_proto_init() {
if File_security_v1_peer_authentication_proto != nil {
return
}
if !protoimpl.UnsafeEnabled {
file_security_v1_peer_authentication_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*PeerAuthentication); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_security_v1_peer_authentication_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*PeerAuthentication_MutualTLS); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_security_v1_peer_authentication_proto_rawDesc,
NumEnums: 1,
NumMessages: 3,
NumExtensions: 0,
NumServices: 0,
},
GoTypes: file_security_v1_peer_authentication_proto_goTypes,
DependencyIndexes: file_security_v1_peer_authentication_proto_depIdxs,
EnumInfos: file_security_v1_peer_authentication_proto_enumTypes,
MessageInfos: file_security_v1_peer_authentication_proto_msgTypes,
}.Build()
File_security_v1_peer_authentication_proto = out.File
file_security_v1_peer_authentication_proto_rawDesc = nil
file_security_v1_peer_authentication_proto_goTypes = nil
file_security_v1_peer_authentication_proto_depIdxs = nil
}

168
security/v1/peer_authentication.proto Normal file
View File

@ -0,0 +1,168 @@
// Copyright 2020 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "type/v1beta1/selector.proto";
// $schema: istio.security.v1.PeerAuthentication
// $title: PeerAuthentication
// $description: Peer authentication configuration for workloads.
// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
// $aliases: [/docs/reference/config/security/v1/peer_authentication]
// $mode: none
package istio.security.v1;
option go_package="istio.io/api/security/v1";
// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
//
// Examples:
//
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
// ```yaml
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// mtls:
// mode: STRICT
// ```
// For mesh level, put the policy in root-namespace according to your Istio installation.
//
// Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but
// require mTLS for workload `finance`.
// ```yaml
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// mtls:
// mode: PERMISSIVE
// ---
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
// name: finance
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: STRICT
// ```
// Policy that enables strict mTLS for all workloads, but leaves the port `8080` to
// plaintext. Note the port value in the `portLevelMtls` field refers to the port
// of the workload, not the port of the Kubernetes service.
// ```yaml
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: STRICT
// portLevelMtls:
// 8080:
// mode: DISABLE
// ```
// Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
// mTLS for workload port `8080`.
// ```yaml
// apiVersion: security.istio.io/v1
// kind: PeerAuthentication
// metadata:
// name: default
// namespace: foo
// spec:
// selector:
// matchLabels:
// app: finance
// mtls:
// mode: UNSET
// portLevelMtls:
// 8080:
// mode: DISABLE
// ```
//
// <!-- crd generation tags
// +cue-gen:PeerAuthentication:groupName:security.istio.io
// +cue-gen:PeerAuthentication:version:v1
// +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep
// +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:PeerAuthentication:subresource:status
// +cue-gen:PeerAuthentication:scope:Namespaced
// +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa
// +cue-gen:PeerAuthentication:preserveUnknownFields:false
// +cue-gen:PeerAuthentication:printerColumn:name=Mode,type=string,JSONPath=.spec.mtls.mode,description="Defines the mTLS mode used for peer authentication."
// +cue-gen:PeerAuthentication:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1
// +genclient
// +k8s:deepcopy-gen=true
// -->
// <!-- istio code generation tags
// +istio.io/sync-from:security/v1beta1/peer_authentication.proto
// -->
message PeerAuthentication {
// The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the
// same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.
//
// If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied
// to all workloads in the mesh.
istio.type.v1beta1.WorkloadSelector selector = 1;
// Mutual TLS settings.
message MutualTLS {
enum Mode {
// Inherit from parent, if has one. Otherwise treated as `PERMISSIVE`.
UNSET = 0;
// Connection is not tunneled.
DISABLE = 1;
// Connection can be either plaintext or mTLS tunnel.
PERMISSIVE = 2;
// Connection is an mTLS tunnel (TLS with client cert must be presented).
STRICT = 3;
}
// Defines the mTLS mode used for peer authentication.
Mode mode = 1;
}
// Mutual TLS settings for workload. If not defined, inherit from parent.
MutualTLS mtls = 2;
// Port specific mutual TLS settings. These only apply when a workload selector
// is specified. The port refers to the port of the workload, not the port of the
// Kubernetes service.
map<uint32, MutualTLS> port_level_mtls = 3;
}

48
security/v1/peer_authentication_deepcopy.gen.go generated Normal file
View File

@ -0,0 +1,48 @@
// Code generated by protoc-gen-deepcopy. DO NOT EDIT.
package v1
import (
proto "google.golang.org/protobuf/proto"
)
// DeepCopyInto supports using PeerAuthentication within kubernetes types, where deepcopy-gen is used.
func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication) {
p := proto.Clone(in).(*PeerAuthentication)
*out = *p
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication. Required by controller-gen.
func (in *PeerAuthentication) DeepCopy() *PeerAuthentication {
if in == nil {
return nil
}
out := new(PeerAuthentication)
in.DeepCopyInto(out)
return out
}
// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication. Required by controller-gen.
func (in *PeerAuthentication) DeepCopyInterface() interface{} {
return in.DeepCopy()
}
// DeepCopyInto supports using PeerAuthentication_MutualTLS within kubernetes types, where deepcopy-gen is used.
func (in *PeerAuthentication_MutualTLS) DeepCopyInto(out *PeerAuthentication_MutualTLS) {
p := proto.Clone(in).(*PeerAuthentication_MutualTLS)
*out = *p
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication_MutualTLS. Required by controller-gen.
func (in *PeerAuthentication_MutualTLS) DeepCopy() *PeerAuthentication_MutualTLS {
if in == nil {
return nil
}
out := new(PeerAuthentication_MutualTLS)
in.DeepCopyInto(out)
return out
}
// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication_MutualTLS. Required by controller-gen.
func (in *PeerAuthentication_MutualTLS) DeepCopyInterface() interface{} {
return in.DeepCopy()
}

34
security/v1/peer_authentication_json.gen.go generated Normal file
View File

@ -0,0 +1,34 @@
// Code generated by protoc-gen-jsonshim. DO NOT EDIT.
package v1
import (
bytes "bytes"
jsonpb "github.com/golang/protobuf/jsonpb"
)
// MarshalJSON is a custom marshaler for PeerAuthentication
func (this *PeerAuthentication) MarshalJSON() ([]byte, error) {
str, err := PeerAuthenticationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for PeerAuthentication
func (this *PeerAuthentication) UnmarshalJSON(b []byte) error {
return PeerAuthenticationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for PeerAuthentication_MutualTLS
func (this *PeerAuthentication_MutualTLS) MarshalJSON() ([]byte, error) {
str, err := PeerAuthenticationMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for PeerAuthentication_MutualTLS
func (this *PeerAuthentication_MutualTLS) UnmarshalJSON(b []byte) error {
return PeerAuthenticationUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
var (
PeerAuthenticationMarshaler = &jsonpb.Marshaler{}
PeerAuthenticationUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
)

3
security/v1beta1/peer_authentication.pb.go generated
View File

@ -219,6 +219,9 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) {
// +genclient
// +k8s:deepcopy-gen=true
// -->
// <!-- istio code generation tags
// +istio.io/sync-start
// -->
type PeerAuthentication struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache

3
security/v1beta1/peer_authentication.proto
View File

@ -127,6 +127,9 @@ option go_package="istio.io/api/security/v1beta1";
// +genclient
// +k8s:deepcopy-gen=true
// -->
// <!-- istio code generation tags
// +istio.io/sync-start
// -->
message PeerAuthentication {
// The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the
// same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.